The Real Value in Sarbanes-Oxley

Computerworld - Fear can be a powerful generator of upstanding conduct, say Stephen Wagner and Lee Dittmar. But business runs on discovering and creating value. In this month's Harvard Business Review, the co-authors discuss how smart companies are finding unexpected benefits in Sarbanes-Oxley compliance. Wagner, who is the managing partner of the U.S. Center for Corporate Governance at Deloitte & Touche, and Dittmar, who leads the enterprise governance consulting practice at Deloitte Consulting and co-leads its Sarbanes-Oxley practice, talked with Kathleen Melymuka about how your company can use compliance requirements to its advantage.

What were some of the big control gaps that early Sarbanes-Oxley compliance efforts uncovered?

WAGNER: One of requirements of internal controls is maintenance of records in reasonable detail that reflect transactions. We found [that] in many instances, control documentation was way behind or didn't exist. A second issue was "tone at the top" -- the communication that comes out of the boardroom and the CEO suite that sets the stage for the organization, including how it deals with ethical standards. We found that there was often very little communication across organizations around the importance of maintaining good controls. In some cases we found duplication of control activities that created inefficiency and less-than-effective controls. Lastly, we ran into the notion of unnecessary complexity in the extreme. Many companies are far more complicated than they need to be. In the IT area in particular, there was duplication of systems, multiple instances of ERP -- one division of a company had 200 financial accounting systems.

DITTMAR: And organizations didn't know what their control programs consisted of. They knew they had them, but as one told me, it was "kind of tribal." There was no consistency in how they did it. We found uncontrolled access to systems that are important to maintaining the integrity of financial reporting. I got a call from a CIO who said, "I've got hundreds of systems and 700 to 800 people who have access all the way to the database level. How can I control that?" This is an extreme example, but it was pervasive. Systems were designed for speed, not for controls. There were also a lot of challenges around security and change management. When we asked about change management processes, many companies said, "Which ones? For this system or this system?"

You make a distinction between strengthening the "control environment" and strengthening "controls." Can you explain that difference and why it's important?

WAGNER: The control environment is the foundational platform on which control activities take place. It deals with more illusive, less tangible things: structure, ethics and basic training on responsibilities, documentation processes, that "tone at the top" element. It's largely driven by senior execs and the board. It has a lot to do with the integrity of the organization and what it stands for and the commitments it has made to ethical behavior. It doesn't get down to the level of individual controls; those are the specific activities meant to address specific control objectives.