The Real Value in Sarbanes-Oxley
Computerworld - Fear can be a powerful generator of upstanding conduct, say Stephen Wagner and Lee Dittmar. But business runs on discovering and creating value. In this month's Harvard Business Review, the co-authors discuss how smart companies are finding unexpected benefits in Sarbanes-Oxley compliance. Wagner, who is the managing partner of the U.S. Center for Corporate Governance at Deloitte & Touche, and Dittmar, who leads the enterprise governance consulting practice at Deloitte Consulting and co-leads its Sarbanes-Oxley practice, talked with Kathleen Melymuka about how your company can use compliance requirements to its advantage.
What were some of the big control gaps that early Sarbanes-Oxley compliance efforts uncovered?
WAGNER: One of requirements of internal controls is maintenance of records in reasonable detail that reflect transactions. We found [that] in many instances, control documentation was way behind or didn't exist. A second issue was "tone at the top" -- the communication that comes out of the boardroom and the CEO suite that sets the stage for the organization, including how it deals with ethical standards. We found that there was often very little communication across organizations around the importance of maintaining good controls. In some cases we found duplication of control activities that created inefficiency and less-than-effective controls. Lastly, we ran into the notion of unnecessary complexity in the extreme. Many companies are far more complicated than they need to be. In the IT area in particular, there was duplication of systems, multiple instances of ERP -- one division of a company had 200 financial accounting systems.
DITTMAR: And organizations didn't know what their control programs consisted of. They knew they had them, but as one told me, it was "kind of tribal." There was no consistency in how they did it. We found uncontrolled access to systems that are important to maintaining the integrity of financial reporting. I got a call from a CIO who said, "I've got hundreds of systems and 700 to 800 people who have access all the way to the database level. How can I control that?" This is an extreme example, but it was pervasive. Systems were designed for speed, not for controls. There were also a lot of challenges around security and change management. When we asked about change management processes, many companies said, "Which ones? For this system or this system?"
You make a distinction between strengthening the "control environment" and strengthening "controls." Can you explain that difference and why it's important?
WAGNER: The control environment is the foundational platform on which control activities take place. It deals with more illusive, less tangible things: structure, ethics and basic training on responsibilities, documentation processes, that "tone at the top" element. It's largely driven by senior execs and the board. It has a lot to do with the integrity of the organization and what it stands for and the commitments it has made to ethical behavior. It doesn't get down to the level of individual controls; those are the specific activities meant to address specific control objectives.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Smarter Commerce is redefining value chain visibility
- Smarter Commerce is redefining the value chain in the age of the customer. It starts with putting the customer at the center of...
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make...
- The Executive Buyer's Guide to Project Portfolio Management
- The Innotas Executive Buyer's Guide provides you with a concise overview of Project Portfolio Management (PPM) and delivers important buying criteria to help... All Management and Careers White Papers
- Live Webcast
Integrated IT Operations Management in the Cloud - Join award-winning technology editor Stan Gibson and Andrew White, CMO at Numara Software, to learn how asset management and service management are converging...
- Integrated IT Operations Management in the Cloud
- Join award-winning technology editor Stan Gibson and Andrew White, CMO at Numara Software, to learn how asset management and service management are converging...
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn... All Management and Careers Webcasts