Sarbanes-Oxley Requirements Put Legal Onus on CIOs

Computerworld - In addition to the likelihood that the Sarbanes-Oxley Act will force many companies to overhaul their IT systems, the new financial-reporting law may contain hidden legal hazards for CIOs, according to Jonathan Karpoff, a finance professor at the University of Washington in Seattle.
A financial-reporting scandal that's embroiling HealthSouth Corp. in Birmingham, Ala., illustrates the potential risks IT managers face, although it predates last summer's approval of the Sarbanes-Oxley measure. HealthSouth this month fired CIO Kenneth Livesay after he pleaded guilty to federal charges of falsifying financial information and conspiracy to commit wire and securities fraud (see story).
Livesay was one of five HealthSouth executives charged by the Department of Justice in connection with a scheme to artificially inflate the health care company's earnings and file false financial statements with the government. That's the kind of illegal behavior that the requirements of Sarbanes-Oxley are designed to stamp out.
Karpoff said the events at HealthSouth should send a clear signal to other CIOs about the need to ensure that corporate financial statements are valid. "Given this experience, the wake-up call of Sarbanes-Oxley is not only for the CEO and CFO; it's for all officers in the company to realize they may be held personally liable," he said.
The legal risks for CIOs may increase further as IT becomes more important within companies and is seen as such by legislators and regulators, said Paul A. Strassmann, an IT management consultant who last month stepped down as NASA's acting CIO (see story).
"Sarbanes-Oxley is just the beginning," said Strassmann, a former Computerworld columnist. "I believe that laws will be passed very soon where the CIO will have to sign certifications as to information asset security and protection."