Ads by TechWords

See your link here
Receive the latest technology news and information.
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Sarbanes-Oxley: Where IT and Finance Meet

June 30, 2003 12:00 PM ET

Computerworld - There's a giant sigh of relief rising in the executive suites and corporate boardrooms of large, publicly held companies around the country. Why? Because the U.S. Securities and Exchange Commission has postponed implementing certain key sections of the Sarbanes-Oxley Act for nine months. This gives the SEC more time to complete the regulations that all SEC-regulated companies will have to follow.
Postponing SarbOx (as it's affectionately called) will give CEOs, CFOs and external auditors more time to institute procedures for keeping track of all financial information, from the moment of inception to the final submission in an annual report to the SEC. It also delays the SarbOx mandate that every public company submit an annual report to the SEC that assesses the effectiveness of its internal controls for financial reporting.
Sounds like a purely financial issue, right? Not quite.
Yes, SarbOx is fundamentally financial legislation. Enacted in part as a reaction to Enron and other corporate financial scandals, the law's goal is for public companies to produce more complete and accurate financial reports. The emphasis on internal controls, however, goes far beyond policies, procedures and external audits.
The SEC still must define what "internal controls" means in terms of compliance regulations, but one thing is almost certain: Any public company that utilizes IT as part of its financial business processes will find that IT controls are included in the definition. SarbOx compliance could also mean an overhaul or upgrade of financial transaction and reporting systems for most companies, regardless of size, in order to meet regulatory requirements for more accurate, more detailed and speedier filings.
So far, CIOs have been warming the bench, while CEOs, CFOs, attorneys and auditors attempt to address known and anticipated SarbOx compliance issues. Now is the time for the CIO to get into the game and step up to take the lead on the IT control issue. The CIO should view the IT organization and infrastructure as if he were the CEO of a "business within the business." Would the CIO be comfortable putting his neck on the line during a SarbOx compliance audit? Probably not.
Although regulations haven't been defined for compliance with SarbOx Section 404 -- which mandates an audit of internal controls -- there are a number of areas where the CIO can apply common sense and best practices to comply with the act's goals.
Examining the control processes within the IT organization relating to financial systems is the logical place to start. For example, segregation of duties within the systems development staff is a widely recognized best practice that helps prevent errors and outright fraud. The people who code program changes should be different from the people who test them, and a separate team should be responsible for production change control.
Homegrown financial systems are fraught with potential data-integrity problems, but packaged systems aren't totally immune, either. Although leading ERP systems offer audit-trail functionality, customizations of these systems often bypass those controls. The CIO has to work with internal and external auditors to ensure that customizations can pass muster.
Closely related to development and change controls are project management methodologies. The leading cause of systems implementation failure continues to be poor project management. The CIO must ensure that the IT department has a process to ensure a successful selection and implementation of new or upgraded financial systems within defined schedules, budgets and acceptable levels of risk.
Records management is another area of concern for the CIO as the long-term custodian of corporate data. How a company stores and transmits electronic documents -- and whether or not they're deleted -- can have significant legal and financial consequences. The CIO should work with the CEO, CFO and corporate attorneys to create a document-retention-and-destruction policy that addresses what types of electronic documents should be saved -- and for how long.
Ultimately, SarbOx compliance will require a close working relationship involving the CEO, CFO and CIO. Getting into the game starts with running IT as a business and strengthening IT internal controls.
Norbert J. Kubilus is a partner at Tatum CIO Partners LLP in San Diego. He can be reached at
Norbert.Kubilus@tatumpartners.com.







Jump to comments

Legislation/Regulation

Additional Resources

WHITE PAPER
Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.
WHITE PAPER
Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.
WHITE PAPER
Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

White Papers & Webcasts

Forrester Consulting - Optimizing Users and Applications in a Mobile World
Learn how to successfully deploy a WAN optimization solution that is specifically tuned for a mobile environment!  

Faster, Cheaper and Easier to Maintain
Can you afford not to upgrade your servers to today's advanced, energy-efficient technologies?  

Effectively Implementing Datacenter Automation
Effectively select and deploy the best datacenter automation solution today!

Aligning IT to Business: The Rising Importance of Application Delivery Networks
Application Delivery Networking (ADN) will play a vital role in helping enterprises incorporate strategic technologies to achieve business initiatives.

Mitigate Risk, Lower Costs and Improve Network Efficiency
Create a stable IP network that not only meets today's challenges, but is flexible enough to also meet future demands.