Sarbanes-Oxley: Where IT and Finance Meet

Computerworld - There's a giant sigh of relief rising in the executive suites and corporate boardrooms of large, publicly held companies around the country. Why? Because the U.S. Securities and Exchange Commission has postponed implementing certain key sections of the Sarbanes-Oxley Act for nine months. This gives the SEC more time to complete the regulations that all SEC-regulated companies will have to follow.
Postponing SarbOx (as it's affectionately called) will give CEOs, CFOs and external auditors more time to institute procedures for keeping track of all financial information, from the moment of inception to the final submission in an annual report to the SEC. It also delays the SarbOx mandate that every public company submit an annual report to the SEC that assesses the effectiveness of its internal controls for financial reporting.
Sounds like a purely financial issue, right? Not quite.
Yes, SarbOx is fundamentally financial legislation. Enacted in part as a reaction to Enron and other corporate financial scandals, the law's goal is for public companies to produce more complete and accurate financial reports. The emphasis on internal controls, however, goes far beyond policies, procedures and external audits.
The SEC still must define what "internal controls" means in terms of compliance regulations, but one thing is almost certain: Any public company that utilizes IT as part of its financial business processes will find that IT controls are included in the definition. SarbOx compliance could also mean an overhaul or upgrade of financial transaction and reporting systems for most companies, regardless of size, in order to meet regulatory requirements for more accurate, more detailed and speedier filings.
So far, CIOs have been warming the bench, while CEOs, CFOs, attorneys and auditors attempt to address known and anticipated SarbOx compliance issues. Now is the time for the CIO to get into the game and step up to take the lead on the IT control issue. The CIO should view the IT organization and infrastructure as if he were the CEO of a "business within the business." Would the CIO be comfortable putting his neck on the line during a SarbOx compliance audit? Probably not.
Although regulations haven't been defined for compliance with SarbOx Section 404 -- which mandates an audit of internal controls -- there are a number of areas where the CIO can apply common sense and best practices to comply with the act's goals.
Examining the control processes within the IT organization relating to financial systems is the logical place to start. For example, segregation of duties within the systems development staff is a widely recognized best practice that helps prevent errors and outright fraud. The people who code program changes should be different from the people who test them, and a separate team should be responsible for production change control.
Homegrown financial systems are fraught with potential data-integrity problems, but packaged systems aren't totally immune, either. Although leading ERP systems offer audit-trail functionality, customizations of these systems often bypass those controls. The CIO has to work with internal and external auditors to ensure that customizations can pass muster.
Closely related to development and change controls are project management methodologies. The leading cause of systems implementation failure continues to be poor project management. The CIO must ensure that the IT department has a process to ensure a successful selection and implementation of new or upgraded financial systems within defined schedules, budgets and acceptable levels of risk.
Records management is another area of concern for the CIO as the long-term custodian of corporate data. How a company stores and transmits electronic documents -- and whether or not they're deleted -- can have significant legal and financial consequences. The CIO should work with the CEO, CFO and corporate attorneys to create a document-retention-and-destruction policy that addresses what types of electronic documents should be saved -- and for how long.
Ultimately, SarbOx compliance will require a close working relationship involving the CEO, CFO and CIO. Getting into the game starts with running IT as a business and strengthening IT internal controls.
Norbert J. Kubilus is a partner at Tatum CIO Partners LLP in San Diego. He can be reached at
Norbert.Kubilus@tatumpartners.com.