IT scrambles to meet Sarb-Ox controls deadline

Computerworld - IT departments at many large companies are racing to document, remediate and test IT-related controls to meet a year-end reporting deadline for Sarbanes-Oxley compliance.

The rush is on because many companies failed to grasp the amount of work that would be required and because of miscommunication between IT managers and the finance departments that typically run Sarbanes-Oxley Act compliance projects, according to users and analysts who were interviewed last week.

"What I've seen is a 'Let's drop everything and get this done' approach on dealing with IT controls from the second quarter until now," said John Hagerty, an analyst at AMR Research Inc. in Boston.

Hagerty and several other analysts and consultants said they expect that most companies that need to show Sarb-Ox compliance by year's end will get the bulk of their IT controls documented and tested in time. But some analysts predicted that in annual 10-K reports early next year, as many as 25% of the so-called accelerated filers will have to report controls-related exceptions that require additional remediation. Depending on the severity of the problems, companies could be fined by the U.S. Securities and Exchange Commission.

Todd Naughton, vice president and controller at Zebra Technologies Corp., said the Vernon Hills, Ill.-based supplier of printer components "really just started looking" at general IT controls within the past three months.

For the past year, Zebra has focused on documenting, remediating and testing application-level controls throughout the organization, including mapping defined job roles to the system access levels they require, said Richard Jaszka, the company's internal audit manager.

"That said, we're concerned about our ability to meet the Section 404 requirements of Sarbanes-Oxley for the other IT controls," said Jaszka. For example, although Zebra has documented policies for key areas such as change management, systems development and mission-critical computer operations, "it will be a challenge to properly test these controls and address any necessary remedies by year-end," Jaszka said.

He added that regulators haven't specified which IT controls need to be documented and tested.

Compliance Gap

Stan Lepeak, an analyst at Meta Group Inc., said he wouldn't be surprised if 25% of accelerated filers are found to have inadequate controls. He based his estimate on several factors, including discussions with clients, Sarbanes-Oxley readiness surveys conducted with client firms, and concerns expressed by customers who outsource IT that service providers won't be able to document the IT controls in time.

"It really depends on how strict external auditors will be in determining what are material weaknesses or deficiencies in controls and what aren't," said Lepeak.