Compliance - The Sarbanes-Oxley (Sarbox) Conspiracy

Page 2 of 2

At Energen, CIO White is taking the same reverse engineering approach to controls, trying to automate the ones he can. One is change management for Energen’s ERP system. Right now, the process for making a change to the system—say a tax rate change or a bug fix—is "arduous and requires many sign-offs," says White. Any changes that can affect financial data will have to be reported under Sarbanes-Oxley, and if, for example, a bug in the ERP software means past financial data was not correct, the company may need to restate earnings. That means change management must be much more carefully documented and monitored than in the past. So White is planning to automate the change request and sign-off processes to speed things up as much as possible. But he’s still worried that the new levels of scrutiny—and the coming requirement in Sarbanes-Oxley Section 409 that material changes to financial condition be reported in real time—will prevent those changes from happening as fast as some in finance would like. "There isn’t a whole lot more time to milk out of the change process," he says. "If it takes a week then that’s the way it is. But people are already telling me it’s not fast enough."

The Knowledge Gap

Without a good playbook for Sarbanes-Oxley, IT and business executives find themselves dependent for advice upon external auditors and consultants. But according to the CIOs and analysts we spoke to, consultants are also trying to figure out what compliance means. And that’s yet another sore point for CIOs.

"I’m not getting any good advice about what I’m supposed to be doing from the consultants or the external auditors," says the anonymous manufacturing CIO. "They have no clue what Sarbox means for IT yet." Adds Gartner’s Mogull, "The most common complaint I’m hearing about the auditors is they aren’t providing enough clear guidance." When he challenged some of the auditing firms with this, their response was that the rules haven’t yet been finalized by the Securities and Exchange Commission. "I said, Well that’s fine," recalls Mogull, "but why are you taking people’s money then?"

Complicating the situation is the longtime split that has existed between financial auditing and IT auditing inside consulting firms and the Big Four accounting firms. Financial auditors have traditionally focused on controls and overall business governance, while IT auditors have consulted with CIOs on best practices for running IT. And just like the businesses they serve, it’s financial auditors, not the IT auditors, who are running Sarbox consulting engagements. This can lead to IT issues being ignored or shoved to the back burner. "They send in financial auditors and IT auditors but they are usually two separate teams that haven’t created a [joint] strategy," says Sharon O’Bryan, founder and president of consultancy OAS and a former Big Four IT auditor. This is yet another reason why IT may be left out of strategic planning for Sarbanes-Oxley.

With so much potential for confusion and consequent disaster, all top enterprise executives need to stay in the compliance loop. Even if an internal audit group is charged with leading the day-to-day effort on Sarbanes-Oxley, the steering committee is a place where other, nonfinancial voices can be heard. This will eventually allow internal audit groups to save face when they realize that Sarbox is a much bigger job than they may have originally thought. Energen’s White, for example, is part of a seven-member planning group that includes the CEO, CFO, COOs of two subsidiaries, the HR chief and chief counsel. This group doesn’t just democratize communication, however. It also demonstrates resolve and commitment from the top. That’s crucial in most IT projects, but especially in Sarbanes-Oxley because, as Burlington Coat Factory’s Friedman puts it, "There is no value [in Sarbox] as far as the user community is concerned. If you don’t have executive pushdown on this one, people are not going to move on it."

The Sarbox Compromise

Most auditors and CFOs we spoke with say that if IT is being left out of Sarbanes-Oxley, it is more a sin of omission, and perhaps ignorance, than a calculated plot. "The extent of IT involvement depends on how intuitive companies have been about technology-enabled controls," says Mark Lindig, a partner with Big Four firm KPMG’s IT auditing group. "If there isn’t much understanding, then IT might not be there at the beginning. Finance looks at Sarbanes-Oxley and says, ’How can I do this from a numbers focus?’ It’s like a hub-and-spoke arrangement where finance starts it and brings in other groups as they go."

CFOs are also struggling with how to define other executives’ roles in Sarbanes-Oxley. "Who signs on the bottom line?" asks Dennis Cavender, CFO of Essential Group, his voice shaking with emotion. "The CFO and CEO. That’s who have to put their names on the line, and that’s who it comes back to. I don’t see Sarbanes-Oxley as a confrontation between the CFO and CIO; I see it as being a team that has to work closer together, or the processes and internal controls will fall apart."

CIOs could do everyone a favor by defining their role in Sarbanes-Oxley themselves. After companies get over the initial shock of discovering how many manual financial controls they need to document, the CIO eventually will be assigned to automate them to save time and expense in quarterly compliance efforts. "The CIO will become the custodian of controls," says Lindig. "The finance function has to own them because they are the last line of defense before the audit, but as the controls are distributed into the organization, you need to establish custodial and execution responsibilities. That’s what Sarbanes-Oxley shines a bright light on. You have to have an accountability model for those controls."

This could be the natural role for CIOs—think access rights to systems, constructing employee portals, and other instances where the CIO already defines and manages automated controls. But it’s a short step from there to a much larger role that many CIOs have been reluctant to contemplate: the move from simply owning and maintaining the IT plumbing to becoming accountable for the accuracy and integrity of the data flowing through those pipes—the data controller, as John Lenz, partner at consulting company Tatum Partners, puts it. "Just as we have financial controllers today who assure the accuracy and integrity of numbers, we will have data controllers who assure the accuracy and integrity of data," Lenz suggests.

Some CIOs have already accepted that accountability. Electronic Arts’ West signs a certification to his CFO that the data from his financial IT systems is accurate. The CFO and CEO are still ultimately (and legally) accountable if the numbers are wrong, but subcertification puts functional executives’ necks on the line internally and in civil lawsuits. Gartner predicts that by next year, 70 percent of publicly traded companies will require their CIOs to do it.

CIOs who say they are currently satisfied with their role in Sarbanes-Oxley have one thing in common: They are defining their role themselves. They are volunteering to help coordinate the effort and offering project management—IT’s unique, golden asset—to whomever wants it.

"I got involved and pushed the issue," says NStar’s Zimon. "I thought, Better to get involved early than have the business come to me with a list of demands [just before the deadline]." By turning Sarbox into a "project" like Y2K, and volunteering resources to staff it, Zimon got to have more input into the company’s governance model. He also gained access to an early warning system that informs him of issues bubbling up. Now he’s working on building a joint business and IT group to continue to monitor and support the financial controls after the first round of Sarbox passes.

"I talk to CIOs who say this isn’t an issue for them like it is for me," says White. "I can’t help but wonder if they aren’t in for a rude awakening."


Copyright © 2004 IDG Communications, Inc.
