by Ben Worthen

Sarbanes-Oxley: The IT Manager’s New Risks and Responsibilities

May 15, 2003

Don’t bother speaking to the CIO or anyone on the IT staff if you want to find out how Sola International is using information technology to meet the new reporting requirements mandated by the Sarbanes-Oxley Act. The guy to talk to, Patrick Kiernan, a senior financial systems analyst at the publicly traded, $550 million corrective and sunglass lens design, manufacture and distribution company, reports to the corporate controller. Kiernan is in charge of replacing the company’s manual spreadsheets with an automated reporting system and planning other projects that will further consolidate financial information. He acknowledges that IT can play a small supporting role (“Without IT’s assistance, I couldn’t have had the WAN or the servers”), but he doesn’t see why the CIO should be directly involved with Sarbanes-Oxley. “I doubt if the CIO would even be interested,” Kiernan says.

Part 2 Playing By New Rules Your Risks and Responsibilities

Editor’s Note: This story on the IT ramifications of the Sarbanes-Oxley Act is the second in a CIO series on federal legislation that is having a profound effect on how your company manages data, ensures security and protects privacy. Find the first story in the series, “What to Do When Uncle Sam Wants Your Data,” at www.cio.com/newrules.

That perspective bodes trouble for the CIO’s long-term role as the keeper of corporate data, but more immediately for companies’ ability to comply with the new government mandates on how they record, track and disclose financial information. And yet it’s an alarmingly pervasive point of view. In an informal survey by CIO of the top 19 companies on the Fortune 100 list, most executives viewed compliance with Sarbanes-Oxley as a finance issue, not a systems issue. A few acknowledged a potential role for IT but insisted it was premature for the CIO to be involved.

They are dangerously mistaken. While Sarbanes-Oxley is financial legislation, at its heart it is about ensuring that internal controls or rules are in place to govern the creation and documentation of information in financial statements. Since IT systems are used to generate, change, house and transport that data, CIOs have to build the controls that ensure the information stands up to audit scrutiny.

And the CEO and CFO aren’t the only ones who are now personally accountable for the validity of that information. CIOs may also be held liable for invalid data, as the unfolding case against HealthSouth illustrates. (HealthSouth fired CIO Kenneth Livesay last month after he pleaded guilty to federal charges of falsifying financial information and conspiracy to commit wire and securities fraud.)

Imagine, if you will, that Sarbanes-Oxley is a water purity test. What ultimately matters is the quality of the water coming out of the faucet. But no responsible organization would let its water be tested before thoroughly examining and repairing its plumbing, especially when failure means multimillion-dollar fines, a ruined reputation and possibly jail time for top executives. Yet that is what many companies are doing in the race to comply with Sarbanes-Oxley.

The companies that don’t recognize the large role IT must play “will find out later on that they’re wrong,” says Tom Patterson, a senior manager in BearingPoint’s information risk management practice. Companies that don’t involve the CIO, he says, are simply missing the point of the legislation.

Joe Eckroth, CIO of toy maker Mattel, agrees. “With the current environment, there can be nothing more important than getting the systems put in place to ensure compliance with Sarbanes-Oxley and boost investor confidence in the company,” he says.

While Eckroth is a key member of the management committee at Mattel assigned to that task, many CIOs remain shut out of the preparations. Here’s what you need to know to be part of your company’s Sarbanes-Oxley marathon.

The Case for Disclosure

It’s easy to understand why finance feels it must take charge of meeting the Sarbanes-Oxley Act’s reporting requirements. The legislation was, after all, born of public outrage over fraudulent accounting practices, such as those involved in the Enron, WorldCom and now HealthSouth scandals, and a wave of restated financials that further demonstrated the lack of oversight within corporate America.

The act, which is technically called the Public Company Accounting Reform and Investor Protection Act of 2002, was sponsored by Sen. Paul Sarbanes (D-Md.), then chairman of the Committee on Banking, Housing and Urban Affairs in the Senate, and Rep. Michael Oxley (R-Ohio), the Financial Services Committee chair in the House. It passed the Senate unanimously, won easy approval in the House, and President Bush signed it into law on July 30, 2002.

At the time, Sarbanes said that dramatic differences in the way businesses are run today had made obsolete the reporting framework the Securities and Exchange Commission required for the past 70 years. As recently as 1970, the average daily volume of shares traded in the New York Stock Exchange was 12 million. By 2000, it was more than a billion. Whereas markets were once dominated by trusting long-term investors willing to wait for financial information in quarterly and annual reports, today’s markets move in real-time, and twice-shy investors no longer believe that executives have their best interests in mind. Sarbanes-Oxley addresses this by speeding up the filing date for quarterly and annual reports and calling for real-time disclosure of material events (see “Real-Time Disclosure,” Page 74). The amount and speed of information available to the public, as mandated by the legislation, was designed to renew investors’ trust in corporate executives and their financial reports.

It also requires that companies institute procedures for keeping track of all financial information from the moment of inception to the final submission in an annual report to the SEC.

Guarding Against Fraud

In geek speak, a 404 is someone who is clueless, as in “Don’t ask him; he’s a 404.” The origin is the HTML error message 404, meaning file not found. The meaning of 404 is about to change, and this time you’d better be able to find the file.

Section 404 of the Sarbanes-Oxley Act is barely 100 words long. While that doesn’t sound like much, some companies will end up spending more than $3,000 a word to comply with it. The section says simply that annual reports must contain a statement signed by the CEO and CFO attesting that the information contained in any SEC filing is accurate. The company must also submit to an audit to prove it has controls in place to assure the information is accurate. (The stakes are certainly high enough; the penalties for a false attestation include jail time.)

The problem is that the act doesn’t offer much guidance beyond that broad requirement, and neither, quite frankly, does the SEC’s proposed ruling on the section. (The final rule was not issued by press time.) But while the SEC never says what internal controls are required, it does offer one very good hint. The proposed SEC rule on Section 404 spends a good deal of space discussing the definition of internal controls offered by COSO, an independent group sponsored by five major accounting organizations, including the American Institute of Certified Public Accountants and the Institute of Internal Auditors. COSO issued a report in 1992 examining corporate fraud and what procedures could be put in place to combat it. It recommended that companies adopt a framework whereby all transactions are properly authorized, there are safeguards against improper use, and all transactions are recorded and reported.

What that means is that every division in a company needs to have a documented set of internal rules that control how data is generated, manipulated, recorded and reported, says John Flaherty, the current COSO chairman and former vice president and general auditor for PepsiCo.

In this context, CIOs aren’t at risk for Enron-like fraud as much as what Flaherty calls “honest mistakes: systems that malfunction, miscompute or somehow give the wrong answer.” The bottom line is that if you “develop a system that doesn’t work, that’s a control problem,” he adds.

While the glory may come from fixing the systems that support the company as a whole, Fran Dramis, chief information, e-commerce and security officer at BellSouth, says that the first thing a CIO needs to do is make sure that the IT department has a strong governance framework internally. “[CIOs] should view their function as if [IT] were a separate company and they were the CEO of it,” he says from his office in the telecom giant’s Atlanta headquarters. “Think about having to sign that letter.” No one would put his neck on the line unless he knew that his company’s own systems had a built-in audit trail and proper authorization procedures, and that that could all be proved with documentation.

And then the IT executive needs to make sure that the systems generating, supporting and housing companywide data have the same internal control procedures in place. With that in mind, DuPont, one of the 15 percent to 20 percent of public companies that have adopted the COSO framework, recently gave 1,400 IT employees a half-day crash course in internal controls, says Linda Johnson, global financial manager for IT at the chemical company. The training emphasized key internal control concepts, for example, the need to assign different employees to code the program changes, test them and then move them into production. A different person performing each task helps prevent errors or fraud, Johnson has found.

This is a far cry from business as usual for most IT departments, where the priority has traditionally been getting a project done on time as opposed to documenting the controls process. Mattel’s Eckroth is currently finishing an Oracle financials implementation and says that the world’s largest toy maker is, for the first time, approaching this project with an eye toward Sarbanes-Oxley compliance. “We have to make sure that we haven’t missed something relative to the hierarchy of who can see what, who has signature or purchasing authority,” says Eckroth. Not only does he have to embed these rules into the enterprisewide financial system, but he has to document that he has done it.

“That is a step I have never taken before,” he says.

Tracking the Data

The current state of internal controls within American businesses is surprisingly lax. Most companies have not installed the kind of systems that can track changes to financial data as it moves around internally. “You see all these ERP and CRM systems that collect data, but feed into spreadsheets,” says Erik Guldentops, an executive professor at the management school of the University of Antwerp, Belgium, and an expert on IT controls and auditing. Spreadsheets are a manual process and prone to human error. It doesn’t matter how many usage rules a system has or how complete the documentation is. If data ends in a spreadsheet or any other process where a person works with it, says Guldentops, “the control over the information flow doesn’t exist anymore.”

Numbers bear this out. A 2003 survey by the Hackett Group concluded that 47 percent of the companies used standalone spreadsheets for planning and budgeting. One possible explanation for the uncontrolled information flow is that, on average, companies had nearly three different ERP systems from which to pull data.

That reliance on human processes won’t cut it with the new Sarbanes-Oxley legislation. While CIOs may not have to standardize on one ERP, they do, at the very least, need to document usage rules and an audit trail for each system that contributes financial information. And they have to do it soon: BearingPoint’s Patterson says that in order to stay on target with SEC-mandated compliance dates, that needs to be done by the end of this month. “By May 30th you should have a steering committee mapped out,” he says. By then, you should have done the up-front gap analysis and determined if the current systems pass muster or if you need to make changes.

CIOs who are up to speed on Sarbanes-Oxley suggest specific starting points, such as developing detailed plans for controls on basic financial systems. BellSouth’s Dramis says that “the information from all the systems, while not necessarily linked, has to be reconciled, either by integration or a shared data model.” BellSouth put in place a middleware-intensive infrastructure that facilitates the use and integration of data from different systems.

Bud Mathaisel, CIO of contract manufacturer Solectron, suggests some specific places where data integrity may slip through the cracks. “Look for things where there has been customization made to the general ledger and financial systems,” he says. Those areas typically won’t have the audit trail functionality now required. Mathaisel suggests working closely with the internal audit group to make sure these once-customized systems have acceptable audit trails and other controls.

Unfortunately, there is no silver bullet or even one-size-fits-all advice. From a technology point of view, the actions that a company will need to take depend entirely on what it is they find in the internal controls inspection (see “Fifteen Questions You Need to Be Able to Answer,” Page 76). But one thing’s for sure: CIOs need to work closely with the Sarbanes-Oxley auditors to make sure that they know what their companies’ weaknesses are. (For more on this read “The Auditors are Coming” at www.cio.com/printlinks.)

Sell Your Expertise

Yet if CIOs are being kept out of the loop, how can they even do that? Just what can you do to convince your CFO that it’s time to widen the circle and bring IT in? One persuasive tactic, suggest some leading CIOs, is to demonstrate an impressive understanding of what needs to be done to comply with Sarbanes-Oxley. In fact, your knowledge in this arcane area may just be the ticket that finally gets you a seat at the inner table. Those seats, says Dramis, are usually reserved for CIOs who can explain the business value of technology changes, but who are also able to “put on their business hat and review potential IT work in the context of the broader business needs.” The Sarbanes-Oxley Act is a perfect opportunity for a CIO to demonstrate that he can do both.

Set up a meeting with your CFO and make a presentation on what your company needs to do to comply and how you propose getting there. In the presentation, you need to make sure that the CFO understands how important IT systems are to data integrity. And you also have to make clear that you understand that the plumbing isn’t the only thing that affects purity.

“This is a double-edged sword,” says Richard de Moll, a vice president at Cap Gemini Ernst & Young and a former CFO. “You need to walk in with an educated point of view, but you can’t walk in saying that technology is the answer.” CIOs need to remember that technology, while an important part of Sarbanes-Oxley compliance, is just a part of a process of which the CFO is ultimately in charge.

De Moll acknowledges that CIOs will have an uphill battle convincing finance that IT should play a central role. One reason for that is the festering tension that developed between finance and information technology in the ’90s. During the tech boom, IT was the center of attention, even though, from a finance perspective, it remained a cost center. From the finance point of view, the bubble burst that forced so many technology startups out of business was well-deserved comeuppance. Finance distrusts IT now because of all the money wasted then.

Understanding that is the first step to overcoming the divide and getting that lead role. A good way to demonstrate that you grasp financial reality is to run the IT organization with a streamlined budget and justify further spending with firm business metrics like ROI. Implementing internal controls processes within the IT organization will not only help prepare for Sarbanes-Oxley but will make the message to finance that much stronger.

Ultimately, the best resources that CIOs have when it comes to Sarbanes-Oxley compliance may be each other. Solectron’s Mathaisel says that he is closely watching best practices exchanges for Sarbanes-Oxley news and tips on how other CIOs are endeavoring to fix their internal controls.

Mattel’s Eckroth agrees that CIOs need to work together. The legislation is meant to restore confidence in the business community as a whole. In this sense, says Eckroth, every company needs to take Sarbanes-Oxley seriously, “because one bad apple takes us all down.”