In The Press

GTNews.com

Sarbanes-Oxley from the CIO's Point of View

Daniel Ball, Wax Digital - 07 Mar 2006

Chief information officers are looking for ways to deploy new technologies that can implement a list of requirements from auditors and reduce the burden on the organisation as a whole. This article looks at their role in SOX compliance and what action they should be taking.

For companies based, parented or even just doing business in the US, the Sarbanes-Oxley Act (SOX) is the single most important piece of legislation affecting corporate governance and financial disclosure since the US securities laws of the early 1930s. It was passed following the accounting scandals at Enron, WorldCom and Arthur Andersen, mandating a wide-sweeping accounting framework for all public companies doing business in the US.

The Act requires public companies to provide an accurate and timely audit of all finance-related business processes, and that audit must be readily verifiable against traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revision to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

Penalties for non-compliance are tough - a corporate officer who does not comply or submits an inaccurate certification is subject to a fine up to $1m and 10 years in prison, even if done mistakenly. If a wrong certification was submitted on purpose, the fine can be up to $5m and 20 years in prison.

SOX is not limited to the accounting process; it covers everything from human resources and procurement to IT systems, and how each of them affects financial processes. Never before has an organisation had to have such a clear view of its internal processes and operations - which also enables management to identify areas for business improvement.

Effect on the IT Department

It has not gone unnoticed by management that a major component of their SOX solution must reside in the IT department. According to research firm AMR, of the approximately $6bn that companies spent in 2005 on SOX compliance, about $1.7bn was technology oriented, a 43 per cent increase year on year.

Chief information officers (CIOs) have been given the task of finding ways to deploy new technologies that can flexibly, cost-effectively and reliably implement a list of requirements from auditors and reduce the burden on the organisation as a whole. IT must audit how every piece of financially relevant data is accessed or changed at every instance of its life within the company.

Many corporate IT environments, even those that are centred on a single enterprise resource planning (ERP) system, fail to provide automated capabilities for controls and policy rules enforcement, where human intervention, such as approvals, authorisations or exceptions, is required. This is where deficient controls tend to be prevalent and problematic.

An enterprise service bus (ESB) allows disparate IT assets to be rapidly and effectively connected, enabling risk management to be proactively addressed through controls automation and enforcement via business process management (BPM).

Once controls are automated they are less likely to fail, less costly to test and, since users have no way to bypass them, policies are inherently enforced. With effective safeguards for enforcing internal controls in place, businesses can demonstrate and verify controls, enhance the integrity and auditability of IT systems, and reduce the need for extensive documentation and employee supervision. However, it is a mammoth task for CIOs to undertake, and one that has to be completed within given timescales.
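The requirements above (source data that cannot undergo undocumented revisions, every change recorded as to what, why, by whom and when, and a control that users cannot bypass) can be made concrete in a small append-only revision log. This is an added illustration, not code from the article or from Wax Digital; the record id, field names, user names and the approval rule are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example: an append-only, hash-chained revision log for one
# financial record. Each entry records what changed, why, by whom and when.
# Because every hash covers the previous hash, altering or deleting an entry
# after the fact (an "undocumented revision") breaks the chain. An auditor
# keeps the latest hash off-system so that truncating the log is detected too.

def _digest(prev_hash: str, entry: dict) -> str:
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

@dataclass
class RevisionLog:
    record_id: str
    entries: list = field(default_factory=list)
    hashes: list = field(default_factory=list)

    def record_change(self, field_name, old, new, who, why, approver=None, when=None):
        # Automated control (assumed policy): a change to a monetary field needs
        # an approver who is not the requester. The log refuses it otherwise,
        # so the policy is enforced rather than merely documented.
        if field_name == "amount" and (approver is None or approver == who):
            raise PermissionError("amount changes require an independent approver")
        entry = {
            "record": self.record_id, "field": field_name, "old": old, "new": new,
            "who": who, "why": why, "approver": approver,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
        }
        prev = self.hashes[-1] if self.hashes else "0" * 64
        self.entries.append(entry)
        self.hashes.append(_digest(prev, entry))
        return self.hashes[-1]  # the auditor retains this tip hash

    def verify(self, expected_tip=None) -> bool:
        # Recompute the whole chain; any edited entry produces a mismatch, and
        # a missing tail is caught by comparing against the retained tip hash.
        if len(self.entries) != len(self.hashes):
            return False
        prev = "0" * 64
        for entry, h in zip(self.entries, self.hashes):
            if _digest(prev, entry) != h:
                return False
            prev = h
        return expected_tip is None or prev == expected_tip
```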

Forecasts

US companies with market caps of less than $75m must become compliant between 2007 and 2008, a date that has been pushed out several times because of concerns that small companies lack the resources to address the issues sooner. For this latter group, the heavy burden of SOX compliance remains and poses major challenges for companies without large IT budgets. According to a recent study by the Small Business Administration, small businesses pay an average of 46 per cent more per employee to meet federal compliance regulations than their larger counterparts.

In addition, overseas companies that trade stock or issue debt in the US must be SOX compliant for fiscal years after July 2006. How much further the impact of SOX will be felt across Europe is open to debate. Most commentators expect further tightening of the regulatory framework, but are not decisive about how far they believe the EU will go.

Gartner, for example, has been warning for some time that the EU will introduce legislation similar to Sarbanes-Oxley. Though the timetable is uncertain, it believes that it's inevitable that the EU will introduce a directive based on these proposals. It has recommended that European businesses should prepare to comply with EU-wide auditing rules, ensuring that their business process management and document management procedures are ready to respond to EU-wide audit requirements.

Proposals for increasing jail sentences for false financial reporting from two years to seven years and liability for legislation breaches extending beyond directors are already on the European table. A drip-feeding of similar legislative changes could well lead to the gradual introduction of SOX governance standards through the back door.

Others believe the EU will take a less interventionist role, especially since the departure of former internal market commissioner Frits Bolkestein, who was a clear advocate of a tougher, more punitive regime in Europe.

However, the most likely driver of the outcome is the global nature of business, which almost guarantees that regulatory frameworks on corporate governance will converge. Listed companies operate in a global environment and, most significantly, US and international investors often hold a large stake in their capital. But have companies outside US influence taken note of the lessons being learned on the other side of the Atlantic?

Current Feeling in Europe

In a recent survey, European companies with a GBP500m+ turnover were questioned about how they believed SOX compliance was affecting them and their IT decision making. Without exception, those based in Europe and the UK with no US parent company remain sure that unless forced into it, they would not be taking pre-emptive measures to prepare for any potential EU legislation.

Interestingly, all European companies questioned believe that it's only a matter of time before EU legislation follows the precedent set by SOX in the US. Forty-three per cent of companies stated that they expect any future EU legislation to be tougher. But none of those questioned are making plans to pre-empt such legislation - they will only act when required to by law.

Since the financial reporting processes of most organisations are driven by supply chain systems, one would expect automation of compliance and control processes to have an equally low impact on UK companies. This is not the case, however; the same companies placed a moderate to high importance on automation of compliance.

The market for process automation tools and services is healthy, but it remains the general case that where companies do not have a US listing, SOX is not a driving force behind decision making in IT.

Furthermore, corporate practice is unlikely to change unless there is motivation for doing so - with only 29 per cent of respondents anticipating a growth in priority over the coming 12 months, and 72 per cent stating that they don't believe improved automation of compliance controls and processes has a perceived impact on a company's share price.

Benefits of Compliance

Of course, the underlying goal of SOX - to assure that companies know enough about their business to be able to report faithfully - can be forgotten or ignored. But there are many benefits to the business if it is able to break through the pain barrier of implementing SOX compliant systems and processes. What began as a mandate is providing a springboard for plenty of business value.

Many CFOs believe they are now able to make day-to-day financial decisions faster, because they have more reliable operational data as a result of the improved processes and controls. SOX is increasingly being deployed as part of a broader risk management approach that can, at least theoretically, deliver a significant return on investment (ROI).

SOX can be tackled as part of a larger risk management strategy, which can generate value that would be ignored if an enterprise stuck to mere compliance. For example, 20 per cent of respondents to a recent survey by PwC said that SOX efforts had also allowed them to reduce fraud.

Most telling, about 66 per cent of the respondents credited SOX and other compliance initiatives with helping them to uncover potentially damaging control weaknesses. This is important because such weaknesses can spring up all over an enterprise, including in operations, and in certain instances cripple business. In fact, the very reason for some risk management regulations is that businesses have been crippled or indeed destroyed because of the lack of relevant risk management processes and tools.

There has been a lot of press about the cost of SOX compliance on an organisation. UK companies still see it as a big burden for little benefit, which diverts money and effort from other business needs. However, companies that are successful in developing a high level of visibility and accuracy into their systems are in a position to apply that knowledge to their overall business and, therefore, gain competitive market advantage over US and foreign companies without similar information.
