Wednesday, January 12, 2005
S-Ox and the Need to Audit IT Processes
The Sarbanes-Oxley Act has dramatically heightened financial reporting standards for US public companies; the first Section 404 compliance deadline applied to accelerated filers, those with a public float over $75 million. For the past 18 years, COSO (the Committee of Sponsoring Organizations of the Treadway Commission) has been the accepted framework for implementing internal controls over financial reporting. COSO, however, does not specifically address IT processes and technology. Since the vast majority of the financial data that makes up financial reports is generated by IT systems and their related processes, it is critical that the effectiveness of those processes can be verified. With well-defined, verifiable standards and procedures in place, CEOs and CFOs can be confident that the reports they certify came from well-maintained, error-free software applications.
The two sections of the Sarbanes-Oxley Act that should concern IT executives the most are 302 and 404(a), because they deal with the internal controls a company has in place to ensure the accuracy of its data. This relates directly to the software systems a company uses to control, transmit and calculate the data that goes into its financial reports.
Section 302
Effective August 29, 2002, Section 302 requires CEOs and CFOs to attest to the accuracy of their company's quarterly and annual reports.
CEOs and CFOs will be placing an enormous amount of trust in the people and systems that produce their company's financial data. Given the wide and deep spectrum of internal controls involved, it is a serious responsibility.
Section 404(a)
The deadline for complying with this rule was originally September 15, 2003, but has now been pushed back to November 15, 2004. A number of experts view the extension as a sign of just how seriously authorities intend to enforce and monitor the new law. The SEC has also recognized the COSO framework as the official framework for establishing internal controls over financial reporting. Many companies are now actively working with internal and external audit firms to set expectations surrounding Section 404 and avoid unwanted surprises when it comes into full force.
The View From the Top
Understandably, CEOs and CFOs are taking Sarbanes-Oxley very seriously given the potential penalties for non-compliance. There is a tremendous amount of data they will have to monitor to make sure the financial statements are accurate. From the point of view of an IT person, it is a given that IT will be relied upon to collect, store and compile this data from all areas of the company and transmit it to the appropriate people.
So, how do CEOs and CFOs view Sarbanes-Oxley from a compliance standpoint? Surprisingly, an informal survey by CIO Magazine of the top 19 companies on the Fortune 100 list revealed that most executives viewed compliance as a finance issue, not a systems issue.[1] This is a mistake, as IT is poised to play a major role in implementing the controls over financial reporting.
What Sarbanes-Oxley Means to IT Executives
Paradoxically, Sarbanes-Oxley has been a motivating factor in connecting IT more closely to the business. Compliance can give the CIO a seat at the inner table of top executives as an active partner in regulatory conformance. CIOs must be proactive in getting the attention of their CFOs so that they understand how important IT systems are to data integrity. One way to do this is by demonstrating a detailed understanding of Sarbanes-Oxley and the part you can play in achieving compliance, without claiming that IT holds all the answers. Seats at the inner table "are usually reserved for CIOs who can explain the business value of technology changes, but who are also able to put on their business hat and review potential IT work in the context of the broader business needs."[2]
posted by Brian Moran @ 10:58 AM