CMP Network Computing
The Sarbox Assessment

By Elizabeth Wasserman

Now that the first round of filing deadlines for the corporate governance law known as Sarbanes-Oxley has come and gone, companies can rest on their laurels, right?

Wrong.

This is the time when CIOs, in conjunction with CFOs and COOs, should be planning a post-mortem of Sarbanes-Oxley compliance. Executives need to assess how well their organizations were able to comply, how they can improve that performance in the coming years, and how they can weave the awareness of controls and potential risks throughout everyday operations.

"Everybody tried hard. Most people cleaned up the most egregious problems and, along the way, they laid the foundation for continuous improvement in this area going forward," said John Parkinson, chief technologist for the Americas region at consulting firm Capgemini. "Did they fix everything? Absolutely not. I don't know anybody who will say they got it 100 percent right this time."

Under Sarbanes-Oxley, public companies were required to test and document their internal controls and procedures for financial reporting by November 2004 and then attest to the effectiveness of these controls in their annual reports filed in March. The law was designed to restore public confidence in financial statements after accounting crises at Enron, WorldCom, and other public companies.

U.S. companies spent $5.5 billion last year on Sarbanes-Oxley-related compliance initiatives, according to a recent study by AMR Research. AMR forecasts that Sarbanes-Oxley spending will grow by 11 percent in 2005 to $6.1 billion. The study, which involved surveying more than 225 companies, found that 80 percent of companies had Sarbanes-Oxley compliance projects slated for this year, and a majority believed that this law comprised their largest compliance-related investment.

In the wake of the Sarbanes-Oxley deadlines, some major companies have had to restate earnings, or discovered accounting problems that prevented them from attesting to the effectiveness of their internal financial-reporting controls. Other companies have found flaws in the way they documented manual controls or controlled employee access to sensitive data. Still others are trying to figure out how to disclose potential flaws in their controls in a timely fashion, as required under the law.

Many companies have been in for a rude awakening: While they can breathe a sigh of relief over meeting Sarbanes-Oxley deadlines, they are realizing that it's not over yet.

"They might have passed the deadline, but Sarbanes-Oxley is not a project, it's an ongoing process," said Michael Rasmussen, an analyst with Forrester Research. "When there are business changes, user changes, when business partners change or the IT department gets a new application, there should be an ongoing process to make sure the company is still in compliance."

Already, CIOs have been brought before their boards of directors and ordered to fix something because an "out of compliance" event occurred in the course of business. In one case, according to Capgemini's Parkinson, the out-of-compliance event involved an employee going online and changing the company's product prices after a colleague called to say the prices were out of date. The ease with which the company made such updates now needs to be weighed against questions of controls and separation of responsibilities for financially related processes.

The starting point for CIOs who want to assess how well their companies complied often lies in carefully reviewing issues raised by an auditor. Members of the accounting firm Ernst & Young's Technology and Security Risk Services practice recently outlined in a Webcast a more general checklist of some important technology-related questions that IT executives can use to assess the state of their internal controls:

  • Does the company allow too many programmers access to production?
  • Is it necessary for a company to capture and record each keystroke?
  • Are there too many "super users" authorized on the IT systems?
  • Is IT access revoked quickly after employees are terminated (either voluntarily or involuntarily)?
  • Are data backups run properly and also documented?
  • Does the company properly manage third-party service organizations to ensure they are in compliance, too?

After assessing their Sarbanes-Oxley compliance, some companies may opt to make a technology investment. Among the most popular Sarbox-related IT projects: enhancing internal security by ensuring that employees have a separation of duties relative to financial-reporting processes. Companies are also improving document retention capabilities primarily because of a Sarbanes-Oxley requirement to retain documents for up to seven years, according to John Hagerty, vice president with AMR Research and author of the recent compliance report.

CIOs may even find a pot of gold at the end of the rainbow in terms of Sarbanes-Oxley spending, instead of a bottomless pit. Some forward-looking companies are using compliance mandates as a means to improve business processes that do more for the company than help it meet regulatory deadlines. Some of those initiatives can help an organization streamline processes, better manage sensitive data, and operate in a more efficient manner.

"People can either complain about compliance or they can embrace it and move on," Hagerty said. "We're starting to hear from people that they are embracing it and seeing some of the benefits from the increased discipline it forces throughout an organization. The benefit will ultimately be a more smoothly run organization."

Elizabeth Wasserman has written about technology and business for Inc., CIO Insight, and the San Jose Mercury News. She is a freelance writer based in Fairfax, Virginia.

TechWeb is brought to you by CMP Media LLC, Copyright © 2004