Sarbanes-Oxley: What IT Can Do - InformationWeek

News
3/30/2004
11:36 AM

Sarbanes-Oxley: What IT Can Do

In the anxious rush to comply with the Sarbanes-Oxley Act, too many financial organizations have ignored the great potential of IT systems. Not only can IT ease current headaches; IT systems can also establish efficient, cost-saving processes for the future.

Public companies are in the process of completing their initial Sarbanes-Oxley Act Section 404 compliance efforts, which involve identifying and correcting financial control issues. Meanwhile, after an infamous string of business scandals, public accounting firms have increased the amount of work they perform verifying transactions, testing financial controls, and so on. Audits, once discounted as a way for accounting firms to snag more lucrative consulting engagements, have become much pricier now that firms have largely divorced audit and consulting activities. Ventana Research believes that this year, both public and private companies will address escalating audit fees and the factors that drive them.

Finance executives and audit committees should investigate to what extent deficiencies in their companies' IT systems are making audit fees higher than necessary. One of the biggest barriers I find is that finance people are unaware of how IT systems can address process issues, and that IT people are unaware of how systems they are familiar with can save the finance organization money by lowering audit fees. Efforts to correct deficiencies should focus on three key objectives:

  • Automate and integrate processes to decrease vulnerability to fraud (that is, limit the number of items that need to be checked).
  • Upgrade reporting systems where necessary to enhance control and facilitate audits (that is, make the checking process more efficient).
  • Add document (or content) management capabilities to finance department processes, thereby making the record of supporting information more complete and available on a timely basis (that is, reduce the audit burden and increase process efficiency).

SOX: An IT Perspective

"Sarbanes-Oxley" — "SOX" for short — has become a buzzword. However, it is important that those involved in designing and implementing IT systems that support SOX compliance have a clear idea of the legislation and its purpose. Many use the term to loosely refer not just to the legislation passed in mid-2002 to shore up corporate governance in publicly held companies, but also to other rules enacted in the wake of corporate scandals and the tighter regulatory climate in general.

Some of the fuzziness on the meaning of SOX is also the result of the breadth of the Act itself. It is an omnibus bill that incorporates a variety of provisions. Some — auditor independence, for example — have no direct bearing on IT issues.

Adding to the confusion, a single entity does not handle enforcement of the key sections of the law. Instead, various authorities and agencies are charged with enforcement and regulation: a federal agency, such as the Securities and Exchange Commission (SEC) for Section 409; nongovernmental entities, such as auditors, for Sections 404 and 302. Each enforcement organization has different methods, rules, and histories. The SEC tends to be very specific in setting rules, whereas auditors must work within more general guidelines. It is necessary to keep these differences in mind. There was much discussion during 2003 that compliance with Section 409 would require massive investments in reporting and building dashboards. People who read the law carefully, however, understood that the SEC had enumerated the specific "events" that public companies need to disclose — none of which had much to do with beefing up reporting and dashboards, let alone IT systems.

For most public companies, compliance with Sections 404 and 302 has been the focus over the past 12 months. Section 404 didn't come out of nowhere; it was the culmination of attempts begun in the 1970s to achieve greater control over IT systems to prevent financial fraud. Section 404 requires that public company management have adequate internal control over financial reporting; Section 302 requires management to make periodic formal assessments of the effectiveness of the company's internal controls and attest to the accuracy of the financial statements. To comply with the law, senior management must identify the framework it uses for evaluating the effectiveness of internal controls over financial reporting. The company's public auditors must provide an opinion on the adequacy of those controls. The control "framework" defines how a company identifies the ways in which its systems are vulnerable to fraud, the controls it has in place to prevent the exploitation of those vulnerabilities, and the tests it uses to ensure that the controls are working.
