[Editor's note: This is an abbreviated version of an article that originally appeared in the June 2006 issue of Upstream CIO magazine.] The Sarbanes-Oxley Act (SOX) has transformed the business and regulatory environment for most American public companies, particularly the oil and gas industry.
The act's charge was to enhance corporate governance through measures that strengthen internal checks and balances and, ultimately, enhance corporate accountability. It is important to emphasize, however, that Section 404 of SOX does not require senior management and business process owners merely to establish and maintain an adequate internal control structure. These individuals must also assess and report on the structure's effectiveness annually. This is a huge endeavor and, in general, Section 404 represents a significant investment.
Organizations that have begun the compliance process quickly discover that IT plays a vital role in internal control. Systems, data, and infrastructure components are critical to financial reporting. This means that IT professionals--especially chief information officers (CIOs)--need to be well-versed in internal control theory and practice to meet Sarbanes-Oxley requirements.
Today's CIOs must:
The nature and extent of internal controls depend to a great extent on the size and complexity of the company. Despite the company's size or complexity, there are seven ways to sabotage your company's efforts toward instituting economically and legally workable IT controls:
Let's go into each one of these individually. Necessary services for any department or business, such as security, telecommunications and storage, are often managed by a central IT function. Not fully understanding how large a stake you have in compliance--and the financial future of your company--is a mistake. IT enables critical financial controls, such as:
An IT department is the foundation of an effective system of internal control over financial reporting. Many IT leaders and teams are held accountable for the quality and integrity of information generated by their systems; however, they are not typically well versed in the intricacies of internal control. They are used to, and good at, managing risk in a strategic sense, but often not in a way that's structured around management or auditors. All groups must work jointly as leaders to assure compliance. Organizations need representation from IT on their Sarbanes-Oxley teams to ensure that IT general controls and application controls exist.
Stock options aside, CIOs of private companies often consider their current non-public corporate structure a blessing when it comes to Sarbanes-Oxley compliance. What they eventually find out, however, is that when they start doing business with larger public companies, Sarbanes-Oxley compliance with respect to IT controls is expected of them as well. Public companies need to ensure that their non-public vendors have also mitigated their risks. The CIOs of private companies that don't initiate basic IT controls are likely to pay more to become compliant in the future. When it comes to putting IT controls in place, you have probably already done most of the work. They may be informal. They may lack documentation. Not everyone may know how to define the controls or find evidence of their effectiveness. But IT controls generally exist in areas such as security and change management, and many organizations can tailor existing IT control processes to comply with Sarbanes-Oxley. Don't make the mistake of starting from scratch.
Frequently, it is the consistency and quality of control documentation that is lacking, but the general process is often in place, requiring only a little modification. Of course, performing an effective discovery of IT control processes and their documentation is time-consuming. The effort is even more daunting given that the design and assessment of IT controls, as well as the skills or management structure to identify and focus on high-risk areas, is a specialized portfolio of knowledge. Not all teams have the expertise in place.
If you perceive all of this investment in IT control understanding as mere compliance, you're making a big mistake. The work required to [comply with the] Sarbanes-Oxley Act is also an opportunity to establish strong governance models that ensure accountability and responsiveness to business requirements.
There are no risk-free environments; Sarbanes-Oxley compliance is not a silver bullet for assured governance. But the processes that most organizations will follow to enhance their system of internal control to meet Sarbanes-Oxley standards will likely provide lasting benefits. Good IT governance over planning and lifecycle control objectives helps ensure more accurate and timely financial reporting.
Because of the devastating cost of noncompliance, it is crucial to adopt a progressive approach toward enacting effective and efficient IT controls. A C-level executive who gives the SEC incorrect certification could be slapped with a fine up to $1 million--plus up to 10 years in prison. That's if the mistake was unknowingly committed! Intentional noncompliance could result in a $5 million fine and 20 years in jail.
The stakes are high, and IT's role in compliance often takes time to master as an organization. Engaging the challenge sooner rather than later will help you build a better organization, both now and in the future--and help everyone get a better night's sleep!