Control IT Threats to SOX Compliance and Get a Better Night's Sleep

[Editor's note: This is an abbreviated version of an article that originally appeared in the June 2006 issue of Upstream CIO magazine.]

The Sarbanes-Oxley Act (SOX) has transformed the business and regulatory environment for most American public companies, particularly the oil and gas industry.

The act's charge was to enhance corporate governance through measures that strengthen internal checks and balances and, ultimately, enhance corporate accountability. It is important to emphasize, however, that Section 404 of SOX does not merely require senior management and business process owners to establish and maintain an adequate internal control structure. These individuals must also assess and report on the structure's effectiveness annually. This is a huge endeavor and, in general, Section 404 represents a significant investment.

Organizations that have begun the compliance process quickly discover that IT plays a vital role in internal control. Systems, data, and infrastructure components are critical to financial reporting. This means that IT professionals--especially chief information officers (CIOs)--need to be well-versed in internal control theory and practice to meet Sarbanes-Oxley requirements.

Today’s CIOs must:

  • Enhance their knowledge of internal control
  • Understand their organization’s overall Sarbanes-Oxley compliance plan
  • Develop a compliance plan to specifically address IT controls
  • Integrate this plan into the overall Sarbanes-Oxley compliance plan
  • Adopt effective and economical compliance maintenance systems.

The nature and extent of internal controls depend to a great extent on the size and complexity of the company. Regardless of the company’s size or complexity, there are seven ways to sabotage your company’s efforts toward instituting economically and legally workable IT controls:

  • Underestimating the role of IT
  • Thinking non-public companies are immune
  • Reinventing the wheel
  • Missing the inherent opportunity
  • Neglecting the smaller systems
  • Overlooking multi-location issues
  • Waiting.

Let’s go into each of these individually, starting with underestimating the role of IT. Services that every department or business depends on, such as security, telecommunications and storage, are often managed by a central IT function. Not fully understanding how large a stake you have in compliance--and in the financial future of your company--is a mistake. IT enables critical financial controls, such as:

  • Information management and data classification
  • Role-based user management
  • Real-time reporting
  • Transaction thresholds and tolerance levels
  • Data processing integrity and validation.

An IT department is the foundation of an effective system of internal control over financial reporting. Many IT leaders and teams are held accountable for the quality and integrity of the information generated by their systems; however, they are not typically well versed in the intricacies of internal control. They are used to, and good at, managing risk in a strategic sense, but often not in the structured way that management and auditors expect, with documented control objectives and evidence that each control operates. All groups must work jointly as leaders to assure compliance. Organizations need representation from IT on their Sarbanes-Oxley teams to ensure that IT general controls and application controls exist and can be shown to work.

Stock options aside, CIOs of private companies often consider their non-public corporate structure a blessing when it comes to Sarbanes-Oxley compliance. What they eventually find out, however, is that when they start doing business with larger public companies, Sarbanes-Oxley compliance with respect to IT controls is expected of them as well. Public companies need to ensure that their non-public vendors have also mitigated their risks. The CIOs of private companies that don’t initiate basic IT controls are likely to pay more to become compliant in the future.

The third mistake is reinventing the wheel. When it comes to putting IT controls in place, you have probably already done most of the work. The controls may be informal. They may lack documentation. Not everyone may know how to define them or find evidence of their effectiveness. But IT controls generally already exist in areas such as security and change management, and many organizations can tailor existing IT control processes to comply with Sarbanes-Oxley. Don’t make the mistake of starting from scratch.

Frequently, it is the consistency and quality of control documentation that is lacking, while the underlying process is already in place and needs only minor modification. Of course, performing an effective discovery of IT control processes and their documentation is time-consuming. The effort is even more daunting because the design and assessment of IT controls, and the skills or management structure needed to identify and focus on high-risk areas, are a specialized body of knowledge. Not all teams have that expertise in place.

If you perceive all of this investment in understanding IT controls as mere compliance, you’re making a big mistake. The work required to comply with the Sarbanes-Oxley Act is also an opportunity to establish strong governance models that ensure accountability and responsiveness to business requirements.

There are no risk-free environments; Sarbanes-Oxley compliance is not a silver bullet for assured governance. But the processes that most organizations will follow to enhance their system of internal control to meet Sarbanes-Oxley standards will likely provide lasting benefits. Good IT governance over planning and lifecycle control objectives helps ensure more accurate and timely financial reporting.

Because of the devastating cost of noncompliance, it is crucial to adopt a progressive approach toward enacting effective and efficient IT controls. Under Section 906 of the act, a C-level executive who certifies a periodic report to the SEC knowing that it does not meet the act's requirements faces a fine of up to $1 million, up to 10 years in prison, or both. Willfully certifying a non-compliant report raises the penalty to a fine of up to $5 million and up to 20 years in prison. Note that the lower tier already assumes the executive knew the report was deficient; the certification is not something to sign on faith.

The stakes are high, and IT’s role in compliance often takes time to master as an organization. Engaging the challenge sooner rather than later will help you build a better organization, both now and in the future--and help everyone get a better night’s sleep!