As SunTrust Banks' financial-reporting problems show, CIOs and CFOs need to map out business processes and controls used to produce financial statements.

Steven Marlin, Contributor

October 13, 2004

As a key Sarbanes-Oxley Act deadline looms, CIOs are coming to grips with the central problem of determining where financial controls leave off and IT controls begin. The problem isn't an academic one: Those companies that fail to learn the lesson could find their top execs behind bars.

Beginning Nov. 15, companies must, under section 404, include a statement attesting to the effectiveness of internal controls over financial reporting with their 2004 annual reports.

The point was driven home by this week's disclosure by SunTrust Banks that it is restating its earnings upward for the first two quarters of 2004 and delaying its third-quarter earnings statement because of improper accounting procedures in its auto finance division. The bank revealed that it had mistakenly used gross charge-offs instead of net charge-offs to compute its loan-loss reserves.

A charge-off occurs when a loan is written off. Gross charge-offs include all such loans, including those that have been subsequently recovered via collections; net charge-offs include only those loans that haven't been recovered. Loan-loss reserves are amounts set aside to cover bad loans.

As a result of the error, SunTrust underreported earnings for the first two quarters by $17 million and $5 million, respectively. Two executives--its chief credit officer and its controller--were put on paid leave.

In order to achieve compliance, CIOs need to work closely with CFOs and other key execs to map out business processes and controls used to produce financial statements. In SunTrust's case, the business process was the production of loan-loss reserve figures for quarterly earnings statements; the control was, or should have been, a circuit breaker in its financial system to detect that it was using incorrect numbers in preparing its first- and second-quarter earnings statements.

That such a control was either missing or not working properly--despite an abundance of resources aimed at getting the company into Sarbanes-Oxley compliance--was all too evident. "If they had tested both the business process and the control, they would have been able to catch the error earlier," says John Logan, head of Obian Inc., a developer of software for IT controls and documentation. A SunTrust spokesperson declines comment but says an internal investigation is under way.

An auditing standard adopted earlier this year for section 404 defines four categories of IT controls: program development, program changes, computer operations, and access to programs and data. Access to programs and data, or lack thereof, is where most companies get burned by accounting scandals, Logan says.

Management's job is to create a strategy for preventing such scandals; IT's job is to implement it. Says Logan, "IT has both the responsibility and the tools to ensure that financial statements are accurate."
