Sarbanes-Oxley: What IT Can Do - InformationWeek



Sarbanes-Oxley: What IT Can Do

In the anxious rush to comply with the Sarbanes-Oxley Act, too many financial organizations have ignored the great potential of IT systems. Not only can IT ease current headaches: IT systems can establish efficient, cost-saving processes for the future.

Public companies are in the process of completing their initial Sarbanes-Oxley Act Section 404 compliance efforts, which involve identifying and correcting financial control issues. Meanwhile, after an infamous string of business scandals, public accounting firms have increased the amount of work they perform verifying transactions, testing financial controls, and so on. Audits, once discounted as a way for accounting firms to snag more lucrative consulting engagements, have become much pricier now that firms have largely divorced audit and consulting activities. Ventana Research believes that this year, both public and private companies will address escalating audit fees and the factors that drive them.

Finance executives and audit committees should investigate to what extent deficiencies in their companies' IT systems are making audit fees higher than necessary. One of the biggest barriers I find is that finance people are unaware of how IT systems can address process issues - and that IT people are unaware of how systems they are familiar with can save the finance organization money by lowering audit fees. Three key objectives should be the focus of efforts to correct deficiencies:

  • Automate and integrate processes to decrease vulnerability to fraud (that is, limit the number of items that need to be checked).
  • Upgrade reporting systems where necessary to enhance control and facilitate audits (that is, make the checking process more efficient).
  • Add document (or content) management capabilities to finance department processes, thereby making the record of supporting information more complete and available on a timely basis (that is, reduce the audit burden and increase process efficiency).

SOX: An IT Perspective

"Sarbanes-Oxley" — "SOX" for short — has become a buzzword. However, it is important that those involved in designing and implementing IT systems that support SOX compliance have a clear idea of the legislation and its purpose. Many use the term to loosely refer not just to the legislation passed in mid-2002 to shore up corporate governance in publicly held companies, but also to other rules enacted in the wake of corporate scandals and the tighter regulatory climate in general.

Some of the fuzziness on the meaning of SOX is also the result of the breadth of the Act itself. It is an omnibus bill that incorporates a variety of provisions. Some — auditor independence, for example — have no direct bearing on IT issues.

Adding to the confusion, a single entity does not handle enforcement of the key sections of the law. Instead, various authorities and agencies are charged with enforcement and regulation: a federal agency, such as the Securities and Exchange Commission (SEC) for Section 409; nongovernmental entities, such as auditors, for Sections 404 and 302. Each enforcement organization has different methods, rules, and histories. The SEC tends to be very specific in setting rules, whereas auditors must work within more general guidelines. It is necessary to keep these differences in mind. There was much discussion during 2003 that compliance with Section 409 would require massive investments in reporting and building dashboards. People who read the law carefully, however, understood that the SEC had enumerated the specific "events" that public companies need to disclose — none of which had much to do with beefing up reporting and dashboards, let alone IT systems.

For most public companies, compliance with Sections 404 and 302 has been the focus over the past 12 months. Section 404 didn't come out of nowhere; it was the culmination of attempts begun in the 1970s to achieve greater control over IT systems to prevent financial fraud. Section 404 requires that public company management have adequate internal control over financial reporting; Section 302 requires management to make periodic formal assessments of the effectiveness of the company's internal controls and attest to the accuracy of the financial statements. To comply with the law, senior managers must identify the framework they use for evaluating the effectiveness of internal controls over financial reporting. The company's public auditors must provide an opinion on the adequacy of those controls. The control "framework" defines how a company identifies the ways in which its systems are vulnerable to fraud, the controls it has in place to prevent the exploitation of those vulnerabilities, and the tests it uses to ensure that the controls are working.

1 of 3