Where Was IT?

CIOs need to rethink their responsibilities as companies fight to restore investor confidence in financial reports
As regulators, legislators, and investors scrutinize the actions of CEOs and financial executives at companies with questionable business practices, senior technology managers seem to have escaped notice. But with scandals widening each week, IT executives might ask themselves whether they're doing enough to prevent the kind of irregularities that can get their companies into trouble and erode investor confidence. CIOs, after all, wanted greater business involvement. Now that they've got it, it may be time to re-examine the responsibilities that go with the territory.

So far, no technology managers have been publicly implicated in the problems at Adelphia, Enron, Global Crossing, Tyco, WorldCom, or Xerox. Both WorldCom and Xerox admitted last week to improperly recording billions of dollars in an effort to improve their financial results.

The job of being a high-level IT manager has changed a lot in recent years. As technology leaders increasingly make their way into boardrooms, they must rethink their duties and responsibilities. "You're just as responsible as the other executives," says Eduardo Vital, executive VP and CIO at Ryder System Inc., the $5 billion logistics and transportation company. "You can't excuse yourself by saying, 'I'm just IT.'" Ryder holds weekly executive meetings at which an eight-person group, including Vital, discusses issues facing the company and its business units. "You do have to know what's going on in transportation, in supply chain, in finance," he says.

At some of the companies under scrutiny, it's unclear whether even the most conscientious and plugged-in business-technology manager could have uncovered the financial games being played. But, particularly where CIOs have greater authority, their responsibility goes deeper than ensuring that systems work, says attorney Joseph Rosenbaum, a partner at Reed Smith LLP and head of its E-commerce practice. The CIO holds "a significant degree of responsibility to work with internal and external auditors to ensure a high degree of integrity, that the information is secure, and can be authenticated and reliably reproduced in real time," he says.

Such expectations are reasonable but only to a point, say others. United Airlines CIO Eric Dean believes that IT does have a role in ensuring the integrity of financial reporting systems but says that's not the same as guaranteeing the material accuracy of financial statements. Dean says his department makes sure that databases are designed with integrity, that they function according to design, and that the transaction-processing systems that gather data have adequate controls. "I don't have time to be paying attention to the output our computer systems are generating," he says. "If we have to do both, we're basically suggesting we should abdicate the responsibility of managing the company to the computer people."

Feelings run high on both sides. On behalf of InformationWeek, executive placement firms Tatum CIO Partners LLP and Tatum CFO Partners LLP asked their executive-level clients whether technology managers could prevent accounting misconduct. The answers ran the gamut from the adamant position that IT people cannot prevent such activity to ringing declarations that they "absolutely, without a doubt" can.

The question prompted soul-searching by some. "If IT wants to be truly part of top management, then they have overall management responsibilities," says Richard Carter, a CFO who takes assignments arranged via Tatum CFO Partners. Even so, "I don't think that IT management has the opportunity to detect this type of fraud."

Mireille Staub, a CIO with Tatum and a former CIO at software developer Starbase Corp., thinks differently. "Where there's intent to defraud, the CIO ought to have a clue," she says. CIOs should set up cross-checking and reports of crucial data, then make these available to the executive team, particularly the CFO. "In my experience, this has helped catch problems," she says.

Harvey Kelly, a forensic accountant and partner in PricewaterhouseCoopers' corporate investigations group, agrees. Kelly and his colleagues sift through corporate systems after accounting irregularities are uncovered, looking for the culprits. He contends that IT leaders and their staffs are in a unique position to detect fraud.

One way is to observe user behavior, Kelly says. Those taking advantage of complicated computer applications to perpetrate fraud are often resistant to upgrading to more user-friendly software, he says. Kelly also advises that those who oversee financial applications watch for suspicious activity, such as breaking up a large sum of money and moving it into multiple accounts or reversing audit-book entries after the financial report has been released by the auditors. "People greatly altering their behavior around reporting periods--those are the things the IT officer might detect as something that looks unusual," he says. (See "Using IT To Prevent Fraud," /895/prevent.htm).

None of this requires extensive accounting expertise, just close knowledge of IT systems. "CIOs aren't going to be fluent in accounting language," says Joseph Carcello, accounting professor at Tennessee College of Business Administration in Knoxville and the VP of auditing for the American Accounting Association. "But general ethics say that you need to make an effort to get yourself comfortable that your information system isn't being used for something that's not legal."

IT departments can be drawn into trouble. Carcello cites a case involving a company, which he wouldn't name, where the IT department manipulated its accounting systems to hold open accounts past the closing of a fiscal quarter to book revenue from sales that took place after the deadline. "That's coding to help perpetrate the fraud," he says. "I've seen a number of those instances."

Vari-L Company Inc., a Denver maker of components for mobile communications devices, faced a different problem, according to company press releases, reports by the SEC, and executives now running the company. They say the company overbooked revenue in 1999 by $30 million to $35 million, a substantial amount for a company with annual revenue of just $41.4 million in 2001. That happened, in part, because the IT department at the time limited access to data that might have revealed the problem, says Jeramy Cooper-Leavitt, who was hired in September as the new director of IT and charged with changing the department's culture and processes.

"IT slapped such a rigid wall around information to keep the rest of the people veiled from what was going on," says Rick Dutkiewicz, Vari-L's VP of finance and CFO, who joined the company after the incident. Things have changed: The business and technology leaders work closely to enforce a system of checks and balances. An XML-based infrastructure with strict access controls ensures that documents flow to the appropriate users. "No one saw these reports back then, and no one cared, either," Dutkiewicz says. "They weren't reviewing the data. The accountability wasn't there."

Technology vendors should do a better job of helping IT staff understand the ways in which misconfigured software can create opportunities for perpetrating fraud, says Bill Ferguson, director of technology and a partner at Tatum CIO. "I've implemented financial software many times, and those just aren't questions that are asked in the design and configuration of software."

Indeed, technology can be used to help prevent irregularities. Financial reporting and management tools from vendors such as Cognos, Hyperion, PeopleSoft, and SAP can automate and speed the process of collecting and disseminating information throughout a corporation (see "Fast-Track Financials," Feb. 18, p. 55; informationweek.com/876/fast.htm). And vendors are developing tools to create better transparency and ensure data integrity. PeopleSoft, for instance, sells CFO Portal, a browser-based system that gives line-of-business managers the ability to monitor transactions. The company also plans this summer to unveil an application that will gather financial information in a single data warehouse and provide more visibility into corporate numbers.

More businesses are asking for financial systems that provide real-time data feeds and updates of expenditures and sales, says Renee Lorton, senior VP and general manager of financial-management solutions at PeopleSoft. "Surprises are no longer tolerated after the close of the quarter, so the business managers need to have the information throughout the quarter so they can ensure their numbers are right," says Lorton, who's also a certified public accountant.

Tax Technologies Inc., a Haworth, N.J., taxation and accounting software developer, suggests that an Internet-based document depository could allow all documents used in the auditing process to be reviewed in real time by a company's auditors, management, and board of directors. Currently, most boards don't see the numbers until just a few days before the final report must be sent to the SEC. Jeff Wenger, VP and chief technology officer at Tax Technologies, says his company's approach lets all parties ask questions as the auditing process moves forward, producing more accurate data more quickly.

Meanwhile, the movement toward standardizing electronic financial reports using eXtensible Business Reporting Language is gaining momentum. Some 140 companies, as well as government organizations, have joined the XBRL Organization, which was founded by the American Institute of Certified Public Accountants. The XBRL language lets companies provide hyperlinks that connect numbers in financial statements to explanatory footnotes; the idea is to make financial statements easier to understand so that investors can make better-informed decisions. Reuters and Microsoft publish financial statements using XBRL.

"We're at the point now where we've sold the concept to enough parties that the people who don't adhere to it are going to have a competitive disadvantage," says Liv Watson, director of XBRL at Edgar Online Inc. and the VP of the XBRL consortium.

Technology and IT personnel can indeed help make people more aware of what's happening in a world of complicated auditing rules, but they can't solve everything, says Bob Williamson, CFO at financial services firm VFinance. "From an IT perspective, you can put in increasingly sophisticated systems and auditing tools, but they can always be overwhelmed by fraudulent activity." Yes, there is that added factor called honesty.

--with Diane Rezendes Khirallah and Sandra Swanson
