Time Is Running Out

Like most business-technology executives at public companies, Atefeh Riazi can't wait for 2005 to arrive. The CIO of global advertising agency Ogilvy & Mather faces the daunting task of ensuring compliance with Section 404 of the Sarbanes-Oxley Act. As much as she looks forward to putting behind her the rush to meet the law's first deadline at year's end, allowing the company to focus on other projects, the biggest relief may come in the form of employee morale. "If they thought this was their job for the next 10 years, you'd see them run away very quickly," Riazi says. "IT people want to deploy new technologies. They don't want to run around deploying controls on applications."

As the deadlines near, the scramble to establish, document, and audit internal controls threatens to disrupt normal IT operations. Companies have halted production, delayed upgrades of core systems, and shifted staff hours by the thousands. Nearly a third of 446 respondents to an informal InformationWeek Web poll last week say their companies have yet to complete even half of the compliance work. And a survey released last week by PricewaterhouseCoopers and Corporate Board Member magazine found that 20% of board members believe Sarbanes-Oxley is such a distraction to management that it will hurt company performance. But even as they curse Sarbanes-Oxley, IT executives say compliance ultimately will help their companies by creating leaner, more-focused business processes.

Section 404 of Sarbanes-Oxley requires public companies to verify that their financial-reporting systems have the proper controls, such as ensuring that revenue is recognized correctly. Senior executives must attest that these controls are in place for fiscal-reporting periods that conclude after Nov. 15. For companies with revenue of less than $75 million, the deadline is July 15.

To accommodate the Sarbanes-Oxley effort, Ogilvy's Riazi has frozen most changes to the company's production environment until year's end. A planned upgrade of its IBM Lotus Notes E-mail system has been put on hold. That will create a scramble during the first months of 2005, when Ogilvy will try to upgrade as many desktops as possible before IBM cuts off support of the agency's old version early next year. Still, some Asian, Eastern European, and Latin American employees will be stuck with the older, unsupported version for a while. Ogilvy, a unit of WPP Group Inc., earmarked 1% of its IT budget for Section 404 compliance, and Riazi estimates that as much as 10% of IT staff time has been spent on the effort in the second half of 2004.

Yet Riazi sees an upside now that Ogilvy is 80% compliant and on its way to meeting a goal of 99.5% compliance by year's end. Using a homegrown application and IBM's Lotus Workplace document-management tool, Ogilvy will have better documentation of its systems and applications and an improved process for documenting all changes. Perhaps the most desirable outcome will be frequent discussions between IT and senior management regarding system performance, reliability, and usability. "It's not fun stuff, but it's a window to a closer relationship," Riazi says.

But companies that maintain they will return to business as usual once the deadline passes may be surprised by continuing challenges. The rules in a Sarbanes-Oxley-controlled world aren't clear beyond the fact that companies must conduct quarterly tests of their internal controls to stay compliant, says Lynn Edelson, global leader for systems and process assurance for auditor PricewaterhouseCoopers. "It's uncomfortable ground people are standing on," she says.

Sixty percent of companies won't meet this first round of Section 404 deadlines, estimates Bill Cook, head of business continuity and security practice for Chicago law firm Wildman, Harrold, Allen & Dixon. Companies that don't have good reasons for being noncompliant won't find the Securities and Exchange Commission very understanding. "If they say they didn't know about the regulations or didn't have the money to implement them, the SEC will regard that the same as 'the dog ate my homework,'" Cook says.

For casino operator Mandalay Resort Group, Sarbanes-Oxley serves as an opportunity to transform what had been a piecemeal approach to IT. CIO Tracy Austin looked upon compliance as an opportunity to make Mandalay's process of building, maintaining, and changing systems and applications more formal. Her staff has "dusted off" the company's outdated compliance controls and updated them to match current technology. Working with Mandalay's external auditing firm, Austin compared the company's existing IT controls against a standard IT-controls framework to determine what needed updating. By last fall, the company had a project team in place, guided by a steering committee of IT managers and internal auditors, and the project took off from there. "I've boosted the economy for several consultants," Austin jokes.

While Mandalay has delayed a planned update of its hotel- and casino-management systems and spent more than $1 million on compliance, Austin says it has been worth it to emerge with a new system-development life-cycle methodology, particularly as the company prepares to be acquired by MGM Mirage Inc. She expects to be 100% compliant come Dec. 31: "We'll have a very clear and simple cookbook for people to change or create or select systems, and that positions IT to not only be able to do projects internally but with outside consultants and vendors."

Sarbanes-Oxley could be a good thing for many IT groups, PricewaterhouseCoopers' Edelson says, because it lays a foundation for more efficient and effective business processes. "The pain they're feeling right now will turn around," she says.

QuadraMed Corp., which develops software for the hospital industry, is marching ahead on a number of projects, including consolidation of numerous contract- and project-management systems. Top managers said the company could weather the deployment work and compliance efforts simultaneously without threatening its ability to meet the Section 404 deadline, says Kevin Haggerty, senior director of internal audit. As it wraps up that work, the company's ability to meet future compliance requirements will be improved greatly, Haggerty says. "Companies that have made changes have said, 'It's really important for us to make changes in controls for our business--404 be damned,'" he says.

Even in the world of IT, it seems the best defense is sometimes a good offense.

--with Charles Babcock and Steven Marlin