Network Computing, powered by InformationWeek
Sarbanes-Oxley: Where Do You Stand?

By Tom Schmidt

As November 15 marks a key Sarbanes-Oxley Act milestone, questions remain over how financial institutions and other enterprises are faring with their compliance efforts. Are they ready? It depends whom you ask.

According to the results of a recent CIO Insight/Gartner Inc. survey of Sarbanes-Oxley compliance programs, most CIOs feel optimistic about their efforts. The majority of respondents said their compliance mechanisms will be completed on time, and that the necessary financial data will be rationalized -- although it will take a lot of work. They observed that becoming compliant will cause significant business disruption for a while, but said that things should "calm down" after the first year. Half the CIOs expect to reap a range of business benefits, including business process improvements, from their efforts.

Interestingly, almost half the CIOs said that their enterprises would do the minimum necessary to become compliant.

These results come in the wake of a survey conducted in March, by Gartner's Executive Programs group, of almost 1,000 CIOs worldwide. Respondents to that survey cited enabling new products, business intelligence, and process improvement as the biggest new IT priorities with regard to Sarbanes-Oxley. Respondents who saw Sarbanes-Oxley as a significant business disruption -- meaning that they are putting more effort into it -- were also most likely to think they are going to get business benefits.

In fact, at companies valued between $100 million and $1 billion, 61.5 percent of respondents said they expect business benefits through compliance with Sarbanes-Oxley.

According to a study conducted this summer by PricewaterhouseCoopers, 49 percent of companies consider Sarbanes-Oxley compliance a major challenge, and 29 percent consider their business information processes less than acceptable.

Finally, nearly one-third of 446 respondents to an informal InformationWeek Web poll late in October said their companies have yet to complete even half of the compliance work for Sarbanes-Oxley.

No more delays

Since the Sarbanes-Oxley Act was passed in 2002, the Securities and Exchange Commission has twice postponed compliance deadlines. Beginning this month, however, companies with publicly owned shares exceeding $75 million and whose fiscal year ends on or after November 15 must comply with the internal control reporting and disclosure requirements of Section 404 of the law. (Companies with less than $75 million in publicly owned shares have until July 15 of 2005 to comply with Section 404.)

Stan Lepeak, an analyst at Meta Group Inc., told Computerworld in October that he wouldn't be surprised if 25 percent of so-called accelerated filers are found to have inadequate controls. Lepeak based his estimate on several factors, including discussions with clients, Sarbanes-Oxley readiness surveys conducted with client firms, and concerns expressed by customers who outsource IT that service providers won't be able to document IT controls in time.

How much will all these compliance efforts wind up costing financial institutions and other U.S. companies? AMR Research recently estimated that Sarbanes-Oxley alone will set them back $5.5 billion in 2004. At the company level, that averages out to $1 million per $1 billion in revenue.

Cultivating a 'culture of compliance'

What does it signify that the deadline for compliance with Section 404 has twice been pushed back? Most observers have blamed the delays on the broadness of the provision, citing companies' difficulty in determining what "adequate" controls really are.

For their part, SEC officials have spoken frequently of the need for U.S. companies to cultivate a "culture of compliance," especially in the wake of the scandals at Enron and WorldCom. The message, experts say, is clear: Maximize the return to investors and promote transparency, credibility, and accountability. Companies that make a good-faith effort to cultivate a culture of compliance, they say, are less likely to be the subject of an SEC inspection. For these reasons, "minimum" compliance efforts are not likely to be welcomed by the SEC.

Gartner, meanwhile, reports that compliance efforts are not leading to big IT budget increases. Instead, most CIOs are squeezing the funds needed from existing budgets. As a result, Gartner recommends that enterprises take a structured approach to compliance:

  • Step 1: Set up the compliance project, led by finance, with IT as a key team member.

  • Step 2: Identify the critical IT processes. Finance must define what is material to the enterprise, after which IT can use this to decide which IT processes could affect financial reporting.

  • Step 3: Assess risks and design controls. Conduct a risk analysis for each of the critical IT processes to see where internal controls are needed. These controls are then designed and implemented.

  • Step 4: Test controls and document the results. Create a test plan and test internal controls. Identify, rectify, and retest weak internal controls.

  • Step 5: Attest to the results. Prepare and submit the correct documentation to the regulator.

Gartner and numerous other experts believe Sarbanes-Oxley ultimately could be a good thing for many IT groups because it lays a foundation for more efficient and effective business processes. In order for a company to have confidence in the integrity of its financial data it must have strong internal controls over those business processes.

While the importance of IT controls is embedded in the SEC-endorsed framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (or COSO), numerous observers have pointed out that it doesn't do enough to help identify, document, and evaluate those IT controls.

Another framework, the Control Objectives for Information and related Technology, or COBIT, was established by the IT Governance Institute (ITGI), in an effort to interpret COSO from just such an IT perspective. With the SEC's approval, COBIT is also likely to be adopted by many corporations as a guide for their Sarbanes-Oxley compliance efforts.

In the words of the ITGI, "COBIT is a ... robust framework, comprising four domains, 34 IT processes and 318 detailed control objectives. It is a comprehensive approach for managing risk and control of information technology."

Last fall, the ITGI examined COBIT specifically in regard to Sarbanes-Oxley. The result is "IT Control Objectives for Sarbanes-Oxley," which proposes that a company's "first priority should be demonstrating that strong IT controls over financial reporting are in place." Information security professionals are strongly urged to read this document.

Are you ready?

So what, finally, does it mean to be ready for Sarbanes-Oxley? It means being able to prove to your auditors -- who are ultimately going to attest to your assertions -- that you have a strong system of internal controls that can reasonably ensure the reliability of your financial reporting. It means being able to provide documentation that supports your internal control structure. And it means you regularly test that control structure.

Chances are, many of these controls were in place in the past, but they were informal and not completely documented. Sarbanes-Oxley changes all that. Senior executives are now personally accountable for the accuracy of the financial data provided to the SEC and the public, and they face jail time if the information isn't accurate or if anything is inappropriate. With Section 404 compliance upon us, much that was theoretical about Sarbanes-Oxley is now very real indeed. That's why now is the time for financial institutions and other organizations to seize the opportunity to create a strong information security program that exceeds the minimum regulatory requirements.


Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

Copyright © 2008 United Business Media LLC