Thinking Outside of Sarbox
There is a wealth of material and speeches now on Sarbanes-Oxley (Sarbox). With great diligence, many companies, accounting firms and consultancies have closely examined the law and developed their policies, strategies and products. The need for Sarbanes-Oxley diligence is duly recognized, as it should be.
There are some other, less encouraging behaviors going on at this time that require caution on the part of companies in search of Sarbanes-Oxley assistance and guidance. Some of these issues originate within the public companies themselves. Additionally, the actions of some consultancies, accounting firms and vendors require scrutiny.
Many companies implementing Sarbanes-Oxley require the use of audit professionals and, in fact, will only consider accounting firms for Sarbox assistance. This is disconcerting for two reasons. The laws of supply and demand are at work and, as demand is far outstripping supply, the financial windfall for accounting companies is going to be eye-popping. This is the same industry that created the unethical accounting practices that led to Sarbox, received the biggest fines and now gets a payoff of a multibillion-dollar service line to add to their portfolio. Should your organization require Sarbox help and insist on public auditors, it is good due diligence to consider regional or local accounting firms that do not depend on large audit engagements. (Sarbox does prohibit a company's auditor from assisting on Sarbox compliance, but large audit practices are not as lucrative as they once were, which causes these firms to cast about for higher-margin work.)
Additionally, the insistence on financial auditors also means that the information management requirements of Sarbox are being left to non-IT auditors. The old-fashioned "information auditing" became passé in the late 1990s. That function is probably the one best suited to deal with the technology aspects of Sarbox.
Regardless of whether the philosophy of SOX is new or not, there is now momentum to manage information correctly. This article does not alter that approach in one bit. (Carpe Sarbox!)
Finally, many companies, when they understand the extent of their Sarbox challenges, are taking another path. They are acquiring additional insurance to guard against accidental errors and miscues by directors and executives. The people are expendable, but the companies will insure themselves against the costs of non-compliance until they are prepared.
The final issue originating within the companies is the philosophy of dealing with Sarbox. Companies are treating this as though it were brand new stuff. "Oh, but you don't understand, my CEO could go to jail. This is new," you might say. Yes, he could, but then again he could have gone to jail before Sarbanes-Oxley. If you as a CIO have studied the bill in detail (and you should READ IT END TO END), you will have noticed that the main purpose of the bill is no different from the day-to-day purpose you have been responsible for since the day you started at the company as a low-level technician or business grunt: do your job well and protect the company from fraud and fraudulent activities. Is that not true? So why is it different today? I have had discussions at conferences in which people related how wonderful it is that we now have rules for classifying data and determining materiality. Those rules and guidelines have been there for years. Sarbox has merely gathered them into one place.
The other area of Sarbox problems stems, alas, from consultants (yes, my peers) and vendors. Many consultancies are now "experts" on Sarbox. The only advice here is to ask for Sarbox references. However, many firms have very few references. If you prefer an IT consultant but he is light on experience, blend him with an independent auditor. In addition, many BI vendors have now tied their product sets to Sarbox compliance. At this time, it is doubtful that any vendor has enough experience to have built Sarbox functions into general BI tools.
There is a strong analogy to be drawn between Y2K and Sarbox when it comes to the vendor/service issues. Consultants and software companies who are looking to make a lot of money off Sarbox are following the same marketing strategies they did with Y2K. They talk to business heads (making an end run around the CEO). CIOs may exploit this to get budget and support for SOX efforts. But this is a two-edged sword: if the overstated services and products don't work, the CIO will be relegated back to the "data supplier" role and CFOs will again dominate technology decisions. The FUD factor is strong with Sarbox.
If you really want to implement Sarbanes-Oxley in a way that makes sense for the business, you need to have your company follow the simple plan outlined below:
- Draw up a contract that holds the board of directors accountable for the unethical behavior of the executives of the company, not an insurance company.
- Buy additional insurance coverage to mitigate the risks inherent in the new Sarbanes-Oxley era. All the information initiatives based on Sarbox still have to be executed well and, more so, institute cultural changes. This is not a rapid effort.
- Make sure your auditor conducts an actual audit (as in the old days, before fees for real audits got so small that such audits were no longer profitable and so no longer happened). This should include bringing in the IT auditors (remember, they used to be part of an audit).
- Write a memo that clearly states the benchmarks for how fast the company needs to communicate changes, material and otherwise, and then hold the CFO responsible for beating those benchmarks.
- Hire/retain ethical CEOs, CFOs and CIOs.
- Thoroughly assess and plan for the culture changes that may be required.
Once you have completed these steps, go back to executing your technology strategy and infrastructure migration that may or may not be tied to Sarbox.
The contents of this article are Copyright 2003 by DM Review and KI Solutions. Any use, quotation, repurpose, duplication or replication of the diagrams, concepts or content without permission of DM Review and the author is prohibited.
John Ladley is a director for Navigant Consulting, which recently acquired KI Solutions, a management consulting firm specializing in knowledge and information asset management and strategic business intelligence planning and delivery. Ladley is an internationally recognized speaker and, more importantly, hands-on practitioner of information and knowledge management solutions. He can be reached at firstname.lastname@example.org. Comments, ideas, questions and corroborating or contradictory examples are welcomed.
Donn Vucovich is a principal of KI Solutions (formerly Knowledge InterSpace, and short for Knowledge and Information Solutions), a management consulting firm specializing in knowledge and information asset management and strategic business intelligence planning and delivery. Vucovich can be reached at email@example.com.