Thoughts from the Integration Consortium:
Sarbanes-Oxley Act and IT: Why There is No "I" in "SOX Team"

Online columnist: Integration Consortium. Column published in DMReview.com, September 30, 2004.
By Integration Consortium

This month's column is contributed by Rob Smith, co-chair of Industry Solutions - SOX Committee Integration Consortium.

Why IT is Left Out of Sarbanes 404 and 409 Committees

Sarbanes-Oxley (SOX) compliance has become the number one issue facing CXO executives today. Compliance with the terms of the SEC's SOX Act of 2002 has become the number one pain point of most public organizations and boards of directors, both in the U.S.A. and around the world. They are in a desperate race to ensure they have documented and tested a range of financial controls, all to ensure the integrity of the financial numbers they make public at each year end and at each quarter. But the extensive and elaborate team of senior executives that meets once a week to discuss the progress of SOX compliance is often without a critical member: the CTO or CIO. Information systems executives are often left off the SOX compliance committees and teams simply because they are viewed as outside the realm of financial reporting.

The Public Company Accounting Oversight Board (PCAOB) was created by the SOX Act of 2002 to oversee the auditors of public companies. Its members are appointed by the SEC, and their role is to "ensure that public company financial statements are audited in accordance with the highest standards of quality, independence and ethics." They do this by enforcing the rules contained in the Sarbanes-Oxley Act and any new rules added by the SEC. The bulk of the enforcement issues and rules relates to the presentation of financial information by public companies. However, with the creation of Sections 404 and 409, SOX went well beyond the role of financial professionals.

Section 404 states in brief that executive managers and boards of directors of public organizations must acknowledge their responsibility for the financial controls within the organization and the accuracy of the financial information made public. Then they must provide an assessment of the effectiveness of these controls and have an auditor attest to this assessment. Section 409 stipulates that the same board and executives must disclose real-time information "concerning material changes in the financial condition or operations of the issuer including trends as the Commission determines necessary for the protection of investors and in the public interest." The ability to report real-time information and set controls to ensure the validity of financial information was thought by the SEC and the PCAOB to be fully within the realm of the financial professionals that posted the information. But they were wrong.

The Pandora's Box of 404 and 409

When the SEC created SOX, it inadvertently opened a Pandora's box, because the short statements contained in Sections 404 and 409 spoke volumes about how much the financial numbers and accounting operations in organizations were driven by information technology and the physical operations of organizations. Risk managers and compliance specialists quickly realized that in order to ensure the accuracy of the financial disclosures, they would have to ensure the validity of all the underlying processes that fed the numbers: inventory flow, contract disclosure and oversight, counterparty credit risk, system integration and development, real-time exception reporting, mark-to-market valuations, value-at-risk assessments and so on. Suddenly two small regulations had opened an entire world of potential compliance failure points. Yet in most cases very few SOX compliance teams contained more than a single representative from the IT side of the company.

It was evident from the very hazy and wide-open way in which the commission drafted the 404 and 409 regulations that it understood the impact of the underlying physical operations of organizations. Process controls had to extend beyond the scope of financial and audit teams, and the commission even drafted amendments to this effect. Once the box was open there was no turning back. The audit organizations tried, however. A recent review of a major Tier 1 SOX 404 guide presented to public companies includes such statements as "Management need not assess internal control over operations and compliance" and "A company's business continuity or contingency plans have no effect on its ability to initiate, authorize, record, process or report financial data and are not part of SOX compliance." This notion that accounting is a standalone function unto itself is where most companies will be caught by SOX 404 and 409 compliance regulations in the coming years.

Remember that most of the great corporate failures of the last few years had nothing to do with financial reporting. The companies were dead by the time the public read the annual report, even though the financial statements followed generally accepted accounting standards. Companies such as Enron and WorldCom went bankrupt because the underlying physical processes of the organization were failing, and the company was not required to report this in publicly released financial statements for many periods. For public companies to avoid a SOX compliance failure, they must accept the fact that accounting is the score of what has happened and is not a predictor of things that will happen. To this end, information technology executives must become active and equal participants on SOX executive committees, as must risk and continuity experts, security experts and market traders capable of understanding the market trends noted in Section 409.

Winning the SOX Game

SOX is a rigged game in which you play against the regulators, and your failure in the game will result in very personal repercussions. All executive members must participate and be included on compliance teams, not just accounting or audit staff. Any board that fails to include its information technology staff in its compliance efforts risks losing the game, placing its shareholders in peril and itself in the gun sights of the SEC regulators.

Rob Smith is an author for Penguin Publishing on technology and business. He is the CEO of Riskstream Inc., a business continuity and regulatory specialist. He is also the co-chairman of the Integration Consortium (www.integrationconsortium.org).


For more information on related topics visit the following related portals...

The Integration Consortium is a non-profit, leading industry body responsible for influencing the direction of the integration industry. Its members champion Integration Acumen by establishing standards, guidelines, best practices, research and the articulation of strategic and measurable business benefits. The Integration Consortium's motto is "Forging Integration Value." The mission of the member-driven Integration Consortium is to establish universal seamless integration which engages industry stakeholders from the business and technology community. Among the sectors represented in the Integration Consortium membership are end-user corporations, independent software vendors (ISVs), hardware vendors, system integrators, academic institutions, non-profit institutions and individual members as well as various industry leaders. Information on the Integration Consortium is available at www.integrationconsortium.org or via e-mail at info@integrationconsortium.org.
