
| www.rfgonline.com | Wednesday, November 27, 2002 |
Sarbanes-Oxley: Corporate Governance. IT Headache?

RFG believes the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley" or "the Act") is one of the most significant pieces of securities legislation ever passed in the United States. Moreover, the changes in legal and regulatory requirements affect the entire corporation (including certain classes of non-U.S. issuers), including IT. However, neither the Act nor the U.S. Securities and Exchange Commission (SEC) rulings provide specific guidance on which controls and procedures constitute compliance. IT executives should work with legal departments to determine specific compliance actions, but should also consider the Act an opportunity to justify needed data integrity, integration, and security improvements.

Business Imperatives:
Signed into law by U.S. President Bush on July 30, 2002, Sarbanes-Oxley (Public Law 107-204) is a reaction to the many visible corporate accounting scandals that plagued Wall Street over the past year. According to a report by the U.S. General Accounting Office (GAO), in the past five years one in 10 public companies made financial restatements because of accounting irregularities. Sarbanes-Oxley was enacted to "protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes." The Act not only legislates additional controls, it significantly increases penalties.

The Act dictates improved corporate governance and increased accountability of officers and boards of directors of publicly traded companies. The independence of audit committees must improve, and penalties for corporate misconduct must intensify. While this legislation does not oblige private companies to comply, the sweeping changes in corporate accounting reflected in Sarbanes-Oxley will likely percolate into private firms as well, over time.

The Act also prohibits accounting firms from engaging in "non-audit services," such as financial systems design and implementation or IT work. Most accounting firms have split off or discontinued their consulting practices to accommodate this change. However, when signing up consultants, IT executives should make sure they indeed have no association with any of the company's auditors. Furthermore, IT executives should survey existing consultants to clearly determine affiliation.

Section 302 of the Act, entitled "Corporate Responsibility For Financial
Reports," requires the SEC to issue rules under which officers certify, with signed statements, the validity of each quarterly and annual financial report. The Act also makes these officers responsible for "establishing and maintaining internal controls," and requires that they "have evaluated the effectiveness of such controls as of a date within 90 days prior to the report, and have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date." Section 906, "Corporate Responsibility For Financial Reports," directs immediate written certification of financial reports by the CEO and CFO.

Section 404, "Management Assessment Of Internal Controls," discusses internal control evaluation and reporting associated with the annual report. (See the RFG Research Survey "Sarbanes-Oxley (SOX) 404 Compliance.") Annual reports will need to include an internal control report that shows the procedures and structure of financial reporting, as well as an assessment of their effectiveness. The SEC's "Proposed Rule: Certification of Disclosure in Companies' Quarterly and Annual Reports" proposes "to require a company to maintain procedures to provide reasonable assurance that the company is able to collect, process and disclose the information required in the company's quarterly and annual reports, as well as current reports on Form 8-K, and also to require periodic review and evaluation of these procedures."

Interpretation of these sections of Sarbanes-Oxley suggests public companies will need to audit internal systems on a regular basis to comply. However, in many large companies it is not feasible to examine all systems on an ongoing, cyclical basis, because those systems are typically distributed across the globe. In public comment on these proposed rules, Computer Sciences Corp. (CSC) states: "upgrading to a new software application 'could' have an adverse, significant effect on controls. Companies seek to mitigate these inherent weaknesses with compensating controls such as a review by competent, professional staff. A complete evaluation of internal controls within 90 days of issuing each annual or quarterly report for a global company, such as CSC, will be challenging and costly, at best. At worst, performing complete re-evaluations every quarter could prove to be impossible."

Therefore, some companies may develop a strategy in which they analyze risk associated
with these systems, and thereby decide the frequency of checking and the improvement targets. Risk management is applicable to many IT endeavors. (See the RFG Research Note "Risk Management in IT.") A risk management approach to Sarbanes-Oxley makes good sense while legal departments interpret the legislation and the SEC delivers specific rules. However, IT executives should review such approaches with legal departments and finance groups in light of other corporate responses to Sarbanes-Oxley.

Section 409, "Real Time Issuer Disclosures," directs companies to publicly disclose "on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission [SEC] determines, by rule, is necessary or useful for the protection of investors and in the public interest." This section suggests the need for financial systems to be able to produce easily understood reports that reflect the ongoing changes in a business. Furthermore, finance departments will begin preparing reports earlier, to assure completeness and timeliness.

Document management procedures and systems should get a fresh review in light of the new requirements. Central gathering of key contracts and other important documents will enable meeting SEC disclosure responsibilities. IT executives should review the ability of financial systems to perform information gathering and reporting functions in a real-time manner, and in some cases may need to enhance, supplement, or upgrade them to accommodate these requirements.

Other parts of the Act direct companies to file public disclosures electronically, and to post statements "on a publicly accessible Internet site not later than the end of the business day following that filing." The SEC's "Final Rule: Acceleration of Periodic Report Filing Dates and Disclosure Concerning Website Access to Reports" encourages companies to post disclosures on their Web sites "as soon as reasonably practicable after, and in any event on the same day as, such material is electronically filed with or furnished to the Commission." The government expects companies to use the Internet as a means to inform the public. IT executives should evaluate internal Web site posting procedures, and ensure they allow for such rapid posting of disclosures and reports.

Record retention is certainly central to the Act. The SEC's "Proposed Rule: Retention of Records
Relevant to Audits and Reviews" is directed by Section 802 of the Act. The rule states that the SEC will announce rules and regulations concerning "the retention of records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review." (See the RFG Research Note "The Importance of Electronic Record Retention.")

Under the new law, the retention time is generally five years; however, retention periods vary according to document type and the party responsible for storage. Furthermore, the government wants companies and their auditors to retain more records than previously required. IT executives need to formulate and formalize an enterprise-wide strategy to best manage such data now and into the future, so as to reduce the enterprise's legal exposure and ensure future data integrity.

Some technologies that are neither implied nor controlled by the Act can nevertheless be useful in meeting its requirements. For example, Lightweight Directory Access Protocol (LDAP) servers can support some of the user access control and auditing facilities required to provide application and document controls. IT executives should review technology projects planned and in progress to determine whether the Act supports their implementations, and where it does, use it as further justification.

In summary, IT has to provide some information and support to meet the requirements of the Sarbanes-Oxley Act, and prepare for eventual and regular audits. IT should document procedures and the physical and logical infrastructure, and keep records of its controls. Where necessary, IT should enact new procedures. However, IT should only implement those procedures deemed essential and realistic to follow; auditors are likely to view procedures that are not followed in a negative fashion. Where some functions related to financial reporting are handled by outsourcing, IT executives should review contracts to be sure the arrangements guarantee data integrity.

RFG believes IT needs to understand and respond to Sarbanes-Oxley in step with the rest of the enterprise. Sarbanes-Oxley directs improved accountability, controls, and reporting across the corporation; therefore, IT must provide automated systems that support these extended requirements. However, the legislation is new, and interpretations and rules are still evolving. IT executives should work with legal departments to determine specific compliance actions, but should also consider the Act an opportunity to justify needed data integrity, integration, and security improvements.

RFG analyst Ron Exler wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Mr. Exler.
Copyright © 2002 Robert Frances Group, Inc. All rights reserved. Agenda products are published by Robert Frances Group, Inc., 22 Crescent Road, Westport, CT 06880.