The burden of compliance will fall to those who already know the system, according to a new Cutter report
Arlington, MA, January 7, 2004. The Sarbanes-Oxley Act is much more than just corporate governance for accounting and finance professionals. At most companies, financial reporting systems are heavily reliant on IT and may include highly complex hybrid and legacy systems. How can CEOs and chief financial officers (CFOs) stand behind the accuracy of financial data without solid assurances from the chief information officer (CIO) regarding the reliability of such information systems?
According to IT consultancy Cutter Consortium, business units aren't likely to understand which system changes are required and may put off contacting the IT department until late 2004. This would likely mean that your company could not fully comply with Sarbanes-Oxley because IT will need weeks or even months to identify the systems that need attention.
Cutter Consortium Fellow Peter O'Farrell said, "It is the rare CEO or CFO who knows the details of a company's IT architecture and how the systems actually work; rarer still would be any deep understanding of how the data is processed or even how it was originally obtained."
Therefore, the burden falls to the CIO to devise processes to create accurate accounting data, then implement these processes in an era when CIOs have been continually directed to reduce IT costs, whatever the implications for the integrity of the firm's IT functions.
"IT has an important role to play in ensuring that systems are transparent enough and controls are good enough to prevent business cheating," asserted Cutter Consortium Fellow Robert Austin. "This has important implications for IT, one that puts a lot of extra effort on the CIO's plate. But when it comes to IT, I believe there is an even greater concern that has nothing (or much less) to do with financial shenanigans or cover-ups, but rather has to do with how well boards of directors are overseeing the management of IT, an area that has its own significant transparency problems."
Austin continued, saying that while the emphasis in much of the discussion of corporate governance tends to be on misbehavior, when it comes to IT, the much bigger concern may be competence, specifically senior executive and board member competence to oversee IT activities.
"A major IT screw-up can be plenty scandalous, without any concerns about cheating. Sarbanes-Oxley's broader, long-term impact on IT may be that it forces general managers and board members to get into the CIO's business in a very deep way. This may not happen right away; it may take a major IT snafu to cause it, but it will happen," said Austin.
But Cutter Consortium Fellow Tom DeMarco offered a different perspective on the effects of the Sarbanes-Oxley Act. He remarked that when the cost of a new control is small compared with the legal exposure it covers, CIOs would implement the control. He also predicted that Sarbanes-Oxley would still be the law of the land 20 years from now, although it will be universally ignored. He cited the example of the blue laws that are still in existence in most states that prohibit a Wal-Mart from being open on Sundays, even though Wal-Mart is open on Sundays in all 50 states.
The Business Technology Trends and Impacts Opinion "What Does Sarbanes-Oxley Mean for the CIO?" is a collection of the reactions, explanations, and recommendations relating to the Sarbanes-Oxley Act and its impact on IT and CIOs, according to Cutter.