Hackett Group survey reveals that nearly half of companies ignore IT in Sarbanes-Oxley compliance efforts
Atlanta, GA — December 18, 2003 — Despite the need for IT to play a major role in helping companies achieve Sarbanes-Oxley Act compliance, nearly half of all surveyed companies still do not have IT representation on critical steering committees, according to recent research conducted by The Hackett Group, a business advisory firm. Two research reports from Hackett's Business Advisory Services recommend actions IT organizations can take to support Sarbanes-Oxley compliance efforts.
The research reports, "IT Involvement is Critical to the Success of Sarbanes-Oxley Compliance," and "Sarbanes-Oxley Compliance: It's Not Just for Finance" detail the major steps IT organizations can take to support Sarbanes-Oxley compliance efforts. Key findings and recommendations include:
IT Participation is a Critical Element to Successful Sarbanes-Oxley Compliance — "It's almost impossible for a company's Sarbanes-Oxley compliance efforts to be fully successful unless IT plays a major role," said Hackett Senior Business Advisor Dr. David Oppenheim. "Sarbanes-Oxley mandates that companies do more than just attest to the accuracy of their financial results. They must also prove that controls are in place, so that if the financials weren't accurate, the CEO and chief financial officer would know. Given IT's responsibility for the acquisition, management and operation of the information systems which form the basis of virtually all operations and financial management, it must take responsibility for making this happen."
Many Companies Continue to Ignore IT — A survey of 22 companies by The Hackett Group found that nearly half do not have IT represented on their Section 404 Project Steering Committee, which is leading the Sarbanes-Oxley compliance efforts. Other key areas, including human resources, legal, operations and internal auditing, are also not being brought to the table by most companies, the survey found.
Efforts Must Begin With a Business Perspective — It is critical for the IT team to begin its Sarbanes-Oxley efforts by working with the functional areas and business units to understand, from a business perspective, what the risks are and what controls are in place to mitigate them. The business perspective is important because it helps to set priorities for subsequent efforts, and because it differs from the traditional IT emphasis on broad solutions to issues such as network security and access control. This assumes that the scope of business processes affected by Sarbanes-Oxley has already been determined as part of enterprise-wide compliance planning.
Take a Comprehensive Look at Internal Controls — IT should take as broad an approach as possible when considering whether internal controls need to be improved. In particular, they should be sure to extend their efforts to examine policies and procedures that govern how systems are modified and enhanced, and how systems are administered on a day-to-day basis. IT should also ensure that any outsourcers meet Sarbanes-Oxley compliance requirements. In establishing controls, companies should consider using Control Objectives for Information Related Technologies (COBIT), a framework now published by the IT Governance Institute. COBIT is designed to be consistent with the broader COSO framework for internal controls as well as the ISO 17799 standard. While 100 percent of the companies surveyed by Hackett had already adopted the COSO governance framework, only slightly more than half had adopted COBIT and only 5 percent had formally adopted ISO 17799.
Consider All Systems — Chief information officers should see to it that usage rules and audit trails are established for every system from which financial information is drawn for reporting. In particular, they should take into account the fact that according to Hackett's research, the average $1 billion company maintains 2.7 enterprise resource planning (ERP) systems and 48 financial systems. Nearly half (47 percent) of average companies still use stand-alone spreadsheets in some aspect of their financial reporting process. Interfaces between these systems, which often require human intervention, are often the points at which errors and fraud are likeliest to occur.