There’s no question that meeting the requirements of the Sarbanes-Oxley Act (SOX) and good IT management go hand-in-hand, but companies should be aware that there are greater benefits to be had from this link than simply meeting mandated compliance requirements. SOX should usher in new and more effective ways of managing businesses. Leaders can take advantage of this.

By Sally Chan, CMA and Stan Lepeak
Most companies subject to the Act’s requirements have been busy with the implementation of first-year certification and the compliance requirements of Section 302 (Corporate Responsibility for Disclosure Controls) and Section 404 (Management Assessment of Internal Controls). While the Act primarily affects public companies with a market capitalization greater than $75 million listed on U.S. exchanges, many smaller and private companies are also pursuing SOX compliance. These companies are also re-examining their strategies and game plans following the March 2004 approval of the new standard on the audit of internal controls by the Public Company Accounting Oversight Board (PCAOB). These pronouncements clarified how to audit internal controls over financial reporting and the relationship of those audits to financial statement audits. However, there are other critical sections of SOX, including 409 (Real Time Issuer Disclosures) and 802 (Criminal Penalties for Altering Documents), that deserve equal attention. This article should redress the balance.

Our survey of the current Sarbanes-Oxley literature reveals that very few publications focus on the Act as an integral part of a practical corporate governance framework, or acknowledge the contribution of IT over and above the pervasive IT controls operating at the infrastructure and business application levels. Yet IT and the IT group have important roles in key corporate governance paradigms. An intelligent adaptive reuse of existing IT solutions towards compliance with Sections 409 and 802 can only help an organization.

Corporate frameworks with IT

The META Group, a research and consulting firm, describes the corporate governance paradigm as four critically linked legs:
To build a sound governance framework, organizations must address each of the four legs of the corporate governance stool holistically. While this approach has been a particular challenge in less regulated industries, greater coordination is also required for highly regulated organizations. Banks, for example, have addressed risk management for reserve requirements, investment portfolios, derivative holdings, etc., but only in some instances have they extended their current credit risk assessment to consider exposure to Internet security breaches and associated vulnerabilities that may lead to SOX control deficiencies. The imperative, therefore, is to address individual corporate governance issues as part of the whole governance package. Organizations must address these efforts from the executive level down, driving and coordinating them via an enterprise chief compliance officer or similar designation, leveraging the critical supporting role that IT can play.

Section 409: Real time issuer disclosures

SOX Section 409 mandates the rapid reporting of events that could affect a company’s financial performance. This requirement impacts the IT group head-on. Organizations must know whether key financial systems are capable of providing data in real time, or if the organization will need to add such capabilities or use specialty software to access the data. Expanding the scope of this challenge, organizations must also account for changes that occur externally — changes by customers or business partners that could materially impact the organization’s own financial position (e.g., key customer/supplier bankruptcy and default). To prepare a smooth transition, IT control professionals should take a cue from the practitioners of real time customer relationship management and the event-driven capabilities in the e-business and capital markets trading environment.
But for starters, it’s worth assessing the technology capabilities of your organization in the following categories:

Quality of financial modelling capabilities: Good financial modelling capabilities help organizations anticipate and possibly avoid awkward reporting situations and help them adapt to rapidly changing situations.

Availability of internal and external portals: Portals help route and identify reporting issues and requirements to investors and other relevant parties. These capabilities address the need for rapid disclosure.

Breadth and adequacy of financial triggers and alerts: Here, an organization sets the trip wires that will kick off a Section 409 disclosure event.

Adequacy of document repositories: Repositories play a critical role both from the standpoint of event monitoring to assess disclosure needs and as a mechanism to audit disclosure adequacy.

Adequacy of captured document audit trails: This is a critical element in establishing adequate disclosure processes and records of that disclosure.

Capacity to be an early adopter of eXtensible Business Reporting Language (XBRL): XBRL will be a key tool to integrate and interface transactional systems, reporting and analytical tools, portals and repositories.

Looking ahead, we expect that business performance management (BPM) tools and applications will play a key role in enabling Section 409 compliance. These products are primarily stand-alone today, but over time and driven by market demand, representative capabilities will become embedded in financial and enterprise resource planning (ERP) systems.

Section 802: Criminal penalties for altering docs

Compliance with this section requires complete, secure and timely access to documents. The immutability of audit records and the audit or review work papers must be assured. We will limit our discussion to managing electronic documents.
The manual controls of records retention, though not discussed here, must be considered in relation to the risks and IT controls of overall records management to ensure that the retention program is comprehensive and effective. This is an area where organizations need to involve not only the IT group, but also qualified legal counsel, as records retention requirements are very exacting. Under Section 802, organizations will be expected to respond to questions on the management of SOX content. IT-related issues include policy and standards on records retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management (RM) program; comprehensiveness of RM practices (e.g. paper, electronic, and transactional communications), adequacy of retention life cycle, immutability of RM practices, audit trails and the accessibility and control of RM content.
Section 802 clearly spells out that audit records must be retained for five years. As external auditors rely on the work of internal audit to an extent, it sends a strong message that internal audit records must also comply with Section 802. Interestingly, this collateral requirement completely negates the past unsound practice of retaining audit records only from one audit to the next. Audit cycles are risk-based — the higher the risk, the more frequent the audit. This section rightly eliminates the illogical correlation: the lower the risk, the longer the retention period.

A corollary to document retention is the security of storage media and how well electronic documents are protected for both current and future use. The five-year requirement means that current technology must be able to support what was stored five years ago. Given the rapid obsolescence of technology, some of today’s media might be outdated in the next three to five years. Audit data retained today may be unretrievable not because of data degradation but because of obsolete equipment and storage media. We should view this as a critical records management imperative.

Organizations need to integrate cross-functional IT management and sections 409 and 802 into their overall SOX compliance efforts. To reiterate, there should be a single point of contact akin to a chief compliance officer leading and driving these efforts. Key to 409 and 802 efforts is defining a time line with milestones and a set of key deliverables and capabilities to implement. While minimal compliance levels might succeed, we encourage organizations to address these sections enthusiastically and not just seek a passing grade. Beyond meeting minimal SOX requirements, adopting practices based on 409 and 802 requirements brings organizations residual benefits. These include improved financial process visibility and transparency that can aid service improvements.
The benefits of enabling “event-driven” capabilities in financial reporting are potentially significant if organizations can take advantage of them. Organizations shouldn’t underestimate the threat and repercussions of not complying with sections 409 or 802, or 404 for that matter, and risk their reputation.

Implementation challenges

There are many challenges organizations face when pursuing Section 409 and 802 compliance. Not the least is that until users and their peers have completed an audit cycle, it won’t be clear exactly how external audit firms will interpret SOX and PCAOB enforcement requirements. No standard checklist for what constitutes compliance does or will ever exist. Required documentation levels, depth of testing requirements, etc. are still open questions. While lessons can be learned from existing internal and external audit best practices, these are only directional indicators. Organizations — management, internal audit and the IT group — in coordination with external auditors (to the extent possible, given limitations on the “coaching” they can provide) and related SOX experts must define and document what constitutes their best faith effort and why, given existing interpretations. We are at a “learn as we go” stage of SOX implementation. Pilots are great, but in the interim, the best we can do is apply proper due diligence at each stage, from scope and plan to documenting controls; from evaluation of control design and operating effectiveness to ongoing monitoring. Clearly this is an opportunity for thought leaders to emerge. Those who meet the SOX challenge will be rewarded handsomely.

Start acting now

The Sarbanes-Oxley Act represents new and unprecedented expectations for affected companies. It will have far-reaching implications on boards of directors, senior executives, legal advisers, internal and external audit, line managers, IT service providers, business unit staff and many other groups.
How organizations respond to these challenges will determine whether it will be yet another unproductive compliance burden that solves little, or the start of serious efforts to restore the trust of all stakeholders.

Sally Chan, CMA, is the IT subject matter expert for the Sarbanes-Oxley initiative within RBC Financial Group’s Financial Controls Office in Toronto. Stan Lepeak is a vice-president at the research, advisory and consulting firm the META Group. He covers regulatory compliance as well as the business and IT services markets. The findings, interpretations and opinions expressed are solely those of the authors.