As if IT managers don’t already have enough to do, there are current activities in the marketplace that affect IT from a compliance and legal perspective. IT leaders, depending on their industry and regulatory environment, should be aware of XBRL, IFRS, PCI, SOX, Nevada, FRCP, and the Model Audit Rule.
If the Securities and Exchange Commission’s (SEC) proposal goes through, public companies must begin submitting financial statements to the SEC in an electronic format called eXtensible Business Reporting Language (XBRL) in early 2009. The largest 500 U.S. public companies will need to send their information in XBRL format to the SEC for filings after their fiscal years ending on or after December 15th of this year. This is only a few short months away for the largest companies, and all others would have to comply in the following two years. The taxonomy for IFRS has been published, and if you don’t know what that means, then you need to ramp up your team’s XBRL skills.
Structurally, XBRL is like EDI or other business-to-business systems. You can outsource this, buy software, or “rent” software on a monthly basis so there are several options available. The most complicated part of XBRL is footnotes to the financial statements. I recommend reserving as much time for this portion as the rest of the project combined. Training classes are available for XBRL.
This is the “big one” to globalize accounting standards. While the timing proposed by the SEC for U.S. public companies of 2014 to 2016 is a big question mark, most practitioners believe it is simply a matter of time before U.S. companies will need to convert to International Financial Reporting Standards (IFRS). If the largest public companies indeed need to comply by 2014, they will need to have their accounting systems tweaked to IFRS three years earlier to accommodate the financial statements required to be filed with the SEC. The IT implications will vary from company to company, including factoring in decisions on ERP conversions and upgrades.
The Payment Card Industry is mandating certain security procedures related to credit card transaction processing. There are four tiers with increasing requirements, depending on the number of transactions processed by your organization. Immediate evaluation is needed to determine which tier your company falls into so you can understand the requirements and set up IT procedures. Implementing the PCI standard is becoming more urgent as enforcement is starting and as identity theft events are causing people to inquire whether the standards were being followed. Also, your compliance will be audited annually if your transaction count is above a threshold.
The Sarbanes-Oxley Act continues to drive IT action. The smaller public companies, otherwise known as “non-accelerated” filers, should be scrambling to complete their assessments of controls over financial reporting per Section 404(a) of SOX. The vast majority of SOX’s 66 sections currently apply to all U.S. public companies. Section 404(b), pertaining to the external audit requirement for financial reporting controls, is the last remaining section waiting out an SEC-approved delay. This delay only applies to non-accelerated filers and has no impact on the current requirement for smaller U.S. public companies to assess their financial reporting controls. Obviously, this has a large impact on IT controls, since financial reporting data flows through a company’s software, hardware, networks, databases and servers.
On October 1, 2008, the Nevada Legislature passed NRS 597, which includes a requirement for encrypting transmissions (such as e-mail) when they include personal information (a short section at NRS 597.970). If you are a Nevada-based company, you must immediately gather information and pursue compliance. Of course, “encryption” and “personal information” are defined in other legislation, so also see sections NRS 205.4742 and NRS 603A.040, respectively.
The Federal Rules of Civil Procedure (FRCP) continue to drive action on e-mail retention and retrieval. If you have not yet addressed e-mail retention, you should now. Admittedly, administering retention periods and purging e-mail is more complicated than doing so for traditional structured database systems. However, the need still exists, and solutions are finally available.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC. WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.