02 Nov Sarbanes-Oxley Act: The Next Y2K For IT Budgets?
CHICAGO – Many companies today are concerned about the need to start reviewing the Sarbanes-Oxley Act and its effects on the IT area. Is the act a healthy antidote for devastated market faith? Adjunct Northwestern professor James Carlini explores in this week’s edition of Carlini’s Comments.
The Sarbanes-Oxley Act was enacted in 2002 to make financial companies comply with new rulings and regulatory procedures for reporting trades and other actions on an orderly basis.
It’s basically a financial compliance act that requires stricter record keeping and gives SEC auditors the ability to review transactions, any supporting e-mails and other documentation relating to a trade or financial transaction.
This act was the result of the days of Enron, WorldCom, Andersen and the whole accounting and stock trade debacle that spread like a virus, which killed off investors and their flow of money into the markets. Something radical had to be done to restore the faith of investors in the stock market.
The markets were devastated and some say the integrity of the foundations of capitalism was actually in jeopardy. The Sarbanes-Oxley Act was the antidote.
While many software companies (such as Oracle, SAP and JD Edwards) are already hawking their solutions, an article that I ran across by attorney Michael Fleming of Faegre & Benson stated exactly what I would have warned: “There are no magic bullets out there for solutions.” This is good advice as companies begin to review their options and seek out solutions.
I would also add to the article’s advice that “a one-size-fits-all solution should be avoided as well.” We should already know that there’s no such thing as a “universal solution”.
Just Like Y2K? No Way
In talking with a chief compliance officer at a pension management company, I asked if this is going to be another critical IT initiative like a Y2K project. She said that it’s different from the standpoint that Y2K had a definite “target for completion” date. Sarbanes-Oxley is going to be more of an ongoing commitment to stay on top of latest changes and requirements for information.
It’s not going to be as easy as “install this software package and you’re done” (even though that’s what some software package companies want you to believe). They are looking at this as purely a target market that has a clearly defined audience for their products. “Buy this and you’re compliant” is the sales pitch du jour.
It’s also not going to be “change this procedure and add this one and you’re done.” It’s going to be a continual challenge as trading processes change and mature. There will be continuous new rulings and policies that dictate the need for adding new reporting components and tools.
Soft-dollar issues and the discovery of new undermining schemes will dictate that new policies be amended to the act. Therefore, it is going to be an ongoing commitment of resources and budgets.
Many Already Proclaiming ‘Expert’ Status
Though some people have already professed expertise in this area, I fail to see how they can claim that when the whole issue is so new.
In fact, the people who have been compliance officers at these financial companies have to go back for many courses and seminars to understand the major changes that have occurred. It intrigues me when companies and individuals proclaim “expertise” when the ink is still wet on the paper on which the act was printed.
This is clearly a work in progress. Though no one has “years of expertise” on this, some people are already saying they have all the answers. I remember the mantra from the e-commerce pseudo-experts. Is Sarbanes-Oxley the new cash cow for consulting firms whose Y2K and e-commerce sales pitches have died out?
I distinctly remember many firms going out and changing their marketing brochures to reflect an in-depth expertise in e-commerce. Even though their backgrounds didn’t change overnight, their brochures touting new expertise did.
There are many facets that comprise the IT needs for Sarbanes-Oxley compliance. While an element of compliance is security, it’s actually much greater than that. It’s a new way of doing business.
If you look at your company like a car with a problem, it’s not a quick safety check and an oil filter change. Sarbanes-Oxley is more like a total revamp of the engine, suspension and exhaust system (not to mention tacking on some new equipment to streamline some of the operations).
Read the Act Thoroughly
As there are many articles and opinions coming out on the impact of Sarbanes-Oxley, I warn you that you should invest some time into really reading what it says. Don’t just rely on someone else’s summary or interpretation. If you are in charge of IT, the CFO or anyone else in charge, you must totally understand the full ramifications of this act.
Some people are saying that the CIO or some other person in charge of IT is going to be held responsible or have liability for IT information. There is no specific mention of the CIO or CTO as even a corporate officer in section 302 on “corporate responsibility for financial reporting” or anywhere else.
While the CFO and CEO are mentioned along with lawyers and accountants throughout the document for having liability, there’s no mention of the IT area. Still, the IT area is critical to ensuring that some of these functions get accomplished. So much for IT getting its recognition as a critical part in an organization and its chief executives and advisors.
The government still sees only accountants and lawyers as important.
There are also no specifics mentioned in section 409 on “real-time disclosures” as to what is needed as far as IT compliance or new IT initiatives. Another section that could loosely be tied to the IT area is section 1102 on “tampering with a record or altering or impeding an official proceeding”. There’s no mention of IT people there either.
I guess IT hasn’t really been recognized by those trying to make reforms. It’s not just lawyers and accountants any more who are the business advisors. It’s the technology people as well. There should have been more specifics defined in the Sarbanes-Oxley Act for IT measures and responsibilities.
Carlinism: Invest time in reading documents thoroughly. Don’t rely on somebody else’s summary or interpretation.
James Carlini is an adjunct professor at Northwestern University. He is also president of Carlini & Associates. Carlini can be reached at firstname.lastname@example.org or 773-370-1888. This article has been syndicated on the Wisconsin Technology Network courtesy of ePrairie, a user-driven business and technology news community distributed via the Web, the wireless Web and free daily e-mail newsletters. They can be found at www.eprairie.com.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of The Wisconsin Technology Network, LLC (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.