28 Jan Technology Implications of Sarbanes-Oxley
Corporate America is currently facing major government-mandated change as a result of the Sarbanes-Oxley Act (Sarbox). While the act requires near real-time reporting and obliges companies to continually evaluate their financial controls and regulatory compliance, it is not explicit about technology requirements or information technology (IT) solutions. In fact, Sarbox does not mandate any technology; however, it is difficult to envision compliance without IT implications. Most companies will need to create an IT infrastructure for rapidly assessing and reporting critical events that materially impact a company's operations and financial reporting.
Sarbox compliance may cause companies to examine and potentially redesign all of their financial business processes and supporting technology solutions. Convergence, simplification and centralization of information will be keys to compliance. Companies that lack records management (RM) processes risk legal troubles when disputes arise. An RM process evaluates documents for their fiscal, legal, operational and historical value and minimizes risk by periodically destroying unneeded items.
Many companies do not have good internal controls, especially when it comes to e-mail, content management and processes. The ramifications, especially in light of Sarbox and related rules, are now magnified. Gartner, Inc. estimates that by 2005, 90 percent of information that is not explicitly stored and managed by RM systems will be potentially recoverable using business continuity or forensic analysis tools, even if efforts are made to delete it. Compound this with the proliferation of e-mail at work and you have the potential for huge risk exposures. Improper destruction is a significant risk that can trigger a material weakness and criminal penalties. Companies should seek legal counsel in building retention guidelines and check with their internal auditors regarding materiality thresholds.
Three of the 66 sections of Sarbox have implications for content, document and process technologies. Section 302 explicitly puts the accountability burden on chief executives, with hefty fines and criminal ramifications for material financial misstatements. Section 404 requires companies to document financial reporting controls in great detail and create a system to monitor and test their effectiveness. If management misses, or fails to correct, a material weakness, the company's external auditor is obligated to report it, which then becomes a matter of public record and a potential public relations nightmare for the company.
While section 302 received the most attention when Sarbox was enacted in July 2002, it is section 404 that is now receiving the most attention as compliance deadlines begin this June. However, it is section 409 that could draw the most attention to technology, since it requires near real-time reporting of material events. This section has received little attention to date because the SEC has not yet decided upon final rules or implementation dates.
Many companies have gaps in their internal financial controls and related technology processes. While Sarbox will not be the last piece of regulation corporate America faces, it is likely to remain significant, especially for those companies that report to the SEC.
Here are some best practices to consider when looking at technology options relative to Sarbox:
Assess paper and electronic RM policy along with technology options relative to government mandates as well as competitive best practices.
Look at initiatives to merge content management (for example, a trusted repository, security, eSignatures and e-mail archiving) with process issues such as monitoring, documentation and auditable workflows. Enhancing content management capabilities can open up efficiency opportunities as well as strengthen controls and collaboration efforts. XBRL (eXtensible Business Reporting Language) is likely to become the standard for facilitating content integration.
Enforce a standard approach to documentation and workflow to ensure accuracy of information and continuity across the organization.
Establish a central repository for data. Data must be easily accessible and fully searchable by executives and auditors.
User cooperation is vital for any RM program. All employees must be made aware of the importance of record keeping and the consequences of not complying with an RM program.
Categorize e-mail based on content and apply retention rules per corporate counsel advice.
Be skeptical of standalone or Sarbox-specific solutions. Non-integrated systems can be costly from a training standpoint and may not provide the flexibility of enterprise-wide solutions.
Ron Kral is the founding partner of Candela Solutions, a specialized public accounting firm focusing on governance, internal auditing and technology. For more information regarding the trickle-down to private businesses and non-profit organizations, refer to “Sarbanes-Oxley for the Rest of Us” by Matt Storms and Ronald Kral.