04 Jan The role of IT in Sarbanes-Oxley Section 404
If you have been following the news recently, you have probably heard about the collapse of Refco, the commodities trading firm that filed for bankruptcy after being accused of hiding a $430 million bad debt from its shareholders.
Refco’s CEO has been arrested, and while his innocence or guilt remains to be determined, Refco provides us with an excellent opportunity to understand the serious interdependencies between IT and Sarbanes-Oxley compliance.
Some background: Refco went public in August 2005 and was warmly received by the market despite the fact that its auditors had noted deficiencies in its internal controls and financial staff. Under the Sarbanes-Oxley Act, these deficiencies would need to be rectified as Refco complied with the disclosure rules set by the SEC. However, before that cycle could even commence, an internal auditor discovered the notorious alleged $430 million bad debt. What the auditor actually found was the receipt of an interest payment from a client that appeared to be too high for the loan balance that the client was actually carrying. An experienced auditor observing the Refco disaster in the press stated that finding such a discrepancy in a company the size of Refco was not like “finding a needle in a haystack.” It was like “finding a needle in a stack of needles.”
Indeed, “finding a needle in a stack of needles” captures the challenge of designing and enforcing sound internal controls at a public company. In order to comply with Sarbanes-Oxley Section 404, the management of a public company must attest to the existence of internal controls. Ideally, those controls need to be good enough to assure accurate financial statements. If the internal controls are not good enough, the company can suffer a variety of fates, including costly SOX remediation, loss of investor confidence, SEC punishments, shareholder lawsuits, and more. The stakes are quite high, as Refco’s dramatic collapse shows.
How, then, can a public company institute internal controls that can find needles amongst needles? Invariably, internal controls are derived in large part from the IT systems that support the business transactions subject to those controls. Controls are not only about IT, but there is IT in virtually every significant internal control. This makes for good news and bad news from a SOX perspective. Distinguishing good needles from bad needles requires sophisticated, real-time correlation of data between multiple systems. This is a major IT challenge.
Well-designed, well-implemented, and well-maintained IT solutions can deliver critical components of effective internal controls. Poorly designed and maintained IT can hamper internal controls. As many public companies have found in the last two years, IT is the wellspring of many genuine compliance headaches. To add confusion to the mix, the IT industry has added its quota of noise and overblown solutions to the SOX process. Some SOX software solutions are excellent. Some are not so good. Others are incomplete. Any software package that claims to be “SOX Compliant,” as if there were some kind of Underwriters’ Laboratory certification for SOX, is making an over-hyped claim. There is no such thing. What should be done about this?
Finding the IT solution to Sarbanes-Oxley is a subjective, complex matter, but one in which any serious public company must involve itself. While every company’s compliance situation is different, several underlying factors will be constant: to achieve compliance, IT, accounting, and line-of-business managers will need to work together more closely than they ever have before. They will have to work through a number of challenging, integrated business process, control, audit, and IT issues to be successful. It is not easy, but it is worth doing. Once tackled, the integrated IT and business issues required for SOX compliance should lead to improved operations and better control over financial reporting.
The opinions expressed herein or statements made in the above column are solely those of the author and do not necessarily reflect the views of The Wisconsin Technology Network, LLC (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.