November 2004

Countdown to Compliance

Looming Sarbanes-Oxley deadlines challenge IT pros in public companies

Not long ago, a customer approached Ray Nissan, CEO of Cybermation, a company that provides enterprise software products for use in corporate data center operations. The customer said that his company's Big 4 accounting firm had recommended that the company implement a software change management solution. Although developers and application administrators know that software change management is an important tool, in the past it hasn't been high on many accountants' list of essential IT investments. So why was an accounting company worried about a subject as technical as software change management?

The answer is simple—because of the Public Company Accounting Reform and Investor Protection Act, officially known, after its principal sponsors in the U.S. Congress, as the Sarbanes-Oxley Act of 2002. Congress passed the act in the wake of corporate scandal at Enron and Tyco International, whose senior executives either willfully misled the public about their companies' financial operations or claimed that they didn't know what their subordinates were doing—and whose company auditors dutifully certified financial statements jammed with false information.

With outrage about these and other recent scandals still high and further corporate malfeasance still coming to light, Sarbanes-Oxley represents the most sweeping corporate governance and accounting reforms in more than half a century in the United States. The act's goal is simple: to deter corporate and accounting fraud and protect the interests of shareholders and workers by ensuring the accuracy of data in corporate financial reports and public filings. However, compliance with the act is far from simple.

Complying with Sarbanes-Oxley provides an opportunity to improve IT processes. As a byproduct of the act's reforms, the IT infrastructures of the companies subject to Sarbanes-Oxley regulations—which, generally speaking, means publicly traded companies that have valuations of more than $75 million—must be re-examined to ensure that companies can comply with the new rules. Although IT has been subject to regulation in many vertical sectors—most notably the financial, pharmaceutical, and health care sectors—Sarbanes-Oxley subjects the IT infrastructures of all reasonably sized public companies in the United States to regulatory scrutiny. "Business processes are encapsulated in your software," said Cybermation's Nissan. "You are going to have to be able to audit the changes in your systems and recreate your system for auditors."

IT Challenges
Sarbanes-Oxley is a multifaceted bill with many provisions. Since the act's passage in June 2002, Section 302 has probably received the most fanfare. Effective September 2002, this section compels CEOs and chief financial officers (CFOs) to personally attest that all financial disclosures fairly represent in all material respects the financial condition and results of company operations—or face criminal liability. And the potential penalties are stiff: Corporate executives who willfully violate the act can be fined up to $5 million and sent to prison for as long as 20 years.

But if Section 302 got the attention of senior management and sent public companies' financial offices scrambling to determine what they had to do to comply with Sarbanes-Oxley, three other sections of the act promise to have a long-term impact on IT.

  • Section 404 establishes management's responsibility for providing an adequate internal control structure and procedures for financial reporting. Most companies have until November 15, 2004, to comply with Section 404. (Companies that are on a calendar fiscal year must comply by December 31, 2004.)
  • Effective August 23, 2004, Section 409 requires companies to rapidly disclose material changes to their financial conditions and operations.
  • Section 802, which went into effect October 31, 2003, mandates complete, secure, and timely access to documents.

Finally, Sarbanes-Oxley also stipulates that corporate assets, including software assets, must be fairly valued.

Section 404 To-Dos
On the front burner in most publicly held companies today is the question of how to comply with the requirements of Section 404. Companies must soon have in place internal controls and business processes that ensure transactions are recorded as necessary for the accurate preparation of financial statements. For example, a company must be able to verify that sales are booked only once and are assigned to the correct customer. Companies must also make sure that unauthorized transactions that could materially affect the company's financial condition are either prevented or are detected in a timely fashion. Moreover, an outside auditor must review and report on management's assessment of the company's internal controls, and the auditor's statement must be published in the company's annual report.

Although seemingly straightforward, Section 404 has profound implications for IT. "IT has to start thinking about operational transparency," said Delbert Krause, director of enterprise planning product marketing at business-software company Cognos.

IT professionals have to address Section 404 from four directions. First, they must ensure that processes are in place to capture and correlate all relevant transactions. This task is often easier said than done in large, multinational corporations and in companies that actively engage in merger and acquisition activities. "You have to document everything you are doing in the accounting area, and companies with loose accounting practices are struggling with Section 404," said Barbara Swartz, director of financial management programs at Teradata.

To address the need for a central "source of truth," Swartz believes that Section 404 will stimulate new uses for data warehouses as the central repository for all corporate information flowing in from the company's disparate divisions. Heretofore, data warehouses have been used as the foundation for corporate decision-making applications. But they also can provide a unified view of a company's transactional activities. "A warehouse offers a single view of all the financial activity," Swartz said. "You can have everything come together."

Companies are moving in that direction. In a recent survey of 386 top-level executives at U.S. public companies conducted through its Web site, Teradata found that 66 percent are using data warehousing to meet the requirements of Sarbanes-Oxley.

The second aspect of Section 404 requires companies to be able to prevent and detect unauthorized transactions. This requirement has led companies to look at auditing solutions. "The whole idea is to ensure data integrity by providing an audit trail," said Richard Lee, product marketing manager at DataMirror, which offers auditing software. Auditing products can monitor and document the changes to databases; track all database inserts, changes, and deletions; and generate alerts and warnings for changes that don't conform to established business rules.

Third, from an IT perspective, implementing internal controls means having the ability to lock down the entire technology stack for financial applications. Controls must be in place to ensure that software is properly implemented, maintained, and protected from unauthorized changes. Application change-management software that can track patches, fixes, and customization is an essential element. In the past, companies could get away with sloppily documenting changes. With Sarbanes-Oxley, what once was merely sloppy could now be criminal.



Learning Path
For an overview of the corporate fraud Sarbanes-Oxley is intended to prevent: "2004 Report to the Nation on Occupational Fraud and Abuse" from the Association of Certified Fraud Examiners Web site


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2009 Penton Media, Inc., All rights reserved.