The Business of IT
Feature
Feds Reach Out and Touch IT

  July 10, 2003
  By Sean Doherty



Sarbanes-Oxley

Following on the heels of the Enron and WorldCom debacles last year, legislators fired the first salvos to combat corporate fraud and abuse in securities with the passage of the Sarbanes-Oxley Act of 2002. This year, the SEC is finalizing regulations to implement Sarbox. Contrary to what you might read or hear in the news, the sky is not falling on IT. But it may fall on your corporate directors and officers unless you help.

In one sense, Sarbox is a knee-jerk response to corporate abuse. Among other things, it prohibits record tampering with the intent to impair a record's integrity or availability for use in official proceedings. It requires any accountant who conducts an audit of a public company to maintain his or her working papers for a period of seven years after the audit or review is completed. In addition, it mandates directors, officers and principal stockholders to publish beneficial ownership reports of equity securities issued to them by the company. Beyond the reflexive action, Sarbox makes clear that Congress wants some accountability in financial reporting that will involve information systems and IT.

Sarbox aims to protect investors and improve the accuracy of corporate disclosures (read: reporting) by issuers under the Securities and Exchange Act of 1934 (read: public companies). Section 404 requires that management teams of public companies establish and maintain adequate internal controls over their financial reporting systems. In addition, management must assess the effectiveness of these internal controls in their annual reports to the SEC. The company's auditor must also attest to and report on management's assessment of the effectiveness of their internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board.


The PCAOB was established by the SEC (pursuant to Sarbox) to oversee the audit of public companies. The PCAOB's mission is to protect investors and secure the public interest in the preparation and publication of informative and accurate audit reports of public securities. The board registers public accounting firms, establishes rules and standards related to audit reports, and conducts investigations and disciplinary proceedings.



Sarbox in a Nutshell


Defining internal controls over financial reporting will be the key to satisfying the requirements of Sarbox. These internal controls are largely in the realm of IT, where business processes meet software algorithms. Adequate controls will include processes designed or supervised by the company's principal executives and financial officers that provide reasonable assurances that financial reporting and preparation of financial statements are in accordance with generally accepted accounting principles. The controls include the policies and procedures to maintain accurate records that reflect the transactions and dispositions of assets; ensure that transactions are properly recorded and reported; and safeguard assets against unauthorized or improper use.

Sound familiar? Sarbox's controls are not unlike those in GLBA and HIPAA to safeguard data against unauthorized and improper use--except the SEC is squarely focused on corporate accountability in financial reporting. And blind faith in an IT financial reporting system will not be a good defense. The rules formally acknowledge corporate responsibility to create and maintain controls to identify and manage the risks that result in inaccurate data or fraudulent reporting.

The risks associated with accurate reporting are not far removed from the risks identified in industries governed by GLBA and HIPAA. IT security risks are nondiscriminatory and apply equally to banks, financial institutions and medical facilities as well as educational organizations, manufacturing and transportation.

Many IT shops look to a risk-assessment framework from the ISO 17799 standard; 17799 treats IT security as a business issue and covers all the familiar topics, such as system operation and maintenance, backup and restore, document handling and data integrity. Beyond that, many of the same solutions that satisfy GLBA and HIPAA--specifically, policy-management packages, log analyzers and change-control procedures--can apply to Sarbox to assert and monitor controls over financial reporting systems.

Many vendors are updating their products or announcing new ones aimed at helping companies comply with Sarbox. For example, Oracle and PricewaterhouseCoopers developed Internal Controls Manager, which works with Oracle's E-business suite. And Plumtree Software, with HandySoft Corp., released Accelerator, which brings business-process software to Plumtree's portal to create and establish internal controls and reporting procedures while maintaining collaboration tools for corporate officers, directors and their auditors. These and other solutions will bring business processes in line with software logic and put them in plain view for investors' review.

Management also needs to assess the reliability of internal controls and disclose any material weakness in their financial reporting. If one or more weaknesses exist, management will not be able to conclude that the company's internal controls are effective, and this will affect the bottom line. Investors will be leery about supporting a public company without effective controls on its internal financial systems. This may require consultants and service organizations that can supply more than IT security solutions. Public companies can look to full-service consultants such as EDS, Greenwich Technology and PricewaterhouseCoopers for technology as well as financial and legal help. Other providers are vying for a growing market to advise and consult enterprises on IT and government regulations. An example is PeopleSoft's bid to acquire J.D. Edwards.

Sarbox will be remembered as the regulation that fights the good fight against corporate fraud and abuse. But for IT, Sarbox means Uncle Sam is demanding corporate accountability in financial reporting systems. If that does not happen, heads may roll. Anyone who falsely certifies that financial conditions and the results of operations are accurate while knowing that they do not reflect financial reality will be fined up to $1 million or imprisoned up to 10 years--or both.

But there is a rhyme to all the government's reasons for Sarbox. Investors will be more confident when reviewing financial reports and more willing to invest. Unfortunately for the public, the reporting requirements do not go into effect for most companies until April 15, 2005.

Sean Doherty is a technology editor and lawyer based at our Syracuse University Real-World Labs®. A former project manager and IT engineer at Syracuse University, he helped develop centrally supported applications and storage systems. Write to him at sdoherty@nwc.com.
