Gartner: Savor the Sarbanes Extension

The extension of the Sarbanes-Oxley Act (SOA) deadline is good news for overburdened IT managers in the Fortune 500, but they should use the borrowed time wisely, according to analyst firm Gartner Inc.

The SOA, passed in response to the scandals at Enron, WorldCom, et al., requires company managers to attest that they have established and maintain internal control over their companys financial reporting. Because so much of what goes into a company’s financial reporting is tied to technology these days -- you have to query databases, inventory management systems, etc. -- then the IT manager has to figure out how to get specific information from a variety of sources in the IT infrastructure.

Section 404 of the SOA also requires IT managers to report material changes to the financial reporting process. So, for example, any major software system update in a company’s IT infrastructure could require more compliance paperwork from the IT department.

Given all that background, it’s not surprising that the SOA deadline extension is particularly welcome relief for major corporations.

Here’s how the deadlines have changed: Companies on an accelerated filing schedule -- meaning companies with a $75 million-plus market cap that have filed at least one annual report with the Securities and Exchange Commission (SEC) -- must now comply with the Act for their first fiscal year ending on or after November 15, 2004. The original deadline for accelerated filers had been June 15, 2004.Companies on the non-accelerated filing track also received a boon from the SEC last month. They must begin to comply with the requirements for their first fiscal year ending on or after July 15, 2005, a three-month extension on the original deadline of April 15 next year.

Even with the extra time to comply with SOA, there is still much work to do, Gartner’s analysts say.

Lane Leskela, research director at Gartner says, “The biggest challenge is the management of the underlying unstructured IT systems. A lot of the SOA-affected information could be in systems like email, for example."

During the borrowed time with the deadline extension, Leskela suggests, IT managers should perform a gap analysis -- a study of where the IT systems are now, compared to where they need to be after they’re SOA compliant.

He also suggests they improve their records management systems and risk-management infrastructures, although this may not necessarily involve buying new kit. "Before going out to buy additional risk management software, companies should check whether they already have the applications in place that can do the job, such as operational risk and records management software."Gartner also believes that most Fortune 500 firms haven’t yet figured out how to deal with the SOA. Leskela says, "For those companies that were already close to getting things done, this gives them the chance to risk-check their work or do additional testing...

"Those firms that haven't started on this yet should hurry up: Now there is a possibility to do the necessary checking, as long as there is an efficient way of doing it."

— James Rogers, Site Editor, Next-gen Data Center Forum