Sarbanes-Oxley: The Upside for IT

Regulatory compliance isn't all about resource drain. Sarbanes-Oxley may give IT an opportunity to get long-delayed technology projects put into motion.

December 2, 2005

  • States the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

  • Contains an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Though some companies are still doing this without automation, maintaining these controls in a manual fashion is too cumbersome and too apt to result in errors or omissions, says Sanjay Anand, chairman of the SOX Institute, New York.

"It wasn't long before 'Sarbanes-Oxley' changed from a financial reporting issue to an information technology issue," Anand says. "A lot of the things that SOX requires are things that organizations know they should have been doing anyway. A good systems management policy is needed to keep track of the data."

Companies have so many "moving parts" in their financial reporting processes that the only realistic way they can provide the proper reporting is through automation, according to Anand.

While technologies to automate this reporting may have been on a CIO's budget wish list before, it's just been the last couple of years--since SOX became effective--that CIOs are starting to get these projects approved, according to Anand.

Chris Farrow, director, Configuresoft's Center for Policy and Compliance, Colorado Springs, Colo., agrees, calling SOX and other compliance issues main drivers of systems budgets and purchases today.

"The biggest thing about SOX and other compliance rules is that companies are moving back to the idea of compliance technology as helping to improve the business," Farrow says. "Compliance technology had always looked to be a cost center; but now companies are finding it can produce opportunities."

So systems administrators are getting approval for systems that not only meet the needs of SOX and other compliance regulations, but also help the company provide more complete financial reporting. The better the reporting, the better the confidence not only of the SEC and other regulators in the company's business, but also of other companies who do business with the firm and investors in the company, Farrow says.

"Companies are looking at how to run an efficient organization and how to do it right," Farrow says.

"Even if you can justify a 'technology' on the basis of SOX, it still has to be a reasonable purchase," Anand cautions.

Beyond just automating processes, the SOX rules are also aiding systems managers in getting approval for more advanced automation systems, Anand adds. "It used to be policies and procedures would be written and then stored on backup tapes, but that's a very clumsy way of doing it."

With Sarbanes-Oxley, most firms want better accessibility to those policies and procedures on a more immediate basis. So systems managers are starting to deploy WORM (write once read many) and related technologies to make policies and procedures more easily retrievable, according to Anand.

The financial reporting data must also be easily retrievable and traceable. So many systems managers are finally getting approval to replace older legacy systems based on technologies as many as 30 years old.

"Companies are starting to accelerate the replacement rates of these technologies," Anand says. "The biggest reason for this is internal audit control. You have to understand what you have in order to audit it."

The legacy systems run on older technologies that a decreasing number of active systems managers understand, Anand explains.

Another key element of Sarbanes-Oxley is the separation of duties among corporate executives and line personnel responsible for financial reporting and accounting, Anand adds. Therefore, companies are better defining the processes, technologies and procedures that help ensure this separation. Several companies sell technologies that track who accesses what systems and what information within those systems. Inappropriate access or use can be the basis for dismissal or other disciplinary action.

Additionally, the monitoring capabilities of these technologies are being extended out to include those outside of the IT department, says Warren Perry, compliance advisor for Qumas Inc., Florham Park, N.J.

"The change management process is becoming mission critical within companies," adds Kristin Lovejoy, chief technology officer for Consul Risk Management, Herndon, Va. "What breaks 'Sarbanes-Oxley rules' is people. People are realizing it's the IT infrastructure that makes everything else run."

So, according to Lovejoy, if there are failures with systems changes, those failures could be material enough to be reported under the Sarbanes-Oxley rules, though the definition of a material event affecting a company's finances is open to a wide variety of interpretations.
