Compliance with the Sarbanes-Oxley Act (SOX) requires more than the CEOs and CFOs of publicly traded companies personally certifying and attesting to the accuracy of their companies' financial results. The same Act also lays out clear expectations for internal controls over financial reporting (Section 404) and for real-time disclosure of material changes in financial condition (Section 409).
To achieve compliance, a collaborative effort is required from the key executives of the management team. The most critical relationship is between the IT and finance departments, since IT must provide the tools that make SOX compliance a reality. While many IT and finance professionals have worked closely on projects in the past, the Sarbanes-Oxley Act gives this convergence a new urgency and intensity.
“In terms of timeframe, we are down to the wire with respect to the direction and decisions that need to be made,” says one manufacturing CFO. To meet the June 15, 2004 SOX Section 404 deadline, CFOs/CIOs need to have their IT plans in place by early fall 2003.
Among firms preparing to ensure their compliance with the Act, four primary approaches have been observed to date:
Approach A - Companies buy new software that has built-in accountability and sign-offs through the upward consolidation of results reporting. In essence, this approach uses the new technology as a catalyst for change. It requires that IT departments integrate the new software with existing systems and create a workable solution.
Approach B - Companies adopt a comprehensive outsourced model through business process re-engineering. The requirement for SOX compliance has given some companies the impetus to start over, and they have concluded that building the processes and tools needed to attain SOX compliance is not among their core competencies; skilled vendors can perform the work more effectively. Payroll outsourcing is often cited as a successful parallel, since it combines a heavy financial workload with heavy legislative accountability, and it has been so successful that there is now broad acceptance that third parties can perform such work well. The whole process is done off-site, with the company assigning liaison responsibility to staff; the IT role becomes that of managing the vendor and sitting on the steering and selection committee.
Approach C - Similar to Approach B, these organizations outsource the workload but retain existing assets, especially recently upgraded software and hardware. Rather than face write-off charges from disposing of those assets, they select third parties to manage their SOX IT infrastructure, either in-house or remotely. The rationale is that third parties provide separation of duties and force tighter controls over assets while allowing for "digital dashboard" results reporting. This approach requires IT leadership to code the application (or manage the coding) to meet the requirements before turning the operational workload over to the provider; it does not transfer accountability, since management still makes the Section 404 attestation and must be able to evidence the controls the provider operates.
Approach D - Firms believe they are in good shape and require only minor fine-tuning of processes and a reaffirmation of existing internal control procedures.
It is interesting to note that two of the four approaches rely on external providers, not the traditional direction one would expect. Sourcing out functions that business organizations formerly performed in-house is increasingly becoming the norm. BearingPoint (formerly KPMG Consulting) estimated that the average Global 500 firm will require 100,000 person-hours to reach SOX compliance. Combined with severe cost-cutting in IT staff and an unrelenting daily workload, this has produced an unprecedented open-mindedness toward new alternatives and new thinking.