Rob Buckley – Freelance Journalist and Editor

Act of punishment

Many non-US companies are seeking to sidestep the Sarbanes-Oxley Act rather than risk non-compliance.


For three years, vendors have talked of little other than Sarbanes-Oxley. Of all the compliance legislation being enacted around the world, SOX is the one that is causing most nightmares, if only because of the powerful – and personal – penalties that will be enacted on board members if they fail to comply.

Fortunately for some, not everyone need worry about SOX. Only a thousand non-US companies around the world are affected by SOX: those with primary or secondary listings in the US. Unless they start to feel pressure from larger partner organisations to comply as well, every other company is spared the legal remedies that can be taken against those that fall within SOX’s purview.

Worryingly for them, however, the deadlines for SOX compliance are also very close now. Any company with a market value of greater than $75 million whose financial year ended on November 15th 2004 has already passed the first deadline. They now have until January 29th 2005 to file SOX financial statements. Those with later year-ends have 75 days after year-end to submit, while those with smaller market caps have until July 15th. The penalties for failure to comply include personal fines for board members of up to $5 million and jail terms up to 20 years.

Even with the serious penalties SOX brings, many companies are still not sure if they’re going to make it. “It’s likely to be a sprint to the finish,” Donald Nicolaisen, the chief accountant for the SEC, suggests. A PwC survey of 700 companies revealed that only 20% were on schedule to meet their deadline, that 10% had experienced problems, and that time will be tight if they are to hit their target.

“Companies have identified many more deficiencies than they originally anticipated and they’ve found some real control gaps,” Dennis Nally, PwC’s chairman and senior partner says.

Those that have been lagging behind or have not been taking SOX seriously need to look closely at the experiences of others and see if they have perhaps underestimated their liability. Depending upon the size of the company, the obligations SOX imposes are either slight or overwhelming. At the extreme, UK entertainment company Rank Group announced in December that it would consider delisting from the US because its SOX obligations would be “onerous” while potentially as many as half of the 13 Dax 30 companies with US listings want to withdraw.

Much of this onerous burden comes from IT costs. While many parts of SOX have nothing to do with IT, some sections do apply and these have serious implications. As well as requiring CEOs and CFOs to certify the accuracy of their financial reporting, SOX also calls for CEOs, CFOs and outside auditors to attest to the effectiveness of internal controls for financial reporting and to report significant changes in their financial conditions “on a rapid and current basis”. Depending on how strictly these rules are interpreted, CEOs, CFOs and by extension CIOs could have to produce real-time reports of their entire IT infrastructure for the entire financial year, right down to the smallest detail.

“You do have to be very granular,” argues Philip Yarnall, who leads compliance consulting at PinkRoccade. “The practical elements of compliance with SOX come down to people signing off on elements of the business. Do you know the impact of IT and IT risk on the business unit? Do you know, if a particular comms link goes down, how high an impact that can have on the business? A single cable might be a single point of failure.” To a bank, the loss of a comms line for an hour could mean millions in lost revenue. And since it affects the financial condition of the company, it needs to be reported on for SOX.

Yarnall advocates a combination of systems monitoring and dependency-mapping by the IT department. The dependency-mapping comes first, so that the IT department knows what to monitor. This should fall within a control framework designed to show an auditor that the IT department has everything under control. Yarnall suggests COBIT (Control Objectives for Information and Related Technology), a control framework developed by the IT Governance Institute (ITGI) and based on a mixture of international standards documents. “Auditors have been using COBIT for many years, and there are 17 areas of COBIT that relate directly to SOX.” Show compliance with COBIT and the chances are that the auditor will be convinced that the IT department knows what’s going on with its systems.
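The dependency-mapping step Yarnall describes, as an added illustration that is not code from the article or from PinkRoccade: a small map of which business units rely on which systems and links (with one redundant pair), from which the script derives each unit’s single points of failure and ranks them by the hourly loss they expose, giving the IT department a monitoring worklist. The business units, components and loss figures are constructed sample values.

```python
# Constructed dependency map (illustration, not data from the article).
# Each node lists its requirements; each requirement is a set of
# alternatives, any one of which is enough to keep the node running.
DEPENDENCIES = {
    "trading-desk":   [{"order-system"}],
    "retail-banking": [{"core-ledger"}],
    "order-system":   [{"core-ledger"}, {"comms-link-A"}],
    "core-ledger":    [{"db-cluster"}],
    "db-cluster":     [{"comms-link-A", "comms-link-B"}],  # redundant links
    "comms-link-A":   [],
    "comms-link-B":   [],
}

# Constructed hourly revenue loss if a business unit stops (sample figures).
HOURLY_LOSS = {"trading-desk": 2_000_000, "retail-banking": 500_000}


def is_up(node, failed, deps=DEPENDENCIES):
    """A node is up if it has not failed and every requirement
    still has at least one live alternative."""
    if node in failed:
        return False
    return all(any(is_up(alt, failed, deps) for alt in req) for req in deps[node])


def single_points_of_failure(unit, already_failed=frozenset(), deps=DEPENDENCIES):
    """Components whose individual loss, on top of already_failed,
    would take the business unit down."""
    if not is_up(unit, already_failed, deps):
        return set()  # unit is already down; nothing further to report
    return {c for c in deps
            if c != unit and c not in already_failed
            and not is_up(unit, set(already_failed) | {c}, deps)}


def monitoring_priority(already_failed=frozenset(), deps=DEPENDENCIES, loss=HOURLY_LOSS):
    """Hourly loss exposed by each single point of failure, summed over
    business units and sorted highest first: the monitoring worklist."""
    exposure = {}
    for unit, per_hour in loss.items():
        for c in single_points_of_failure(unit, already_failed, deps):
            exposure[c] = exposure.get(c, 0) + per_hour
    return sorted(exposure.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(monitoring_priority())                   # normal operation
    print(monitoring_priority({"comms-link-B"}))   # after losing redundancy
```

Running it with one comms link already down shows why monitoring has to report the loss of redundancy itself: comms-link-A, which was not a single point of failure for retail banking, becomes one the moment comms-link-B fails.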

Yarnall’s advocacy of COBIT is supported by the SEC’s own rulings. It has published advice to clarify the intent of SOX, including rulings that limit the requirement for internal controls to financial reporting systems only. It has also ruled that controls must follow a recognised framework. COBIT and ISO 17799, the international standard for information security management systems, are two such frameworks, although the SEC favours the US Commission of Sponsoring Organizations (COSO) set by the National Commission on Fraudulent Financial Reporting, since that encompasses other systems as well as IT. COBIT is an attempt in part to interpret COSO from an IT perspective, so many corporations are using it as a guide for their IT SOX compliance efforts.

