Act of punishment
- Article 2 of 2
- Technology for Compliance, January 2005
Many non-US companies are seeking to sidestep the Sarbanes-Oxley Act rather than risk non-compliance.
With financial reporting systems the main focus of SOX, a cost-focused and practical approach to examining areas of SOX liability is to work from the final financial report backwards, to see which systems and processes affect it. Peter Fawcett, director of Atos Consulting and the company’s SOX expert, puts this at the centre of its advice. “We tend to start with the balance sheet and profit and loss and work backwards through the various processes that feed into the balance sheet. Then we work backwards into applications that support the processes. Then we look at the infrastructure that supports the applications: anything that could cause a misstatement on the balance sheet, be it a spreadsheet, an Internet process, or an Access database somewhere in the end-user system. It’s not just the accounting systems.”
While many vendors are now selling their products as either the route to a SOX nirvana or a piece of the solution to the compliance problem, Fawcett advocates looking at all of these systems purely in terms of this process. “If it turns out to be a storage problem or an email problem that can lead to a misstatement of accounts, then those point solutions come in. It’s premature to say, if I’ve got a write-once, read-many storage system, I’m going to be okay.”
So while instant message archiving and monitoring, email archiving, records management systems, single sign-on security systems, business process management and other applications and systems might seem necessary at first, they only need to be fully controlled if the systems they interact with could affect the financial reporting system or the balance sheet. While some sections of SOX do impose penalties on companies that destroy records relating to problems with their balance sheets, these penalties only apply if the records were destroyed maliciously and deliberately. Companies with a policy of deleting all emails after six months, for instance, would not be found liable under SOX in this instance, unless it could be shown that the company policy was motivated by a desire to destroy incriminating evidence. And although there is a provision stating that companies must reveal flaws in their internal processes, there is no penalty for having these flaws other than public disclosure.
Nevertheless, working back through all the company’s processes to find these flaws could potentially be a large amount of work. But ITGI does point out that once the checking has been done, many companies will find they have little work to do afterwards: “There is no need to reinvent the wheel; virtually all public companies have some semblance of IT control. While they may be informal and lacking sufficient documentation, IT controls generally exist in areas such as security and availability. Many companies will be able to tailor existing IT control processes to comply with the provisions of Sarbanes-Oxley. Frequently, it is the consistency and quality of control documentation and evidential matter that is lacking, but the general process is often in place, only requiring some modification.” So only companies whose IT systems were generally out of control in the first place should worry about the cost of compliance: complying with SOX is liable to bring bonuses to some companies as a result of the savings they can make from proper IT management.
Ultimately, Sarbanes-Oxley compliance is about making sure the company’s auditor feels that the CEO, CFO and CIO understand their company and their systems well enough that they can be sure that everything in their financial statement is true. If the auditor is comfortable, he or she will sign off the company’s financial statements. Depending on the auditor and the existing state of the IT systems, that could take considerable investment – or very little. But misjudge it and the company’s board could be in serious trouble.
