Act of punishment
- Technology for Compliance, January 2005
Many non-US companies are seeking to sidestep the Sarbanes-Oxley Act rather than risk non-compliance.
For three years, vendors have talked of little other than Sarbanes-Oxley. Of all the compliance legislation being enacted around the world, SOX is the one that is causing most nightmares, if only because of the powerful – and personal – penalties that will be enacted on board members if they fail to comply.
Fortunately for some, not everyone need worry about SOX. Unless others start to feel pressure from larger partner organisations to comply as well, only a thousand non-US companies around the world are affected by SOX. These are the companies that have primary or secondary listings in the US. Every other company is spared the legal remedies that can be taken against those that fall within SOX’s purview.
Worryingly for them, however, the deadlines for SOX compliance are also very close now. Any company with a market value of greater than $75 million whose financial year ended on November 15th 2004 has already passed the first deadline. They now have until January 29th 2005 to file SOX financial statements. Those with later year-ends have 75 days after year-end to submit, while those with smaller market caps have until July 15th. The penalties for failure to comply include personal fines for board members of up to $5 million and jail terms up to 20 years.
Even with the serious penalties SOX brings, many companies are still not sure if they’re going to make it. “It’s likely to be a sprint to the finish,” Donald Nicolaisen, the chief accountant for the SEC, suggests, while a survey by PwC of 700 companies revealed that only 20% of companies were on schedule to meet their deadline and 10% had experienced problems; time will be tight if they are to hit their target.
“Companies have identified many more deficiencies than they originally anticipated and they’ve found some real control gaps,” Dennis Nally, PwC’s chairman and senior partner says.
Those that have been lagging behind or have not been taking SOX seriously need to look closely at the experiences of others and see if they have perhaps underestimated their liability. Depending upon the size of the company, the obligations SOX imposes are either slight or overwhelming. At the extreme, UK entertainment company Rank Group announced in December that it would consider delisting from the US because its SOX obligations would be “onerous” while potentially as many as half of the 13 Dax 30 companies with US listings want to withdraw.
Many of these onerous obligations stem from IT costs. While many parts of SOX have nothing to do with IT, there are some sections that do apply and these have serious implications. As well as requiring CEOs and CFOs to certify the accuracy of their financial reporting, SOX also calls for CEOs, CFOs and outside auditors to attest to the effectiveness of internal controls for financial reporting and to report significant changes in their financial conditions “on a rapid and current basis”. Depending on how strictly these rules are interpreted, CEOs, CFOs and by extension CIOs could have to produce real-time reports of their entire IT infrastructure for the entire financial year, right down to the smallest detail.
“You do have to be very granular,” argues Philip Yarnall, who leads compliance consulting issues at PinkRoccade. “The practical elements of compliance with SOX come down to people signing off on elements of the business. Do you know the impact of IT and IT risk on the business unit? Do you know, if a particular comms link goes down, how high an impact that can have on the business? A single cable might be a single point of failure.” To a bank, a loss of a comms line for an hour could mean millions in lost revenue. And since it affects the financial conditions of the company, it needs to be reported on for SOX.
Yarnall advocates a combination of systems monitoring and dependency-mapping by the IT department. The dependency-mapping comes first, so that the IT department knows what to monitor. This should fall within a control framework designed to show an auditor that the IT department has everything under control. Yarnall suggests COBIT (Control Objectives for Information and Related Technology), a control framework developed by the IT Governance Institute (ITGI) and based on a mixture of international standards documents. “Auditors have been using COBIT for many years, and there are 17 areas of COBIT that relate directly to SOX.” Show compliance with COBIT and the chances are that the auditor will be convinced that the IT department knows what’s going on with its systems.
Yarnall’s advocacy of COBIT is supported by the SEC’s own rulings. It has published advice to clarify the intent of SOX, including rulings that limit the requirement for internal controls to financial reporting systems only. It has also ruled that controls must follow a recognised framework. COBIT and ISO 17799, the international standard for information security management systems, are two such frameworks, although the SEC favours the US Commission of Sponsoring Organizations (COSO) set by the National Commission on Fraudulent Financial Reporting, since that encompasses other systems as well as IT. COBIT is an attempt in part to interpret COSO from an IT perspective, so many corporations are using it as a guide for their IT SOX compliance efforts.
With financial reporting systems the main focus of SOX, a cost-focused and practical approach to examining areas of SOX liability is to work from the final financial report backwards, to see which systems and processes affect it. Peter Fawcett, director of Atos Consulting and the company’s SOX expert, puts this at the centre of its advice. “We tend to start with the balance sheet and profit and loss and work backwards through the various processes that feed into the balance sheet. Then we work backwards into applications that support the processes. Then we look at the infrastructure that supports the applications: anything that could cause a misstatement on the balance sheet, be it a spreadsheet, an Internet process, or an Access database somewhere in the end-user system. It’s not just the accounting systems.”
While many vendors are now selling their products as either the route to a SOX nirvana or a piece of the solution to the compliancy problem, Fawcett advocates looking at all of these systems purely in terms of this process. “If it turns out to be a storage problem or an email problem that can lead to a misstatement of accounts, then those point solutions come in. It’s premature to say, if I’ve got a write-once, read-many storage system, I’m going to be okay.”
So while instant message archiving and monitoring, email archiving, records management systems, single sign-on security systems, business process management and other applications and systems might seem necessary at first, it’s only if the systems they interact with could affect the financial reporting system or the balance sheet that they need to be fully controlled. While some sections of SOX do impose penalties on companies that destroy records relating to problems with their balance sheets, these penalties only apply if the records were destroyed maliciously and deliberately. Companies with a policy of deleting all emails after six months, for instance, would not be found liable under SOX in this instance, unless it could be shown the company policy was motivated by a desire to destroy incriminating evidence. And although there is a provision stating that companies must reveal flaws in their internal processes, there is no penalty for having these flaws other than public disclosure.
Nevertheless, working back through all the company’s processes to find these flaws could potentially be a large amount of work. But ITGI does point out that when the checking has been done, many companies will find they have little work to do afterwards: “There is no need to reinvent the wheel; virtually all public companies have some semblance of IT control. While they may be informal and lacking sufficient documentation, IT controls generally exist in areas such as security and availability. Many companies will be able to tailor existing IT control processes to comply with the provisions of Sarbanes-Oxley. Frequently, it is the consistency and quality of control documentation and evidential matter that is lacking, but the general process is often in place, only requiring some modification.” So only companies whose IT systems were generally out of control in the first place should worry about the cost of compliancy: complying with SOX is liable to bring bonuses to some companies as a result of the savings they can make from proper IT management.
Ultimately, Sarbanes-Oxley compliance is about making sure the company’s auditor feels that the CEO, CFO and CIO understand their company and their systems well enough that they can be sure that everything in their financial statement is true. If the auditor is comfortable, he or she will sign off the company’s financial statements. Depending on the auditor and the existing state of the IT systems, that could take considerable investment – or very little. But misjudge it and the company’s board could be in serious trouble.
