Upstream CIO, June 2006
by Dave Ferdman, CEO, CyrusOne
The Sarbanes-Oxley Act has transformed the business and regulatory environment for most American public companies, particularly those in the oil and gas industry. Its charge was to enhance corporate governance through measures that strengthen internal checks and balances and, ultimately, enhance corporate accountability. It is important to emphasize that Section 404 requires senior management and business process owners not merely to establish and maintain an adequate internal control structure, but also to assess and report on its effectiveness annually. This is a huge endeavor and, in general, Section 404 represents a significant investment.
For those organizations
that have begun the compliance process,
it has quickly become apparent that
IT plays a vital role in internal
control. Systems, data and infrastructure
components are critical to financial
reporting. This means that IT professionals,
especially CIOs, need to be well versed
in internal control theory and practice
to meet Sarbanes-Oxley requirements.
Today’s
CIOs must:
• Enhance their knowledge of
internal control;
• Understand their organization’s
overall Sarbanes-Oxley compliance
plan;
• Develop a compliance plan
to specifically address IT controls;
• Integrate this plan into the
overall Sarbanes-Oxley compliance
plan; and
• Adopt effective and economical
compliance maintenance systems.
The nature and extent of internal controls depend to a great extent on the size and complexity of the company. Regardless of size or complexity, however, there are seven ways to sabotage your company's efforts toward instituting economically and legally workable IT controls:
1. Underestimating the role of IT;
2. Thinking non-public companies are
immune;
3. Reinventing the wheel;
4. Missing the inherent opportunity;
5. Neglecting the smaller systems;
6. Overlooking multi-location issues;
and
7. Waiting.
Let’s go
into each one of these individually.
1. Underestimating the role of IT

Services that every department and business depends on, such as security, telecommunications and storage, are often managed by a central IT function. Not fully understanding how large a stake IT has in compliance, and therefore in the financial future of your company, is a mistake.
IT enables critical financial controls,
such as:
• Information management and
data classification;
• Role-based user management;
• Real-time reporting;
• Transaction thresholds and
tolerance levels; and
• Data processing integrity
and validation.
An IT department is the foundation of an effective system of internal control over financial reporting. Many IT leaders and teams are held accountable for the quality and integrity of the information generated by their systems; however, they are not typically well versed in the intricacies of internal control. They are used to, and good at, managing risk in a strategic sense, but often not in the structured way that management and auditors expect: defined control objectives, documented controls, and evidence that the controls operate.
All groups must work jointly as leaders to assure compliance. Organizations need representation from IT on their Sarbanes-Oxley teams to ensure that both IT general controls and application controls exist.

2. Thinking non-public companies are immune

Stock options aside, CIOs of private companies often consider their non-public corporate structure a blessing when it comes to Sarbanes-Oxley compliance. What they eventually find out, however, is that once they start doing business with larger public companies, Sarbanes-Oxley compliance with respect to IT controls is expected of them as well: public companies need assurance that their non-public vendors have mitigated their risks too. The CIOs of private companies that don't put basic IT controls in place now are likely to pay more to become compliant later.
3. Reinventing the wheel

When it comes to putting IT controls in place, you have probably already done most of the work. The controls may be informal. They may lack documentation. Not everyone may know how to define them or where to find evidence of their effectiveness. But IT controls generally already exist in areas such as security and change management, and many organizations can tailor existing IT control processes to comply with Sarbanes-Oxley. Don't make the mistake of starting from scratch.
Frequently, it
is the consistency and quality of
control documentation that is lacking,
but the general process is often in
place, requiring only a little modification.
Of course, performing an effective
discovery of IT control processes
and their documentation is time-consuming.
The effort is even more daunting given
that the design and assessment of
IT controls, as well as the skills
or management structure to identify
and focus on high-risk areas, is a
specialized portfolio of knowledge.
Not all teams have the expertise in
place.
4. Missing the inherent opportunity

If you perceive all of this investment in understanding IT controls as mere compliance, you're making a big mistake. The work required to meet the Sarbanes-Oxley Act's requirements is also an opportunity to establish strong governance models that ensure accountability and responsiveness to business requirements. There are no risk-free environments; Sarbanes-Oxley compliance is not a silver bullet for assured governance. But the processes that most organizations will follow to enhance their system of internal control to meet Sarbanes-Oxley standards will likely provide lasting benefits. Good IT governance over planning and lifecycle control objectives helps ensure more accurate and timely financial reporting. Think of it as being like the physical training the armed forces demand of new recruits. Sure, it is inconvenient, not much fun and mandatory, but participants emerge stronger and more able to do their jobs. Building strong internal IT controls may not help you build muscle, but it will help you:
• Enhance overall IT governance;
• Propagate the understanding
of IT among executives;
• Make better business decisions
with higher-quality, more timely information;
• Align project initiatives
with business requirements;
• Reduce the risk of losing intellectual assets or suffering a system breach;
• Contribute to compliance with other regulatory requirements (such as privacy);
• Gain competitive advantage
through more efficient and effective
operations;
• Optimize operations with an
integrated approach to security, availability
and processing integrity; and
• Enhance risk management competencies
and prioritization of initiatives.
5. Neglecting the smaller systems

With widespread reliance on IT systems, controls are needed over all systems, both large and small. Resist the urge to get tunnel vision about your mainframe; a chain is only as strong as its weakest link. Controls should cover the entire IT environment, including computer operations, access to programs and data, and program development and changes. These controls apply to all systems, from the mainframe through client-server environments.

Change management is a good illustration. Controls may include required authorization of change requests, review of the changes, approvals, documentation, testing, assessment of the impact of each change on other IT components, and defined implementation procedures. None of this happens in a vacuum: the change management process should be integrated with other critical IT processes, including incident management, problem management, availability management and infrastructure change control.
6. Overlooking multi-location issues

Some Sarbanes-Oxley compliance factors uniquely affect multi-location organizations, and overlooking the details of these impacts is a huge mistake. The magic word when determining multi-location compliance is "significant." Global organizations and non-US-based companies required to comply need to determine which of their locations and business units are significant to the organization as a whole. Sarbanes-Oxley assessment is scoped to significant business units, which can include financial or IT business units. Whether an IT business unit is significant depends on the materiality of the transactions it processes, the potential impact on financial reporting if that unit fails, and other qualitative risk factors. There are both financial materiality and significant risk considerations, and both quantitative and qualitative aspects provide focus. Looking at each unit in a granular fashion is important.
7. Waiting

Because of the devastating cost of noncompliance, it is crucial to adopt a progressive approach toward enacting effective and efficient IT controls. A C-level executive who certifies a report to the SEC knowing that it is incorrect can be fined up to $1,000,000 and imprisoned for up to 10 years. And that is for a knowingly false certification: a willfully false one could bring a $5 million fine and 20 years in jail.
The stakes are high, and an organization often needs time to master IT's role in compliance. Engaging the challenge sooner rather than later will help you build a better organization, both now and in the future, and help everyone get a better night's sleep!