Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


November 2004

Countdown to Compliance

Looming Sarbanes-Oxley deadlines challenge IT pros in public companies

An Ongoing Process
But perhaps the most far-reaching aspect of Section 404 is the need to report—not just once, but annually—on the internal controls that have been put in place and the requirement that external auditors assess those reports. Companies might be able to document their internal controls in time to meet the November 15 (or December 31) deadline, but that isn't enough. They must also put in place a sustainable infrastructure that will let them document their internal controls on an ongoing basis as their processes and procedures naturally evolve over time.

In essence, said Cognos's Krause, Section 404 has mandated a new enterprise reporting application. Companies need to be able to measure their internal control processes and demonstrate their effectiveness in a way that can be reviewed by outside auditors. That task isn't trivial.

In fact, according to a published interview with Tom Church, a senior partner in the Assurance and Enterprise Risk Services practice at Deloitte & Touche and leader of the firm's Sarbanes-Oxley activities, many companies haven't yet begun to address the sustainability issue. Rather, they're still focused on documenting current processes and identifying weaknesses in their controls, such as the manual processes and nonstandard technologies that haven't been integrated into their infrastructures. "Even Excel has come under scrutiny," said Krause, referring to the fact that many companies store financial data in Microsoft Excel spreadsheets, which are neither secure nor tamper-proof.

Most companies have been grappling with Section 404 requirements for quite a while. And compliance projects are proving to be more difficult and costly than anticipated. In a survey that PricewaterhouseCoopers (PwC) conducted of 120 Sarbanes-Oxley project leaders, 73 percent of survey respondents reported that compliance required more effort than originally anticipated. Although only 5 percent thought that they wouldn't meet the deadlines, 64 percent indicated that they would meet the deadline only with difficulty. The biggest challenges were the level of testing and the level of documentation the regulations demand. Additionally, 90 percent of the respondents said that they've purchased new technology to meet Sarbanes-Oxley requirements, and 47 percent believe that new technology is essential to remain in compliance.

Section 409 Challenges
Several other sections of Sarbanes-Oxley also require the attention of IT professionals. In addition to mandating the timely disclosure of events that have a material impact on a company's financial condition, Section 409 lengthens the list of events that must be reported. If a company loses a major customer, for example, it might have to report that fact within 4 days.

Section 409 regulations, which went into effect in August, clearly will affect the need to ensure the integrity of corporate data repositories. Transactions can't be recorded twice or inadvertently omitted. Moreover, some experts believe that Section 409 will put pressure on companies to implement real-time, event-driven systems that can trigger immediate alerts about material events. Business-process-management software might also play a role in complying with Section 409 over the long haul.

Finally, Section 409 might have implications for the way disaster-recovery infrastructures are established. "If an event like 9/11 occurs," said Teradata's Swartz, "when would a company have to issue a statement about its impact?" Although that's an open question, companies must be prepared to address it.

Meeting Storage Requirements
Records retention is the final aspect of Sarbanes-Oxley that requires direct involvement of IT pros. Section 802 mandates that certain records be saved for a period of 5 years and that those records be retrievable in a timely fashion. Another provision of Section 802 makes altering, destroying, or impairing the integrity of a record used in an official proceeding a crime punishable by as long as 20 years behind bars.

With 93 percent of all business documents created electronically and only 30 percent ever printed on paper, Section 802 will, over the long haul, require a massive increase in data storage capacity. In fact, some observers believe that in many situations paper records won't be sufficient to meet Section 802 requirements because they can't be retrieved quickly enough.

It's difficult to estimate just how much additional storage Sarbanes-Oxley regulations will require. According to some estimates, storage growth rates might triple from the current 30 percent a year. But more storage capacity is only part of the equation—data also has to be properly classified and archived. "Information Lifecycle Management is a big part of that," said Gary Zasman, director of Information Lifecycle Management (ILM) solutions at StorageTek. ILM practices call for storing data on different media depending on retention policies for that data. Ultimately, records that fall under Sarbanes-Oxley regulations can be archived on compliant media, either tape or disk.

In general, the concept of ILM has become more popular as storage infrastructures have become increasingly tiered. But Sarbanes-Oxley might stimulate the use of new applications as well. For example, The Yankee Group predicts that email archiving services will grow significantly to meet regulatory requirements. The market research group estimates that organizations with 5000 employees will need at least 1.1TB of storage per year for email—and email messages must be stored for 3 years. Companies will have to invest in storage, security, and new technologies to ensure that they can comply with the rules.

Taking a Leadership Role
Not surprisingly, given the criminal penalties CEOs and CFOs face if the financial statements of their companies are erroneous, Sarbanes-Oxley compliance has been a top-down initiative in many organizations. Many CEOs and CFOs have simply given their IT departments general mandates. "The CFO tells the IT manager, 'This is what I need. You figure it out,'" said DataMirror's Lee.

"The CFO may not know the difference between disk and tape," added Zasman. "They just want a cost-effective solution."

But as the issues involved become more complex, many IT groups are taking a more proactive role in devising Sarbanes-Oxley solutions. After the first Section 404 deadlines pass, companies will have a year to correct any deficiencies that have been identified in their internal controls. At that point, IT professionals will have to propose effective solutions to address the shortcomings. The sidebar "Sarbanes-Oxley Checklist" summarizes seven steps IT pros can take to initiate and maintain compliance.

More important, though, Sarbanes-Oxley requirements present an opportunity for IT departments to create infrastructures that reflect the best practices in their industry. "By making your financials more transparent for investors and business owners inside the company, you can more effectively run your business," said Swartz.

"The better you do this," said Zasman, "the better governed your company and the more value it will have."



Reader Comments
Educational

jrsutils, November 26, 2004


 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement