Not long ago, a customer approached Ray Nissan, CEO of Cybermation, a company that provides enterprise software products for use in corporate data center operations. The customer said that his company's Big 4 accounting firm had recommended that the company implement a software change management solution. Although developers and application administrators know that software change management is an important tool, in the past it hasn't been high on many accountants' list of essential IT investments. So why was an accounting company worried about a subject as technical as software change management?

The answer is simple—because of the Public Company Accounting Reform and Investor Protection Act, officially known, after its principal sponsors in the U.S. Congress, as the Sarbanes-Oxley Act of 2002. Congress passed the act in the wake of corporate scandal at Enron and Tyco International, whose senior executives either willfully misled the public about their companies' financial operations or claimed that they didn't know what their subordinates were doing—and whose company auditors dutifully certified financial statements jammed with false information.

With outrage about these and other recent scandals still high and further corporate malfeasance still coming to light, Sarbanes-Oxley represents the most sweeping corporate governance and accounting reforms in more than half a century in the United States. The act's goal is simple: to deter corporate and accounting fraud and protect the interests of shareholders and workers by ensuring the accuracy of data in corporate financial reports and public filings. However, compliance with the act is far from simple.

Complying with Sarbanes-Oxley provides an opportunity to improve IT processes. As a byproduct of the act's reforms, the IT infrastructures of the companies subject to Sarbanes-Oxley regulations—which, generally speaking, means publicly traded companies that have valuations of more than $75 million—must be re-examined to ensure that companies can comply with the new rules. Although IT has been subject to regulation in many vertical sectors—most notably the financial, pharmaceutical, and health care sectors—Sarbanes-Oxley subjects the IT infrastructures of all reasonably sized public companies in the United States to regulatory scrutiny. "Business processes are encapsulated in your software," said Cybermation's Nissan. "You are going to have to be able to audit the changes in your systems and recreate your system for auditors."

IT Challenges
Sarbanes-Oxley is a multifaceted bill with many provisions. Since the act's passage in June 2002, Section 302 has probably received the most fanfare. Effective September 2002, this section compels CEOs and chief financial officers (CFOs) to personally attest that all financial disclosures fairly represent in all material respects the financial condition and results of company operations—or face criminal liability. And the potential penalties are stiff: Corporate executives who willfully violate the act can be fined up to $5 million and sent to prison for as long as 20 years.

But if Section 302 got the attention of senior management and sent public companies' financial offices scrambling to determine what they had to do to comply with Sarbanes-Oxley, three other sections of the act promise to have a long-term impact on IT.

  • Section 404 establishes management's responsibility for providing an adequate internal control structure and procedures for financial reporting. Most companies have until November 15, 2004, to comply with Section 404. (Companies that are on a calendar fiscal year must comply by December 31, 2004.)
  • Effective August 23, 2004, Section 409 requires companies to rapidly disclose material changes to their financial conditions and operations.
  • Section 802, which went into effect October 31, 2003, mandates complete, secure, and timely access to documents.

Finally, Sarbanes-Oxley also stipulates that corporate assets, including software assets, must be fairly valued.

Section 404 To-Dos
On the front burner in most publicly held companies today is the question of how to comply with the requirements of Section 404. Companies must soon have in place internal controls and business processes that ensure transactions are recorded as necessary for the accurate preparation of financial statements. For example, a company must be able to verify that sales are booked only once and are assigned to the correct customer. Companies must also make sure that unauthorized transactions that could materially affect the company's financial condition are either prevented or are detected in a timely fashion. Moreover, an outside auditor must review and report on management's assessment of the company's internal controls, and the auditor's statement must be published in the company's annual report.

Although seemingly straightforward, Section 404 has profound implications for IT. "IT has to start thinking about operational transparency," said Delbert Krause, director of enterprise planning product marketing at business-software company Cognos.

IT professionals have to address Section 404 from four directions. First, they must ensure that processes are in place to capture and correlate all relevant transactions. This task is often easier said that done in large, multinational corporations and in companies that actively engage in merger and acquisition activities. "You have to document everything you are doing in the accounting area, and companies with loose accounting practices are struggling with Section 404," said Barbara Swartz, director of financial management programs at Teradata.

To address the need for a central "source of truth," Swartz believes that Section 404 will stimulate new uses for data warehouses as the central repository for all corporate information flowing in from the company's disparate divisions. Heretofore, data warehouses have been used as the foundation for corporate decision-making applications. But they also can provide a unified view of a company's transactional activities. "A warehouse offers a single view of all the financial activity," Swartz said. "You can have everything come together."

Companies are moving in that direction. In a recent survey of 386 top-level executives at U.S. public companies conducted through its Web site, Teradata found that 66 percent are using data warehousing to meet the requirements of Sarbanes-Oxley.

The second aspect of Section 404 requires companies to be able to prevent and detect unauthorized transactions. This requirement has led companies to look at auditing solutions. "The whole idea is to ensure data integrity by providing an audit trail," said Richard Lee, product marketing manager at DataMirror, which offers auditing software. Auditing products can monitor and document the changes to databases; track all database inserts, changes, and deletions; and generate alerts and warnings for changes that don't conform to established business rules.

Third, from an IT perspective, implementing internal controls means having the ability to lock down the entire technology stack for financial applications. Controls must be in place to ensure that software is properly implemented, maintained, and protected from unauthorized changes. Application change-management software that can track patches, fixes, and customization is an essential element. In the past, companies could get away with sloppily documenting changes. With Sarbanes-Oxley, what once was merely sloppy could now be criminal.

An Ongoing Process
But perhaps the most far-reaching aspect of Section 404 is the need to report—not just once, but annually—on the internal controls that have been put in place and the requirement that external auditors assess those reports. Companies might be able to document their internal controls in time to meet the November 15 (or December 31) deadline, but that isn't enough. They must also put in place a sustainable infrastructure that will let them document their internal controls on an ongoing basis as their processes and procedures naturally evolve over time.

In essence, said Cognos's Krause, Section 404 has mandated a new enterprise reporting application. Companies need to be able to measure their internal control processes and demonstrate their effectiveness in a way that can be reviewed by outside auditors. That task isn't trivial.

In fact, according to a published interview with Tom Church, a senior partner in the Assurance and Enterprise Risk Services practice at Deloitte & Touche and leader of the firm's Sarbanes-Oxley activities, many companies haven't yet begun to address the sustainability issue. Rather, they're still focused on documenting current processes and identifying weaknesses in their controls, such as the manual processes and nonstandard technologies that haven't been integrated into their infrastructures. "Even Excel has come under scrutiny," said Krause, referring to the fact that many companies store financial data in Microsoft Excel spreadsheets, which are neither secure nor tamper-proof.

Most companies have been grappling with Section 404 requirements for quite a while. And compliance projects are proving to be more difficult and costly than anticipated. In a survey that PricewaterhouseCoopers (PwC) conducted of 120 Sarbanes-Oxley project leaders, 73 percent of survey respondents reported that compliance required more effort than originally anticipated. Although only 5 percent thought that they wouldn't meet the deadlines, 64 percent indicated that they would meet the deadline only with difficulty. The biggest challenges were the level of testing and the level of documentation the regulations demand. Additionally, 90 percent of the respondents said that they've purchased new technology to meet Sarbanes-Oxley requirements, and 47 percent believe that new technology is essential to remain in compliance.

Section 409 Challenges
Several other sections of Sarbanes-Oxley also require the attention of IT professionals. In addition to mandating the timely disclosure of events that have a material impact on a company's financial condition, Section 409 lengthens the list of events that must be reported. If a company loses a major customer, for example, it might have to report that fact within 4 days.

Section 409 regulations, which went into effect in August, clearly will affect the need to ensure the integrity of corporate data repositories. Transactions can't be recorded twice or inadvertently omitted. Moreover, some experts believe that Section 409 will put pressure on companies to implement real-time, event-driven systems that can trigger immediate alerts about material events. Business-process−management software might also play a role in complying with Section 409 over the long haul.

Finally, Section 409 might have implications for the way disaster-recovery infrastructures are established. "If an event like 9/11 occurs," said Teradata's Swartz, "when would a company have to issue a statement about its impact?" Although that's an open question, companies must be prepared to address it.

Meeting Storage Requirements
Records retention is the final aspect of Sarbanes-Oxley that requires direct involvement of IT pros. Section 802 mandates that certain records be saved for a period of 5 years and that those records be retrievable in a timely fashion. Another provision of section 802 makes altering, destroying, or impairing the integrity of a record used in an official proceeding a crime punishable by as long as 20 years behind bars.

With 93 percent of all business documents created electronically and only 30 percent ever printed on paper, Section 802 will, over the long haul, require a massive increase in data storage capacity. In fact, some observers believe that in many situations paper records won't be sufficient to meet Section 802 requirements because they can't be retrieved quickly enough.

It's difficult to estimate just how much additional storage Sarbanes-Oxley regulations will require. According to some estimates, storage growth rates might triple from the current 30 percent a year. But more storage capacity is only part of the equation—data also has to be properly classified and archived. "Information Lifecycle Management is a big part of that," said Gary Zasman, director of Information Lifecycle Management (ILM) solutions at StorageTek. ILM practices call for storing data on different media depending on retention policies for that data. Ultimately, records that fall under Sarbanes-Oxley regulations can be archived on compliant media, either tape or disk.

In general, the concept of ILM has become more popular as storage infrastructures have become increasingly tiered. But Sarbanes-Oxley might stimulate the use of new applications as well. For example, The Yankee Group predicts that email archiving services will grow significantly to meet regulatory requirements. The market research group estimates that organizations with 5000 employees will need at least 1.1TB of storage per year for email—and email messages must be stored for 3 years. Companies will have to invest in storage, security, and new technologies to ensure that they can comply with the rules.

Taking a Leadership Role
Not surprisingly, given the criminal penalties CEOs and CFOs face if the financial statements of their companies are erroneous, Sarbanes-Oxley compliance has been a top-down initiative in many organizations. Many CEOs and CFOs have simply given their IT departments general mandates. "The CFO tells the IT manager, 'This is what I need. You figure it out,'" said DataMirror's Lee.

"The CFO may not know the difference between disk and tape," added Zasman. "They just want a cost-effective solution."

But as the issues involved become more complex, many IT groups are taking a more proactive role in devising Sarbanes-Oxley solutions. After the first Section 404 deadlines pass, companies will have a year to correct any deficiencies that have been identified in their internal controls. At that point, IT professionals will have to propose effective solutions to address the shortcomings. The sidebar "Sarbanes-Oxley Checklist" summarizes seven steps IT pros can take to initiate and maintain compliance.

More important, though, Sarbanes-Oxley requirements present an opportunity for IT departments to create infrastructures that reflect the best practices in their industry. "By making your financials more transparent for investors and business owners inside the company, you can more effectively run your business," said Swartz.

"The better you do this," said Zasman, "The better governed your company and the more value it will have."