For the last nine months, many CEOs and CFOs have been scrambling to understand and quickly comply with the rules and regulations of the Sarbanes-Oxley Act (SOA), the accounting reform and investor protection legislation passed by Congress last summer. The first round of compliance required significant policy and procedure checkpoints to ensure the independence of board members and audit committees, along with CEO/CFO certification of financial results – in essence holding top executives personally responsible for misrepresentation of company performance.

With the Securities and Exchange Commission (SEC) – SOA's enforcer – continually issuing new rules, CEOs and CFOs are now putting their arms around information technology (IT), enlisting it to assess the impact of compliance on the firm's systems infrastructure. Depending on how it shakes out, the effect could be enormous.

As IT gets more involved with these time-critical regulations, you need to understand the following five points about SOA compliance and what it will mean to your company:

  • SOA governs publicly traded firms – SOA rules apply only to publicly traded firms that list their stock on any U.S.-based financial exchange. Even if your company is not a U.S.-based firm, as long as its stock is traded in the United States, it's on the hook to comply. Private firms are not governed by these rules. Before you breathe a sigh of relief, many experts expect private companies will abide by the spirit, intent and letter of the law.
  • Audit of internal controls and processes is mandated – The next major hurdle, expected for FY03 year-end filings, will be the auditability of the internal control structure and processes involved in financial reporting. It's no longer just the numbers you report, but how you got to those numbers. Your external auditors will be required to issue an opinion of how well these processes are followed. Many companies are manually implementing these process controls today. In the longer term, most existing applications lack thorough enforcement of business process, and may be the place where a new application or IT-supported business process is required to pass muster with auditors and let the CEO and CFO sleep better at night.
  • It will reach beyond financial processes – Financial reporting is just the beginning. It assumes the business transactions recorded in enterprise resource planning (ERP), supply chain, customer relationship management (CRM) and other operational systems are not subject to unintentional lapses in process control. A broad-based review of business practices – especially in decentralized firms – could reach back into the bowels of business operations, eventually requiring wholesale systemic change to some operational business processes and the systems that support them. Outside experts are helping companies uncover Grand Canyon-sized gaps, which will take IT support to fill up.
  • Get ready for real-time disclosure – The most ambiguous and potentially onerous regulation has to do with timely and accurate disclosure of material events to the business. Because this is widely viewed as a call for real-time reporting, IT will need to keep a watchful eye on developments, as the firm's data infrastructure could be in for serious revamping when companies are required to disclose events that affect the business within 48 hours – the current interpretation of this regulation. Although there isn't a stipulated timeframe for this one, leading companies are already beginning to implement an Enterprise Performance Management (EPM) framework to support strategy-driven real-time analytics and decision making.
  • SOA is a process, not an event – A quick look at the SEC's Web site shows a barrage of rules issued in response to SOA, refining the requirements of the Act. The SEC will continually issue pronouncements on what will be required and when rules will take effect. Because of this, organizations must remain fluid to respond to SOA. Regulatory requirements mandated by other government agencies – the Food & Drug Administration (FDA) or the Environmental Protection Agency (EPA) – have had significant effect on firms and may offer a view into where SOA may end up.

For certain, the SOA compliance picture is still blurry, but becoming clearer with each SEC ruling. You can't hide; IT involvement starts now.
