The Sarbanes-Oxley Act is so much more than just corporate governance for accounting and finance professionals. At most companies, financial reporting systems are heavily reliant on IT and may include highly complex hybrid and legacy systems. How can CEOs and CFOs stand behind the accuracy of financial data without solid assurances from the CIO regarding the reliability of such information systems?

Business units aren't likely to understand which system changes are required and may put off contacting the IT department until late 2004. This would likely mean that your company could not fully comply with Sarbanes-Oxley because IT will need weeks – or even months – to identify the systems that need attention.

Cutter Consortium Fellow Peter O'Farrell says, "It is the rare CEO or CFO who knows the details of a company's IT architecture and how the systems actually work. Rarer still would be any deep understanding of how the data is processed or even how it was originally obtained. So that places a great burden on the CIO to devise processes to create accurate accounting data, then implement these processes in an era when CIOs have been continually directed to reduce IT costs, whatever the implications for the integrity of the firm's IT functions."

"IT has an important role to play in ensuring that systems are transparent enough and controls are good enough to prevent business cheating," asserts Cutter Consortium Fellow Robert D. Austin. "This has important implications for IT, one that puts a lot of extra effort on the CIO's plate. But when it comes to IT, I believe there is an even greater concern that has nothing (or much less) to do with financial shenanigans or cover-ups, but rather has to do with how well boards of directors are overseeing the management of IT, an area that has its own significant transparency problems."

Austin continues, "While the emphasis in much of the discussion of corporate governance tends to be on misbehavior, when it comes to IT, the much bigger concern may be competence – specifically senior executive and board member competence to oversee IT activities. A major IT screw-up can be plenty scandalous, without any concerns about cheating. Sarbanes-Oxley's broader, long-term impact on IT may be that it forces general managers and board members to get into the CIO's business in a very deep way. This may not happen right away; it may take a major IT snafu to cause it, but it will happen," says Austin.

But Cutter Consortium Fellow Tom DeMarco offers a different perspective on the effects of the Sarbanes-Oxley Act. He remarks, "When the cost of a new control is small compared with the legal exposure it covers, CIOs will implement the control. But this has always been true. Sarbanes-Oxley doesn't change anything. I predict that Sarbanes-Oxley will still be the law of the land 20 years from now. I further predict that it will have no effect whatsoever (other than causing a bit of panic in the first year or two) and will eventually be universally ignored. It will be like the blue laws still in existence in most states that prohibit a Wal-Mart from being open on Sundays, even though Wal-Mart is open on Sundays in all 50 states."

The Business Technology Trends and Impacts Opinion – “What Does Sarbanes-Oxley Mean for the CIO?” is a collection of the reactions, explanations and recommendations relating to the Sarbanes-Oxley Act and its impact on IT and chief information officers. To request a copy of the Trends Opinion in which these comments were made, contact Ron Pulicari at (781) 641-5114 or
