Despite the clear need for IT to play a major role in helping companies achieve Sarbanes-Oxley Act compliance, nearly half of all surveyed companies still do not have IT representation on critical steering committees, according to recent research conducted by The Hackett Group, an Answerthink company. Two research reports from Hackett's Business Advisory Services recommend actions IT organizations can take to support Sarbanes-Oxley compliance efforts.

The Hackett Group, a business advisory firm, is a world leader in best practices research and process benchmarking, helping clients achieve world-class performance through continuous improvement initiatives. Hackett offers analysis backed by research at nearly 2,200 client organizations, including 97 percent of the Dow Jones Industrials.

The research reports, "IT Involvement is Critical to the Success of Sarbanes-Oxley Compliance" and "Sarbanes-Oxley Compliance: It's Not Just for Finance," detail the major steps IT organizations can take to support Sarbanes-Oxley compliance efforts. Key findings and recommendations include:

IT Participation is a Critical Element to Successful Sarbanes-Oxley Compliance. – "It's almost impossible for a company's Sarbanes-Oxley compliance efforts to be fully successful unless IT plays a major role," said Hackett Senior Business Advisor Dr. David Oppenheim. "Sarbanes-Oxley mandates that companies do more than just attest to the accuracy of their financial results. They must also prove that controls are in place, so that if the financials weren't accurate, the CEO and CFO would know. Given IT's responsibility for the acquisition, management and operation of the information systems which form the basis of virtually all operations and financial management, it must take responsibility for making this happen."

Many Companies Continue to Ignore IT. – A survey of 22 companies by The Hackett Group found that nearly half do not have IT represented on their Section 404 Project Steering Committee, which is leading the Sarbanes-Oxley compliance efforts. Other key areas, including human resources, legal, operations, and internal auditing, are also not being brought to the table by most companies, the survey found.

Efforts Must Begin With a Business Perspective. – It is critical for the IT team to begin its Sarbanes-Oxley efforts by working with the functional areas and business units to understand, from a business perspective, what the risks are and what controls are in place to mitigate them. The business perspective is important because it helps to set priorities for subsequent efforts, and because it differs from the traditional IT emphasis on broad solutions to issues such as network security and access control. This assumes that the scope of business processes affected by Sarbanes-Oxley has already been determined as part of enterprise-wide compliance planning.

Take a Comprehensive Look at Internal Controls. – IT should take as broad an approach as possible when considering whether internal controls need to be improved. In particular, they should be sure to extend their efforts to examine policies and procedures that govern how systems are modified and enhanced, and how systems are administered on a day-to-day basis. IT should also ensure that any outsourcers meet Sarbanes-Oxley compliance requirements. In establishing controls, companies should consider using Control Objectives for Information Related Technologies (COBIT), a framework now published by the IT Governance Institute. COBIT is designed to be consistent with the broader COSO framework for internal controls as well as the ISO 17799 standard. While 100 percent of the companies surveyed by Hackett had already adopted the COSO governance framework, only slightly more than half had adopted COBIT and only five percent had formally adopted ISO 17799.

Consider All Systems. – CIOs should see to it that usage rules and audit trails are established for every system from which financial information is drawn for reporting. In particular, they should take into account the fact that according to Hackett's research, the average $1 billion company maintains 2.7 ERP systems and 48 financial systems. Nearly half (47 percent) of average companies still use standalone spreadsheets in some aspect of their financial reporting process. Interfaces between these systems, which often require human intervention, are often the points at which errors and fraud are likeliest to occur.
