There is none - life after Sarbanes-Oxley compliance, I mean. Why? Because there is no "after" when it comes to being in compliance with the 2002 Sarbanes-Oxley Act. Sarbanes-Oxley (SOX) compels public corporations to file annual reports with the SEC that detail the process by which corporate management has established and maintained internal governance structures and processes for financial reporting. It also requires companies to report on the effectiveness of those efforts. In short, SOX compliance requires an ongoing effort on the part of all public (and a growing number of private) companies to put their financial reporting houses in order and to keep them that way.
If your company is like many others, you found some significant problems with your IT infrastructure during the process of complying with SOX regulations. The problems range from unnecessary complexity in data structures, processes and systems to insufficient alignment between IT and businesspeople, to ineffective use of technology to make corporate governance more efficient and successful.
Moreover, many companies have found that in complying with SOX regulations, the information quality and corporate governance initiatives they've put in place have created a disconnect between financial and other management and operational information. Indeed, the SOX compliance effort has exposed a plethora of IT and data quality problems many companies didn't even know they had.
To reach compliance with SOX regulations in the required time frame, many companies implemented temporary fixes to their IT and governance problems; however, sustained SOX compliance will take more than these provisional repairs. Sustainment will require a concerted effort to root out and fix IT infrastructure, governance and communications problems. It will also require a shift in the way you view the entire SOX compliance process.
You must develop the point of view that compliance is not a "once-and-done" effort. Sustainment requires enormous effort on the part of the people charged with SOX compliance, as well as coordination of the business processes and IT resources used initially to achieve compliance. Specifically, you must create a culture of compliance sustainment. This will require moving from a "project" to a "program" mentality.
Your goal in the initial compliance effort was to successfully complete an enterprise-wide project that brought financial processes and information systems into compliance with SOX regulations. The goal of a sustainment program, however, is more comprehensive. A successful sustainment program should create and implement a corporate governance system that ensures a measurable, effective and efficient system of internal controls and procedures, as well as a clearly defined assessment, monitoring and reporting process for evaluating the efficacy of the controls and procedures.
The key to reaching that goal will be to build a sustainment framework that integrates internal controls assessment, monitoring and reporting with financial and disclosure monitoring and reporting. You start by investing in the best business intelligence (BI) technologies on the market and then building an information architecture that leverages those technologies to integrate their management, monitoring and reporting capabilities and to provide quality information for reporting and analysis.
In the course of implementing the sustainment framework, you must also make some organizational changes. First, focus on reducing complexity and inconsistency in your business process model. Complexity and inconsistency add costs to the sustainment effort. Complex and/or inconsistent processes result in fragmented and inconsistent information, errors in execution of the processes and nonstandardized workflows, which add up to wasted time and money.
Second, focus on the human side of the sustainment effort. Use the opportunity provided by the creation of the sustainment framework to define and implement clear roles, responsibilities and accountability pathways for all the people involved in the sustainment effort. Then give these people two things: education and training on the new corporation information culture and the authority to make decisions as needed (and as their roles dictate) to adapt to changes.
In this column, I've only scratched the surface of Sarbanes-Oxley's implications for business and IT. The impact will be extensive, and it will resonate throughout the company. It has already exposed significant data problems and information quality gaps for many companies. In upcoming columns, I will delve more deeply into what it takes - from both architectural and organizational perspectives - to create a culture of sustainment that reaches far beyond mere compliance to seize the opportunity that SOX has offered to create a strong, flexible, adaptable ethos of corporate governance and information quality throughout the enterprise. Bottom line: there are tremendous business and technology improvements that can be realized from these initiatives. Stay tuned!
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access