This month's column is contributed by Rob Smith, co-chair of Industry Solutions - SOX Committee Integration Consortium.

Why IT is Left Out of Sarbanes 404 and 409 Committees

Sarbanes-Oxley (SOX) compliance has become the number one issue facing CXO executives today. Compliance with the terms of the SEC's SOX Act of 2002 has become the number one pain point of most public organizations and boards of directors, both in the U.S.A. and around the world. They are in a desperate race to ensure they have documented and tested a range of financial controls, all to ensure the integrity of the financial numbers they make public at each year end and each quarter. But the extensive and elaborate team of senior executives that meets once a week to discuss the progress of SOX compliance is often missing a critical member: the CTO or CIO. Information systems executives are often left off SOX compliance committees and teams simply because they are viewed as outside the realm of financial reporting.

The Public Company Accounting Oversight Board (PCAOB) was created by the SOX Act of 2002 to oversee the auditors of public companies. They are appointed by the SEC, and their role is to "ensure that public company financial statements are audited in accordance with the highest standards of quality, independence and ethics." They do this by enforcing the rules contained in the Sarbanes-Oxley Act and any new rule added by the SEC. The bulk of the enforcement issues and rules relates to the presentation of financial information by public companies. However, with the creation of Sections 404 and 409, SOX went well beyond the role of financial professionals.

Section 404 states, in brief, that executive managers and boards of directors of public organizations must acknowledge their responsibility for the financial controls within the organization and for the accuracy of the financial information made public. They must then provide an assessment of the effectiveness of these controls and have an auditor attest to that assessment. Section 409 stipulates that the same board and executives must disclose real-time information "concerning material changes in the financial condition or operations of the issuer including trends as the Commission determines necessary for the protection of investors and in the public interest." The ability to report real-time information and to set controls ensuring the validity of financial information was thought by the SEC and the PCAOB to be fully within the realm of the financial professionals who posted the information. But they were wrong.

The Pandora's Box of 404 and 409

When the SEC created SOX, they inadvertently opened a Pandora's box, because the short statements contained in Sections 404 and 409 spoke volumes about how much the financial numbers and accounting operations of organizations were driven by information technology and the physical operations of the business. Risk managers and compliance specialists quickly realized that in order to ensure the accuracy of the financial disclosures, they would have to ensure the validity of all the underlying processes that fed the numbers: inventory flow, contract disclosure and oversight, counter-party credit risk, system integration and development, real-time exception reporting, mark-to-market valuations, value-at-risk assessments, and so on. Suddenly two small regulations had opened an entire world of potential compliance failure points. Yet in most cases very few SOX compliance teams contained more than a single representative from the IT side of the company.

Even in the very hazy and wide-open way the commission drafted the 404 and 409 regulations, it was evident that they clearly understood the impact of the underlying physical operations of organizations. Process controls had to extend beyond the scope of financial and audit teams, and they even drafted amendments to this effect. Once the box was open there was no turning back. The audit organizations tried, however. A recent review of a major Tier 1 SOX 404 guide presented to public companies includes such statements as "Management need not assess internal control over operations and compliance" and "A company's business continuity or contingency plans have no effect on its ability to initiate, authorize, record, process or report financial data and are not part of SOX compliance." The notion that accounting is a standalone function unto itself is where most companies will be caught by SOX 404 and 409 compliance regulations in the coming years.

Remember that most of the great corporate failures of the last few years had nothing to do with financial reporting. The companies were dead by the time the public read the annual report, even though the financial statements followed generally accepted accounting standards. Companies such as Enron and WorldCom went bankrupt because the underlying physical processes of the organization were failing, and the companies did not have to report this in publicly released financial statements for many periods. For public companies to avoid a SOX compliance failure, they must accept the fact that accounting is the score of what has happened and is not a predictor of things that will happen. To this end, information technology executives must become active and equal participants on SOX executive committees, as must risk and continuity experts, security experts, and market traders capable of understanding the market trends noted in 409.

Winning the SOX Game

SOX is a rigged game in which you play against the regulators, and failure in the game will result in very personal repercussions. All executive members must participate and be included on compliance teams, not just accounting or audit staff. Any board that fails to include its information technology staff in its compliance efforts risks losing the game, placing its shareholders in peril and itself in the gun sights of the SEC regulators.

Rob Smith is an author for Penguin Publishing on technology and business. He is the CEO of Riskstream Inc., a business continuity and regulatory specialist. He is also the co-chairman of the Integration Consortium (
