Sarbanes-Oxley - Now's Your Chance CIOs!

In part 1 of this series, I discussed the significant sections of the Sarbanes-Oxley Act (SOX) with regard to data validity and transparency. Business intelligence (BI) has a significant role in meeting the compliance requirements, with four components being particularly useful. We continue this series by discussing the information technology (IT) mandates implicit in the legislation that the CIO must take advantage of.

Let's start with the current situation facing corporate executives and then look at the technological environment of many of our public corporations. SOX requires that CEOs, CFOs and other corporate executives be connected to the everyday occurrences throughout their enterprises. This means that the supporting IT infrastructures must supply a never-ending set of "real-time," quality data. But let's face it, most IT infrastructures today cannot handle real-time integrated reporting. They lack the necessary integration between data, processes and technologies. The links between systems are not robust (even undocumented in many cases) and rarely does the corporation have access to a repository of quality, current data.

The shift to real-time computing can be particularly onerous for large enterprises whose operational systems rely heavily on batch processing. We are all familiar with the "batch window" in which most operational systems sync up with the day's events. This indigenous technological architecture is so much a part of our IT world that it has become the major hurdle to overcome for these corporations.

Second, many companies are unable to track changes to financial data as it moves internally from group to group. A great focus in the past decade has been on operational efficiency. We have spent billions of dollars on the implementation of massive enterprise resource planning (ERP) and customer relationship management (CRM) systems to collect operational data, but then we turn around and feed this critical information into spreadsheets! Spreadsheets are manual processes that are prone to human error, yet they continue to be widely used for planning, budgeting and crucial financial reporting. In the new world order of SOX, this entrenched dependence on human processes is simply not cutting it. We must create environments that have automated systems for reporting critical financial events and solid audit trails surrounding the creation, dissemination and ultimate disposal of financial data. Finally, we must be able to quickly and easily reconcile information either by integration (my preferred method) or at least through the use of a shared data model.

What does this mean to a CIO? It means you have your mandate, your time to demonstrate the importance and necessity of your department's role in SOX compliance. Now is the time to restart those enterprise-focused projects that lost favor over expediency - data quality, data integration, enterprise data warehouse, meta data consolidation and standardization projects you postponed or had to cancel because of a lack of funding or interest from the business. The best selling tool you have now to get these important projects rekindled is SOX compliance. It is the best thing to come along to improve the overall technology environment. It is your opportunity, with the business leaders' blessing, to:

Decrease IT maintenance costs. By focusing on the enterprise and consolidating independent data marts and data warehouses, you can greatly reduce the costs of these assets while contributing significantly to SOX compliance. Transparency and validity of a corporation's data require reliable, consistent data created and delivered through efficient and effective processes. The standardization from these efforts generates significant savings in licenses, storage mechanisms and resources.

Improve data integrity across the organization. The mandate to report material events and other financial data with assurance of its accuracy gives the CIO the green light to implement data quality improvements that require cross-departmental cooperation. We can now get the horizontally oriented (i.e., enterprise-focused) processes and procedures adopted by the business community. Data quality is a significant business problem that must be embraced by the business community. It is not an IT problem; IT can only support what the business mandates.

Develop an environment that supports better visibility of data throughout the organization. Dashboards, scorecard and KPI applications, and portals can help with compliance - but only if the underlying data is solid and dependable. The executives must contribute their requirements in an understandable fashion, and IT must then deliver the appropriate environment to satisfy those requirements.

Improve internal control mechanisms. The processes that collect, manipulate, document, access, store and ultimately dispose of data must be revamped to eliminate potential or real areas of data corruption. Manual processes must be scrutinized for validity, utilization of spreadsheets must be documented and automated (or eliminated) where possible, and customizations of ERP and CRM packages must be analyzed for validity and, where possible, backed or at least thoroughly documented. It is a good time to reengineer inefficient or nonstandard business processes.

The following are suggested steps for the CIO working toward compliance.

  1. As a first step, develop detailed plans for implementing controls on basic financial systems. This includes the creation of a steering committee of top executives to promote cooperation.
  2. Put in place a technology infrastructure based on a proven architecture that facilitates the use and integration of data from different systems.
  3. Look for places where data integrity can slip through the cracks. Watch for "customizations" to key systems - ensure that they have adequate audit trails. Remove the "nice to have" customizations to your ERP systems and thoroughly document those left in place.
  4. Standardize all technological aspects where possible. This includes operational systems, the entire BI environment (including the informal mechanisms such as spreadsheets and independent data marts) and infrastructural components such as networks and storage devices. Also included in this standardization effort should be: IDs, codes, numbering schemes; business definitions, names; calculations and algorithms; and software and hardware.
  5. Set up systems to automatically notify all key constituents (senior executives, board members, investor-relations managers) of material events. This is a major step toward data transparency.
  6. Finally, ensure that all IT projects are intertwined with the corporation's new or enhanced accounting processes to ensure compliance with and identification of SOX aspects. This promotes the data validity required by SOX.

The Sarbanes-Oxley legislation may turn out to be the best friend for a CIO who is struggling with support for these difficult enterprise-oriented initiatives. It certainly is a compelling argument when the alternative could be a jail sentence...
