RealTime IT News

Taking The Sarbox Challenge

When it comes to compliance regulations, the one that seems to strike the most fear into the hearts of company executives is the Sarbanes-Oxley Act of 2002.

Nicknamed Sarbox, and sometimes SOX, the stringent regulation was created to provide control over corporate governance, disclosure and financial accounting in the auditing community after the Enron and WorldCom financial scandals led to billion-dollar losses. The corruption affected financial markets and investor trust.

Gearing up For Sarbox

Each year, publicly traded corporations must submit an assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission (SEC).

Moreover, each company's external auditors are required to audit and report on the internal control reports of management, in addition to the company's financial statements. Failure to meet reporting criteria can lead to hefty fines or even jail time.

"The last thing they want to do is become the last Enron and WorldCom," said Aberdeen Group research analyst Jim Hurley, who specializes in global compliance regulations. "It is the No. 1 thing for firms to get their attestation from their auditors to make sure that they sign off on the processes and the financials."

So where does IT factor in the Sarbox issue? At the heart. Public companies must establish a digital accounting framework that can generate reports that are verifiable with source data. Source data must remain intact and any revisions must be documented as to what changed, who changed it, why and when.

This means companies must install gear that ensures data is securely stored and that a single file may be recalled from a trove of millions.
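The requirement above (source data stays intact, every revision records what changed, who changed it, why and when, and any single record can be pulled back out of a large store) maps naturally onto an append-only, hash-chained revision log. The following is an added illustration, not code from the article or from any product it mentions; the invoice identifiers and values are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone


class RevisionLog:
    """Append-only revision log. Each entry records what/who/why/when and
    carries the hash of the previous entry, so a silent edit anywhere in
    the history breaks the chain and is detectable on verification."""

    GENESIS = "0" * 64  # prev-hash of the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys) so identical content always hashes the same.
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, record_id, field, old, new, who, why, when=None):
        """Append one revision and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "record": record_id,   # which source record was touched
            "field": field,        # what changed
            "old": old,
            "new": new,
            "who": who,            # who changed it
            "why": why,            # why
            "when": when or datetime.now(timezone.utc).isoformat(),  # when
            "prev": prev,          # link to the previous entry
        }
        entry["hash"] = self._digest(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry["hash"]

    def history(self, record_id):
        """Recall every revision of one record from the whole log."""
        return [e for e in self.entries if e["record"] == record_id]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1
```

An auditor-facing system would additionally write the log to storage the application itself cannot rewrite, so that the chain check is evidence rather than just a self-test.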

Deadlines in Place

Aside from the goal of tracking finances down to the penny, the tricky part of Sarbox was meeting several deadlines by which companies had to prove they had the right internal policies or gear in place for each of the regulation's many sections, with closing dates varying with the size or type of company.

All parts of Sarbox are effective now, with the exception of Section 409. But the one that every company seems especially anxious about is Section 404.

Section 404 requires that each annual report from an auditor contain an "internal control report," in which a public company's management is made responsible for setting up and maintaining internal controls and documentation for financial reporting.

Under Section 404, public companies with a market capitalization over $75 million were required to have their financial reporting frameworks operational for their first fiscal year-end report after Nov. 15, 2004, then for all quarterly reports thereafter.

For smaller companies, compliance is required for the first fiscal year-end financial report, then for all subsequent quarterly financial reports after July 15, 2005.

To make sure these rules were being followed to the letters and numbers, the Public Company Accounting Oversight Board (PCAOB) was formed along with Sarbox in 2002. Known as the "Peek-a-Boo Committee" in auditing circles, the group is charged with overseeing what the auditors are doing and reviewing the financial statements filed by public companies.

In addition to the watchdog, there are very stiff civil and criminal penalties associated with lying about financial statements. CEOs or other executives who "knowingly" sign off on inaccurate financial statements face 10 years in jail and a $1 million fine. An executive who conspires to sign off on false statements can receive 20 years and a $5 million fine.

Is it any wonder why Sarbox is a nightmare for businesses required to report every iota of their accounting duties?

The Sarbox Nightmare?

For some businesses, the nightmare goes on. Companies that are filing Sarbox compliance reports this year are experiencing major disruptions, project delays, and consolidations in IT operations and planning, Aberdeen's Hurley said.

The analyst, who recently published a report on the effects of Sarbox, said only 64 percent of all commercial firms currently have an active Sarbox compliance program, with 78 percent planning to have one before the end of the year.

One of the reasons companies are finding Sarbox such a burden is that it is costly. For many mid-tier firms, the cost of complying with Sarbox is as much as it is for Fortune 2000 firms and is spelling the difference between profit and loss.

"One senior executive of an industrial parts supplier said that the money spent on Sarbox in their first year meant the firm reported a loss," Hurley said. "Another company in the telecommunications sector reported that its profits vaporized due to the initial up-front costs related to Sarbox compliance."

"In another problem, vendors have underestimated the challenge of Sarbox," Hurley said.

"In early 2004, companies surveyed said their compliance efforts were restricted to financial applications, and that 'things are well in hand.'"

But when these companies were contacted by Aberdeen in December 2004, their leaders had changed their tunes, telling Hurley that auditors are regularly testing information controls in data storage, software, networks, security, transaction-processing systems and desktops.

Perhaps not surprisingly, security-control software is the No. 1 technology being purchased to assist with Sarbox, Hurley said.

"The audits are finding security controls, processes and reporting procedures that introduce too much risk, so that the auditor doesn't trust the procedures and data enough to sign off on the financial statements," Hurley said.

These include everything from perimeter defenses and improved network monitoring, to identity, information and provisioning controls.

Getting, Staying Compliant With Sarbox

Jim Hurley, Aberdeen Group research analyst, recommends a number of focus areas for companies that need to comply with Sarbox:

  • Establish a map of business processes and controls that flow into the income statement and the balance sheet to get a jump on auditors.
  • Avoid spreadsheet creep by moving spreadsheets, project management and business process flows from point productivity tools to more scalable software suites that span the entire company.
  • Better yet, automate Sarbox compliance by moving off of paper-based systems, especially if it involves hundreds to thousands of people, transactions, invoices, payments and internal transfers.
  • Implement continuous monitoring to improve how financial-related transactions enter and exit applications.
  • Weed out business inefficiencies.
  • Put low-impact documentation problems on the back burner.
  • Deliver training and controls for employee actions.

Readers may obtain a copy of the Aberdeen report here.