Firm News
Beware of Sarbanes-Oxley barriers, pitfalls
The new law could have a ripple effect affecting other IT projects
Story by Thomas Hoffman
CEOs and CFOs may be the ones on the hook to certify their organizationsโ financial controls and procedures under the Sarbanes-Oxley Act, but IT executives had better be paying attention, too.
Among other things, CIOs will need to determine whether they need directors and officers insurance in case financial missteps at their companies lead to shareholder or investor lawsuits in which they could be named as defendants. Meanwhile, they will also have to figure out how to allocate staff resources between Sarbanes-Oxley efforts and other critical projects.
Those were a few of the topics discussed at a Sarbanes-Oxley panel discussion held on Thursday at a meeting in Rye Brook, N.Y., of the Fairfield County, Conn., and Westchester County, N.Y., chapter of the Society for Information Management.
The panelists were Patti Roer, associate counsel at Wiggin & Dana LLP in Stamford, Conn.; Christopher Keegan, regional practice leader for information risk at Marsh-FINPRO in New York; Mark Keeley, a partner at PricewaterhouseCoopers LLP in Hartford, Conn.; and Hank Zupnick, CIO at GE Real Estate in Stamford, Conn.
Questions were posed by Computerworldโs Thomas Hoffman, the panel moderator and by members of the audience.
Excerpts of that discussion follow.
What are the biggest stumbling blocks that companies are facing in their Sarbanes-Oxley initiatives?
Keeley: The amount of resources they think this is going to take. Companies are really struggling with how broad this needs to be. You donโt have to assign resources to do all of your procedures all over again. [Most companies] have procedure policy manuals in place.
Whatโs the status of GEโs compliance efforts?
Zupnick: General Electric, which GE Real Estate is a part of, has taken a very proactive and aggressive approach to Sarbanes-Oxley. The government mandates that [the deadline for] compliance is June 2004 [for publicly held companies with a market cap exceeding $75 million], but we will be fully compliant by the end of this year.
Weโve determined that good governance is good business. We believe it will build and maintain investor confidence, and customer confidence as well. So we are looking at our processes and our procedures and making sure that they are all air-tight.
One of the biggest challenges is estimating the amount [of staff time and work] that is needed. Sarbanes-Oxley has not yet been tested in the courts. And what company wants to be the test case because they havenโt done as much as they should have?
Patti, what are the legal issues youโve been focusing on most with clients?
Roer: The biggest area weโve been dealing with is document management, document retention and destruction policies. A lot of the work falls on in-house legal counsel, but weโre finding more and more that the role of the IT staff [in locating and isolating data] is critical.
Do middle managers need to obtain directors' and officers' (D&O) insurance in the event of shareholder or investor lawsuits? What are the D&O implications for IT executives?
Keegan: From a Sarbanes viewpoint, weโre looking at the board of directors. Theyโre responsible for pushing this down through the ranks.
Thatโs not to say that if youโre not on the board you shouldnโt have insurance. [Shareholders and investors] will sue anybody and everybody they think has responsibility for failure [over controls]. Whether youโre legally responsible for those decisions or not, you may end up with defense costs.
Because companies will have to document and certify the procedural controls they have in place, will this prevent companies from outsourcing?
Keeley: Some of my more astute clients have said, "This is not new stuff. Controls are controls." They [the SEC] are asking the same thing in this controls framework that they were asking 10, 20 years ago.
If you outsource controls, you should ask your outsourcer to prepare a report for you with a SAS 70 opinion [an IT certification approach]. Thatโs been around for over a decade, and that takes you a long way toward Sarbanes [compliance], because it shows that the outsourcer has had to go through that controls exercise.
What do CIOs need to concern themselves with?
Zupnick: Suddenly youโve got a significant project that wonโt add a penny to your bottom line and wonโt take out a penny in costs. I have to take people out of revenue-enhancing projects or cost-cutting projects and put them on this other thing. Thereโs a challenge in getting management understanding in why these things are critical.
Another critical thing is engaging the right people. Consultants like PricewaterhouseCoopers can help answer questions, but youโve got to do the job yourself with your own staff. The people who have the most detailed knowledge about your processes and your financial systems are the people in your organization, and youโve got to involve them and youโve got to figure out how to pull them away from their day jobs.