Beware of Sarbanes-Oxley barriers, pitfalls

November 24, 2003
Computerworld, November 24, 2003
The new law could have a ripple effect affecting other IT projects
Story by Thomas Hoffman
CEOs and CFOs may be the ones on the hook to certify their organizations’ financial controls and procedures under the Sarbanes-Oxley Act, but IT executives had better be paying attention, too.

Among other things, CIOs will need to determine whether they need directors and officers insurance in case financial missteps at their companies lead to shareholder or investor lawsuits in which they could be named as defendants. Meanwhile, they will also have to figure out how to allocate staff resources between Sarbanes-Oxley efforts and other critical projects.
Those were a few of the topics discussed at a Sarbanes-Oxley panel discussion held on Thursday at a meeting in Rye Brook, N.Y., of the Fairfield County, Conn., and Westchester County, N.Y., chapter of the Society for Information Management.
The panelists were Patti Roer, associate counsel at Wiggin & Dana LLP in Stamford, Conn.; Christopher Keegan, regional practice leader for information risk at Marsh-FINPRO in New York; Mark Keeley, a partner at PricewaterhouseCoopers LLP in Hartford, Conn.; and Hank Zupnick, CIO at GE Real Estate in Stamford, Conn.
Questions were posed by Computerworld’s Thomas Hoffman, the panel moderator and by members of the audience.
Excerpts of that discussion follow.
What are the biggest stumbling blocks that companies are facing in their Sarbanes-Oxley initiatives?
Keeley: The amount of resources they think this is going to take. Companies are really struggling with how broad this needs to be. You don’t have to assign resources to do all of your procedures all over again. [Most companies] have procedure policy manuals in place.
What’s the status of GE’s compliance efforts?
Zupnick: General Electric, which GE Real Estate is a part of, has taken a very proactive and aggressive approach to Sarbanes-Oxley. The government mandates that [the deadline for] compliance is June 2004 [for publicly held companies with a market cap exceeding $75 million], but we will be fully compliant by the end of this year.
We’ve determined that good governance is good business. We believe it will build and maintain investor confidence, and customer confidence as well. So we are looking at our processes and our procedures and making sure that they are all air-tight.
One of the biggest challenges is estimating the amount [of staff time and work] that is needed. Sarbanes-Oxley has not yet been tested in the courts. And what company wants to be the test case because they haven’t done as much as they should have? 
Patti, what are the legal issues you’ve been focusing on most with clients?
Roer: The biggest area we’ve been dealing with is document management, document retention and destruction policies. A lot of the work falls on in-house legal counsel, but we’re finding more and more that the role of the IT staff [in locating and isolating data] is critical.
Do middle managers need to obtain directors' and officers' (D&O) insurance in the event of shareholder or investor lawsuits? What are the D&O implications for IT executives?
Keegan: From a Sarbanes viewpoint, we’re looking at the board of directors. They’re responsible for pushing this down through the ranks.
That’s not to say that if you’re not on the board you shouldn’t have insurance. [Shareholders and investors] will sue anybody and everybody they think has responsibility for failure [over controls]. Whether you’re legally responsible for those decisions or not, you may end up with defense costs.
Because companies will have to document and certify the procedural controls they have in place, will this prevent companies from outsourcing?
Keeley: Some of my more astute clients have said, "This is not new stuff. Controls are controls." They [the SEC] are asking the same thing in this controls framework that they were asking 10, 20 years ago.
If you outsource controls, you should ask your outsourcer to prepare a report for you with a SAS 70 opinion [an IT certification approach]. That’s been around for over a decade, and that takes you a long way toward Sarbanes [compliance], because it shows that the outsourcer has had to go through that controls exercise.
What do CIOs need to concern themselves with?
Zupnick: Suddenly you’ve got a significant project that won’t add a penny to your bottom line and won’t take out a penny in costs. I have to take people out of revenue-enhancing projects or cost-cutting projects and put them on this other thing. There’s a challenge in getting management understanding in why these things are critical.
Another critical thing is engaging the right people. Consultants like PricewaterhouseCoopers can help answer questions, but you’ve got to do the job yourself with your own staff. The people who have the most detailed knowledge about your processes and your financial systems are the people in your organization, and you’ve got to involve them and you’ve got to figure out how to pull them away from their day jobs.