Govt. Agencies Brace for Compliance Act

New federal financial reporting controls could generate turmoil for IT departments.

Finance and IT executives at government agencies across the country are about to get their own dose of some very unpleasant private-sector medicine: the Sarbanes-Oxley Act.

With the start of fiscal 2006 this month, the federal government has adopted drastic new standards for internal controls on finance and operations, much like SarbOx and its requirement that companies document and test all internal controls to ensure accurate financial reporting. Known as Circular No. A-123, the revised measure applies to all federal agencies and governs how they account for spending.

Among the new requirements: annual reports on internal controls and assurances that all of an agency's controls have been documented and tested.

Think of it as SarbOx, gone public.

"Since Sarbanes has been released, there's been lots of debate on whether federal agencies should have the same discipline," said James Deloach, managing director at Protiviti Inc., a compliance and risk consulting company in Houston. "Clearly, this is an effort to do so."

Whether A-123's new provisions will generate as much turmoil for government financial and IT executives as SarbOx did for private industry is unclear. On one hand, the feds have long had some regulation of internal controls (albeit nowhere near as rigorous as SarbOx's and A-123's latest additions). And many have taken diligent notes as private-sector colleagues struggled through their own SarbOx projects in the last two years, consultants and government financial executives say.

On the other hand, compliance will require additional resources that cash-strapped agencies do not have. Many businesses operating in regulated industries expected to find SarbOx compliance a relatively easy next step, too—but few reportedly did. Regardless, the responsibilities of government IT and financial executives have grown considerably.

"Sarbanes wasn't going anywhere, and, eventually, it would find a way to trickle down to us. This is that way," said Felicia Farrar, an auditor with the city of Houston who oversees federal funds for a local HIV-assistance program. "This is going to be the same challenge that it's been with public companies."

Forty-five percent of IT executives responding to a recent poll said their companies are unlikely to meet the second Sarbanes-Oxley deadline.

One crucial question will be how new IT fits into agencies' A-123 efforts. Already some software vendors and consultants, such as Paisley Consulting, ACL Services Ltd. and Virsa Systems Inc., are targeting the government as a lucrative new customer. IBM recently unveiled a new version of its Workplace for Business Controls and Reporting software suite specifically for government agencies. IBM has since signed on the National Science Foundation (with a $5.6 billion budget) as a client and said it is in talks with other agencies.

"They're just beginning to realize they need help," said Denise Rabun, an associate partner with IBM Business Consulting Services, in Somers, N.Y. Rabun said she sees many agencies manage their documentation in Microsoft Corp.'s Excel or, worse, filing cabinets. "It's all over the place," she said. "The hard part is getting your arms around what should be tested."

IT managers can expect to spend considerable time (exactly how much might vary greatly from one agency to the next) working with managers in other departments to identify all those controls and document them in one standard format that is easily understood by outside auditors. That has been the prime challenge for the private sector: not the actual testing of controls and repairing of weaknesses but finding out what controls exist in the first place.
