As corporations race to meet a June deadline for compliance with the Sarbanes-Oxley Act of 2002, it's clear that the devil—and the opportunity—is in the details.
The act, officially known as the Public Company Accounting Reform and Investor Protection Act of 2002, was signed into law in 2002 to restore the public's confidence in corporate governance by making chief executives of publicly traded companies personally validate financial statements and other information. For the act's first deadline of June 15, companies with market capitalizations of $75 million or more must perform a self-assessment of risks for business processes that affect financial reporting.
While the burden is on CEOs and CFOs to take responsibility for the financial health of their companies, Sarbanes-Oxley places significant responsibility on the shoulders of IT professionals as well. To comply with the law, corporate IT systems will have to be modified or supplemented. AMR Research, an IT research company, reports that 85 percent of companies predict that Sarbanes-Oxley will require changes in IT and application infrastructure.
Bringing computing systems into compliance with the financial reporting law is no one-shot deal; it will be an ongoing process. IT managers can't afford to be less than 100 percent prepared to deal with the act, and they can't afford to leave their companies less than 100 percent prepared to comply. Should the self-assessment of risks under Section 404 not be performed, a company would face stiff penalties.
Using a software package that helps companies comply with the act does not itself guarantee compliance. IT needs to change or create internal controls to ensure that applications are secure. When company officials sign off on key financial statements, the applications must prevent surreptitious modification of data.
Training developers to code securely and having them create and test the code may be costly, but that investment will pay off not only in compliance with the act but also in the creation of more secure applications.
Reviewing processes, securing applications and generating reports will all be necessary to bring companies into compliance. However, Sarbanes-Oxley IT work will not take place in a vacuum. Some IT officials said they have been able to get funds for related projects that otherwise would not have been available. One company kicked off an identity management project, building on work mandated by Sarbanes-Oxley. Another company launched a broad-based applications upgrade, building on upgrades required by the act.
Compliance with Sarbanes-Oxley is a cost of doing business. But it's more than that—it's an opportunity to do things right, to do things cost-effectively and to do things with the entire IT infrastructure in mind.
eWEEK is interested in your opinion. Send your comments to eWEEK@ziffdavis.com.