Hackett: companies stint on technology.

Despite the clear need for technology to play a major role in helping companies achieve Sarbanes-Oxley Act compliance, too many companies surveyed recently by The Hackett Group apparently haven't gotten the message. Two research reports from Hackett's Business Advisory Services recommend actions IT organizations can take to support such compliance efforts. The reports, "IT Involvement is Critical to the Success of Sarbanes-Oxley Compliance" and "Sarbanes-Oxley Compliance: It's Not Just for Finance," detail the major steps IT organizations can take to support Sarbanes-Oxley compliance efforts. Key findings and recommendations include:

1. IT Participation Is Critical -- "It's almost impossible for a company's Sarbanes-Oxley compliance efforts to be fully successful unless IT plays a major role," says Dr. David Oppenheim, Hackett senior business advisor. "Sarbanes-Oxley mandates that companies do more than just attest to the accuracy of their financial results. They must also prove that controls are in place, so that if the financials weren't accurate, the CEO and CFO would know." IT, he says, must take responsibility for making this happen.

2. Many Companies Continue to Ignore IT -- Hackett's survey of 22 companies found that nearly half do not have IT represented on their Section 404 Project Steering Committee, which is leading the Sarbanes-Oxley compliance efforts. Other key areas--including human resources, legal, operations and internal auditing--are also being excluded by most companies, the survey found.

3. Take a Business Perspective -- The team must begin its Sarbanes-Oxley efforts by working with the functional areas and business units to understand, from a business perspective, what risks exist and what controls are in place to mitigate them. The business perspective is important because it helps set priorities for subsequent efforts, and because it differs from the traditional IT emphasis on broad solutions to issues such as network security and access control.

4. Take a Comprehensive Look at Internal Controls -- IT should take as broad an approach as possible when considering whether internal controls need improvement. In particular, it should examine policies and procedures that govern how systems are modified and enhanced, and how systems are administered each day. IT should also ensure that any outsourcers meet Sarbanes-Oxley compliance requirements. In establishing controls, companies should consider using Control Objectives for Information-Related Technologies (COBIT), a framework published by the IT Governance Institute. COBIT is designed to be consistent with the broader COSO framework for internal controls, as well as the ISO 17799 standard. While each of the companies surveyed by Hackett had already adopted the COSO framework, only slightly more than half had adopted COBIT, and only 5 percent had formally adopted ISO 17799.

5. Consider All Systems -- CIOs should see to it that usage rules and audit trails are established for every system from which financial information is drawn for reporting. In particular, they should take into account the fact that, according to Hackett's research, the average $1 billion company maintains 2.7 ERP (enterprise resource planning) systems and 48 financial systems. Nearly half (47 percent) of average companies still use stand-alone spreadsheets in some aspect of their financial reporting process. Interfaces between these systems, which often require human intervention, are frequently the points at which errors and fraud are likeliest to occur.