The Sarbox conspiracy.


Sarbanes-Oxley compliance efforts are consuming CIO time and budgets. Worse, CIOs are being relegated to a purely tactical role. And that may be the CFO's plan. When CIOs began installing ERP systems in the 80s and 90s, they unwittingly took something that used to belong to CFOs--financial controls. The things that accountants used to monitor manually--such as making sure that two signatures from the right people went on every cheque, or reconciling purchase orders against invoices--became automated inside ERP systems. The meticulous audit trail that controllers and accountants had established over generations for demonstrating that money was being handled properly (think of black, leather-bound ledgers and long ribbons of adding machine paper) disappeared into those ERP systems without a trace--or at least without being properly documented, and certainly not to the extent now required by the 2002 Sarbanes-Oxley Act, aka Sarbox. Today, CFOs want those controls back. If they don't get them, they believe they could go to jail. Section 404 of the Sarbanes-Oxley Act mandates that CFOs have to do more than simply pledge that the company's finances are correct; they have to vouch for the processes used to add up the numbers.

Sane people don't want to go to prison. They can even get a little frantic about it.

That's why CIOs perhaps can forgive their CFOs for getting aggressive when it comes to taking control of Sarbanes-Oxley compliance efforts. What CIOs shouldn't forgive, or take lying down, are their CFOs' attempts to freeze them out of the process. A recent survey by research company Hackett Group found that just 12 of 22 companies surveyed had IT representation on their Sarbox steering committees. Among 75 public companies that Gartner surveyed at the end of last year, just 63 percent said IT was involved. Partly, this may be because many companies have been slow in getting their Sarbanes-Oxley efforts up and running. Only 65 percent of Gartner's respondents even had a Sarbox steering committee. Twenty-eight percent had no plans to form one. However, some CIOs see a darker agenda at work--a conspiracy. They fear Sarbox has become a stalking-horse that CFOs are using to assert control over IT and displace the CIO as the company's business process expert. Egging CFOs on, this theory goes, are the Big Four accounting firms, desperate to reassert themselves after the Enron debacle (which turned the Big Five into the Big Four after Arthur Andersen bit the dust) and needing consulting revenue to replace what they lost when most split off their consulting divisions.

"Finance and accounting organizations have been pushed to the background recently as IT and supply chain have been driving where companies are going," said one disgruntled CIO.

"Sarbanes-Oxley is the revenge of the bean counters. It's a wedge for the accounting profession to get control of the business again."

The Dark Agenda

Right now, CFOs are setting up compliance committees, often headed by their controllers and staffed by internal auditors and consultants from the Big Four accounting houses, and sending them out in pursuit of any and all business processes and IT systems that could have any impact on the balance sheet. IT systems across the country are glowing eyeshade green as accountants flock around them to figure out how they work and document those buried controls.

For CIOs, this can be a huge distraction and an enormous energy drain.

Sarbox is also expensive. Another utility CIO says his company has already spent 'multiple millions of dollars' on compliance, most of it on labour. And just as companies are starting to loosen their purse strings, much of that money is coming out of IT. But where there's pain, there's also opportunity. If CIOs can take Sarbox beyond mere compliance, and automate and streamline business processes and financial controls so that the cost of compliance goes down over time while business performance improves, they could become heroes. But if they just play a tactical role focusing only on IT-specific controls and leaving the rest to the CFOs and the accountants, this could fix a hard, clear varnish over the view in many executive suites that IT should be forever subservient to finance.

Which, according to many, is just what finance has in mind. One CEO has had front-line experience on both sides of the IT-finance battleground, and he says that many CFOs would like to see CIOs left out of the Sarbox equation. Why? Because, he says, 'it would give CFOs control over one of the largest fixed costs in the company: IT'.

It's beginning to look as if Sarbanes-Oxley will be the greatest test yet of CIOs' standing in the enterprise.

The Sarbox Disconnect

Running Sarbanes-Oxley efforts is not an option for most CIOs. Sarbox is about financial processes. Each year when they sign off on the numbers, it's the CFOs' necks on the line (along with the CEOs'). A recent AMR survey found that 72 percent of Sarbanes-Oxley compliance teams were led by finance, and just 4 percent by IT. (The remainder were led by other business functions plus legal and the board of directors.) But CFOs will not be able to prove compliance without the CIO. In most cases, the CFO's expertise ends where his numbers feed into information systems. Most CFOs are aware of that. However, they have options about where to go to get help. They could delegate compliance to internal audit (another group lacking a good understanding of IT issues) or hire external consultants. But if CFOs do an end run around IT and keep Sarbox efforts within the domain of the accountants and consultants, they could lose an opportunity to make the business run better. Hackett Group found that 47 percent of companies it recently surveyed still use stand-alone spreadsheets as part of their financial reporting process, meaning that the controls used to trace and audit the processes are essentially manual. Somebody throws numbers into a spreadsheet and passes them to someone else until they wind up in the annual report. Manual financial controls are time-consuming, labour-intensive and costly; they're why companies abandoned those black ledgers in the first place. AMR estimates that of the roughly $US3 billion spent on Sarbanes-Oxley compliance in 20001, about 90 percent was spent on internal staff and consultants. To keep Sarbox from becoming an annual, recurring nightmare, companies need to automate financial controls (documenting them this time) and replace some of the labour-intensive manual detective work with software and hardware. That shift needs a leader. And that leader logically should be the CIO because the CIO will have to maintain and support those automated controls.

But just like Y2K, consultants and vendors are descending upon CEOs and CFOs and selling them magic-bullet software solutions for Sarbanes-Oxley over the heads of CIOs. It's ERP all over again. The financial controls gap inside most ERP systems today is partly the product of the communication gap between those who bought ERP systems (CEOs and CFOs) and those who installed and maintained them (CIOs). ERP projects went sour when business leaders and CIOs could not agree on how best to automate business processes in ways that could be integrated, supported and maintained by IT. Sarbanes-Oxley could easily lead to that same disconnect.

Sarbanes-Oxley means CIOs and CFOs need each other more than ever. Whether they will ever get around to admitting it is another matter. But if someone needs to swallow his or her pride and make the first move, it's the CIO.

The CIO's Dilemma

Today's corporate climate is not, however, conducive to compromise. Consultants and internal auditors are getting in CIOs' faces and demanding tighter controls in IT without deep knowledge of either Sarbanes-Oxley or IT.

'I've been told that I now need to submit every requisition to finance for approval before I can spend my budget,' said one angry manufacturing company CIO. 'The CFO has delegated it to the controller, who has hired all these young auditors and consultants who think they're on a mission. They see Sarbanes-Oxley being above and beyond everything else we're doing. It's annoying because there are more important things we should be doing.' Even though she is part of the company's Sarbox steering committee, this CIO has given up hope that the project will lead to the kind of process improvement and automation that could provide a long-term benefit to the business. 'Everybody will do what they have to to get through the compliance door, and the funding and overall attention and priority for the other process improvements will go where they always go--to the bottom of the list,' she said.

Mostly, CIOs resent Sarbanes-Oxley. IT has been suffering through a funding drought since 2000, and now that corporate revenue is finally bubbling up again, Sarbox has moved to the front of the line. 'Now here comes Sarbanes-Oxley and you have to find money in your budget to document processes,' said one. If you read through the control objectives in Sarbanes-Oxley, they're very general. Trying to burrow down to the detail and understand what will be looked for by the external auditor is very difficult. It's also difficult to draw the line between IT processes, operational processes and financial processes.

The CIO Solution

At one company the CIO took an early leadership role by suggesting that the company approach Sarbox the same way it did Y2K. Accordingly, they created an overall steering committee that meets monthly and includes the top functional executives from around the company. Working with the finance group and consultants, the project leadership parsed the project into 10 major processes by reverse engineering the balance sheet and income statement preparation process. Each of the 10 processes was treated as a distinct project, each with its own steering committee, a business sponsor, internal audit consultant, and a business and IT lead assigned to do the dirty work of ferreting out the controls, documenting them and resolving any gaps in the process.

The Knowledge Gap

Without a good playbook for Sarbanes-Oxley, IT and business executives find themselves dependent for advice upon external auditors and consultants. But according to the CIOs and analysts we spoke to, consultants are also trying to figure out what compliance means. And that's yet another sore point for CIOs. 'I'm not getting any good advice about what I'm supposed to be doing from the consultants or the external auditor,' said one manufacturing CIO. 'They have no clue what Sarbox means for IT yet.' Their most common complaint is that the rules haven't yet been finalized by the US Securities and Exchange Commission. Complicating the situation is the long-time split that has existed between financial auditing and IT auditing inside consulting firms and the Big Four accounting firms. Financial auditors have traditionally focused on controls and overall business governance, while IT auditors have consulted with CIOs on best practices for running IT. And just like the businesses they serve, it's financial auditors, not the IT auditors, who are running Sarbox consulting engagements. This can lead to IT issues being ignored or shoved to the backburner. 'They send in financial auditors and IT auditors but they are usually two separate teams that haven't created a joint strategy.' This is yet another reason why IT may be left out of strategic planning for Sarbanes-Oxley.

With so much potential for confusion and consequent disaster, all top enterprise executives need to stay in the compliance loop. Even if an internal audit group is charged with leading the day-to-day effort on Sarbanes-Oxley, the steering committee is a place where other, nonfinancial voices can be heard. This will eventually allow internal audit groups to save face when they realize that Sarbox is a much bigger job than they may have originally thought.

The Sarbox Compromise

Most auditors and CFOs say that if IT is being left out of Sarbanes-Oxley, it is more a sin of omission, and perhaps ignorance, than a calculated plot. 'The extent of IT involvement depends on how intuitive companies have been about technology-enabled controls.

If there isn't much understanding, then IT might not be there at the beginning. Finance looks at Sarbanes-Oxley and says: How can I do this from a numbers focus?'

CFOs are also struggling with how to define other executives' roles in Sarbanes-Oxley. "Who signs on the bottom line?" asks one.

"The CFO and CEO. That's who have to put their names on the line, and that's who it comes back to. I don't see Sarbanes-Oxley as a confrontation between the CFO and CIO; I see it as being a team that has to work closer together, or the processes and internal controls will fall apart."

CIOs could do everyone a favour by defining their role in Sarbanes-Oxley themselves. After companies get over the initial shock of discovering how many manual financial controls they need to document, the CIO eventually will be assigned to automate them to save time and expense in quarterly compliance efforts. The CIO will become the custodian of controls. The finance function has to own them because they are the last line of defence before the audit, but as the controls are distributed into the organization, you need to establish custodial and execution responsibilities. That's what Sarbanes-Oxley shines a bright light on. You have to have an accountability model for those controls.'

This could be the natural role for CIOs--think access rights to systems, constructing employee portals, and other instances where the CIO already defines and manages automated controls. But it's a short step from there to a much larger role that many CIOs have been reluctant to contemplate: The move from simply owning and maintaining the IT plumbing to becoming accountable for the accuracy and integrity of the data flowing through those pipes. Just as we have financial controllers today who assure the accuracy and integrity of numbers, we will have data controllers who assure the accuracy and integrity of data.

Some CIOs have already accepted that accountability. The CFO and CEO are still ultimately (and legally) accountable if the numbers are wrong, but subcertification puts functional executives' necks on the line internally and in civil lawsuits. Gartner predicts that by next year, 70 percent of publicly traded companies will require their CIOs to do it.
COPYRIGHT 2005 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Koch, C. J.
Publication:Software World
Date:May 1, 2005