The 2002 Sarbanes-Oxley Act, passed by US Congress to
clean up corporate America's financial reporting, is casting a long
shadow over UK IT directors.
Not only does it affect any UK company with a public listing in
the US and UK firms that are subsidiaries of US public companies,
it is increasingly likely that its provisions will be echoed in
European law before too long.
Moreover, irrespective of legislative changes, UK companies are
finding that their auditors are increasingly keen for them to
voluntarily adopt the practices that Sarbanes-Oxley mandates. Those
that do will find it a good way to contain, and even reduce, their
audit costs, as well as gain other IT and business benefits further
down the line.
This is just as well, for the experience of US companies rushing
to meet Sarbanes-Oxley compliance is that the cost has been high.
However, not only are UK companies in less of a rush - even
US-listed UK companies have a year's grace before filing - they can
take advantage of the US' learning curve.
An essential lesson from the US is that, although the role of IT
in achieving compliance is critical, it is the underlying business
processes and internal controls that are fundamental for
Sarbanes-Oxley compliance.
"There is no such thing as Sarbanes-Oxley-compliant software,"
said Dennis Keeling, chairman of the British Software Developers
Association (Basda).
Instead of reaching for a quick-fix IT implementation, the IT
director will need to commit both to a major project for achieving
compliance and, crucially, to sustaining it thereafter.
"Sarbanes-Oxley compliance is not a one-off," said Keeling. "The
IT director will need to seize the initiative and take control of
the processes and architecture within the business. He will have a
major ally in the financial director, because he has to justify the
audit fee."
Uncontrolled end-user computing has resulted in many companies
experiencing an explosion in the number of spreadsheets, which are
used for everything, including pulling year-end accounts together.
Complying with Sarbanes-Oxley will streamline these processes,
leading to a likely lowering of audit fees as processes become
automated.
End-user spreadsheets are classified by Sarbanes-Oxley as manual
processes, and although at the moment Sarbanes-Oxley permits manual
processes, it requires them to be tested regularly and
substantively, increasing cost.
"For automated controls, there is typically no further audit
cost after the first time they are audited, and for semi-automated
controls there is typically less cost after the first time. But
every manual process has to be audited every year," said
Keeling.
"The purpose of Sarbanes-Oxley is to show that the final
accounts are the same as the figures used in the business - often
there can be no relation."
By relying on end-user spreadsheets, companies are open to both
inadvertent error and, worse, deliberate fraud. "With spreadsheets,
there is no audit trail, no means of verifying who did what to them
and when," warned Keeling.
Companies that eradicate reliance on end-user spreadsheets in
their accounting processes do more than reduce their audit costs;
they also reduce their own internal costs.
"There is significant hidden cost in time and resource for
set-up, maintenance, use and audit (of end-user spreadsheets) - on
average more than nine times the cost of automated processes," said
Keeling. "If you multiply that by the manual processes that a
typical corporate runs, there is clearly huge scope for cost
reduction."
The IT department will also benefit. Creeping IT devolution over
the years has led to increasing loss of control over end-user
computing by the IT department. Wielding a Sarbanes-Oxley project
mandate gives IT a powerful lever to re-centralise IT and thereby
regain control over devolved systems.
This is not just a question of having a "shoot to kill" policy
on end-user spreadsheets, but one of constructing a coherent and
consistent corporate IT architecture.
According to a report by Basda and PricewaterhouseCoopers, the
US experience of achieving Sarbanes-Oxley compliance made most US
companies realise that the systems underlying their controls and
processes were fragmented and often inefficient.
However, if it can be implemented in a timely manner, without a
rush to meet regulatory deadlines, Sarbanes-Oxley compliance
provides an opportunity to consolidate systems.
"As a consequence, there will be a move to enterprise resource
planning systems with a single dataset and audit trail, eventually
replacing standalone, best of breed systems with discrete datasets
and audit trails," said the Basda report.
For the IT director, Sarbanes-Oxley compliance is also an
opportunity to play a leading role in a major corporate
undertaking, thus demonstrating their value to the company at a
senior level.
IT directors will also be under pressure to get as much business
benefit as possible from the money spent on becoming
Sarbanes-Oxley-compliant, over and above cost reduction.
One potential way to achieve this is to exploit the improvement
in systems, processes and controls to enable business managers to
have a much more up-to-date view of what is going on in the
business via an executive dashboard. Indeed, Sarbanes-Oxley itself
seems to be aiming eventually for much faster disclosure, which
would require real-time reporting.
Achieving and maintaining Sarbanes-Oxley compliance will, like
all regulatory governance, impose a cost on companies. However,
with planning and foresight, plus effective leadership from IT
directors, companies can leverage the investment required by
Sarbanes-Oxley to bring about other business benefits that might
otherwise have been hard to justify.
Sarbanes-Oxley compliance could be more than just a ticket to
ride; it could be a passport to greater profitability.
IT considerations of compliance
- IT asset inventory - what systems do you have and who owns
them?
- Outsourced systems - these will need to be included for
Sarbanes-Oxley compliance
- Security - who has access to financial and operational systems
and are their actions traceable?
- IT governance - which framework do you use and is it similar to
that of your industry peers?
- Interoperability and data integrity - how do systems transfer
data between each other?
- Replacing disparate best-of-breed systems with a single
corporate-wide ERP system using master data and a single data
set
- Eradicating end-user spreadsheets
- Regular testing of processes and systems against Sarbanes-Oxley
requirements to ensure compliance is sustained
- Leveraging Sarbanes-Oxley investment to consolidate IT
- Leveraging Sarbanes-Oxley investment to support business process
management and real-time reporting.
Benefits of Sarbanes-Oxley
Business benefits
- Achieves compliance ahead of likely European legislation
- Clears a company for US listing
- Clears a company for acquisition by a US company
- Reduces the cost of annual audits
- Presents an opportunity for real-time financial and business
process management through the use of dashboards.
Implementing a Sarbanes-Oxley project provides an opportunity
to:
- Replace or upgrade systems
- Refresh and consolidate IT architecture
- Regain control of devolved IT, and centralise it
- Forge closer links with financial director and senior
management
- Be seen to take the initiative on a major corporate
programme
- Exploit the greater financial transparency that Sarbanes-Oxley
compliance affords to improve the financial management of the IT
function itself.