IT should lead on Sarbanes-Oxley, analysts urge

IT directors should take the lead in preparing businesses to meet the Sarbanes-Oxley rules and other regulations on corporate governance, analysts have advised.

British businesses with a significant US presence, such as HSBC and British Airways, are already conducting gap analyses of their IT systems in preparation for the 2005 deadline.

Experience from the US shows that businesses are likely to find thousands of IT holes that need to be filled before they can demonstrate that they meet the US standards for financial reporting, Malcolm Marshall, partner at KPMG, will tell this week’s Infosecurity Europe conference.

A review of IT systems is fundamental to comply with Sarbanes-Oxley, which requires businesses with a US stock market listing to demonstrate best practice in their financial reporting controls.

IT directors who do not take a lead in ensuring their businesses are ready for Sarbanes-Oxley risk having cumbersome systems imposed on them by the rest of the business, said Marshall.

Chief information officers can play a pivotal role in implementing Sarbanes-Oxley by drawing on the experience of their risk management staff and business continuity experts to identify key risks to the business.

"The CIO really has to be on the steering group for Sarbanes-Oxley," said Marshall. "For most organisations IT is absolutely critical for the production of their financial reporting. They need to understand how to embed processes into the IT organisations that will help them comply with the least effort."

Although Sarbanes-Oxley will only have a direct impact on IT systems used for financial control, in practice it is easier for most firms to carry out a complete review of their IT than to spend time identifying the relevant systems, said Marshall.

In many cases, US firms found that they had gaps in the access control policies of their IT systems, making it difficult for them to identify who has accessed systems and what activities they have carried out.

The regulations are likely to encourage take-up of single sign-on and user authentication systems as businesses start getting to grips with their implications, said Marshall.

"For the IT department, it is a driver to adopt new common processes. IT departments could use it as a business case for adhering to IS7799 and other international standards," he said.

Compliance systems are key

Events at oil company Shell last week highlighted the importance of compliance systems. Shell announced the removal of a third senior executive after it published an independent auditor’s report into why it had been forced to downgrade its oil reserve figures by almost 20%.

The auditor’s report quoted a memorandum exchanged between the two former Shell chiefs, Philip Watts and Walter van de Vijver, in which van de Vijver raised the issue of compliance. "If I was interpreting the disclosure requirements literally (Sorbanes [sic]-Oxley Act etc) we would have a real problem," he noted.

The independent auditors recommended that Shell enforce a culture of compliance stating that, regardless of business concerns, "all decisions must be made to insure compliance with regulatory and fiduciary obligations".