Corporate governance hit the headlines again last week as Shell admitted it had issued misleading information to the markets.
E-mails released by the oil company show that at least one of its directors believed that the information it disclosed on oil reserves did not meet the standards required by the forthcoming Sarbanes-Oxley Act.
The issues of compliance and corporate governance are now central to senior executives' thinking. We are approaching the 2005 deadline for compliance with Sarbanes-Oxley by multinationals with a US stock market listing, but whose head offices are outside the US. Further impetus to the issue may come from the European Union, which is considering its corporate governance legislation.
This is one area where IT directors must get involved and where, by being proactive, they can be seen to be contributing effectively to the strategic issues facing the board. Achieving compliance with Sarbanes-Oxley and other initiatives, such as Basel 2, can be seen as a headache project that requires careful handling. But it can also be an opportunity for a fundamental review of current information systems, how they are used and, in particular, how that use can be regulated and audited.
There is no doubt that the IT director is in a strong position to lead that process. That makes one finding of an Economist Intelligence Unit survey hard to understand: in 63% of organisations there is no senior IT involvement in planning compliance programmes.
Is this lack of involvement down to companies not understanding the importance of IT to the programme, or a lack of willingness among IT directors to push themselves forward to take on the role? The early planning stages are the time to shape compliance projects; leave it any longer and the ability to influence wanes. The risk of being handed a massive project to be completed within a very short timeframe increases as the deadline nears.
As a minimum, IT directors should consider how much time, money and effort it will take to document existing controls, develop new ones to plug any gaps and test their effectiveness. The requirements need to be assessed against the timescale for achieving compliance and the overall IT budget so that extra resources can be requested.
For most large organisations, compliance will be a key issue over the next 18 months. The IT department can be seen to be leading the issue, flagging up the potential benefits to information systems, or it can be dragged along behind.
Either way, the work has to be completed. Doesn't it make more sense to set the agenda than to follow it?