IT should take the lead on Sarbanes-Oxley

US financial reporting law can be used as a catalyst for better management, says Ashley Braganza

We appear to be in the quiet before the storm.

The US Sarbanes-Oxley legislation aims to make companies more financially transparent and better at dealing with business risks. It is looming over all organisations with a US listing, or those planning a US listing.

Unless there is a relaxation in its current requirements, all affected organisations issuing financial information after July 2005, such as their annual accounts, will have to include a statement that the management are responsible for maintaining adequate internal controls; an assessment of the effectiveness of the internal controls; and a statement identifying the framework used to assess the effectiveness of the internal controls.

Organisations must report any material changes to internal controls on a quarterly basis. The organisation's external auditors will have to attest to the management's statement once they have tested the internal controls.

As most controls are either fully or partially automated, IT departments are central to much of section 404, a key part of Sarbanes-Oxley. These controls reside in systems such as enterprise resource planning, payroll, human resources, sales, and project and programme management.

Compliance projects have brought to the fore the usual divisions between IT and finance and IT and the business. In some organisations IT directors take the view they will only get involved once the finance function decides which business cycles and activities are included in the Sarbanes-Oxley remit.

In a few organisations, IT directors are still finding out about Sarbanes-Oxley and its ramifications. Most of the work is being done by external consultants and contractors because of staffing constraints and the need for the work to be completed to a deadline.

IT directors need to get to grips with Sarbanes-Oxley, working closely with business managers and colleagues in finance and taking a lead in supporting the business as it documents its controls.

IT directors also need to change the way they plan and roll out systems. Take, for instance, an organisation that is changing its core sales and marketing systems in November and whose financial year ends in December. The new system introduces controls and processes that can affect a material figure reported in the annual accounts, namely sales.

The controls and processes need to be tested for perhaps eight weeks before they can be attested. As the testing period crosses the December financial reporting date, it may be in the best interests of the organisation to delay the implementation until after the organisation's year end.

Smart IT directors are treating Sarbanes-Oxley as a catalyst that can set the scene to improve how the organisation is managed to the benefit of customers, shareholders, employees and other stakeholders, leading to a more profitable business.

Ashley Braganza is director of nexus at the Cranfield School of Management
