Risk & Compliance

Internal Controls

In a world gone Sarbanes-Oxley, have finance and IT found common ground?
Scott LeibsNovember 17, 2003

In a race against time,” begins an IBM press release issued late last month, “IBM…is marshaling its global resources to help businesses meet pending deadlines on new compliance regulations.”

A race against time indeed. As businesses race to comply with key provisions of the Sarbanes-Oxley Act of 2002, IT companies of every imaginable persuasion are racing to potential customer sites with elaborately crafted pitches about how their products or services will not only stave off regulatory disaster but usher in a new era of transparent, responsive, vastly more efficient operations. With immediate ROI, of course.

The marketing blitz inevitably invites a certain cynicism, particularly when contrasted with surveys (including our own) that indicate that most CFOs don’t plan a substantial investment in IT in response to Sarbox. But companies can’t completely discount the link between the enhanced internal controls that Sarbox demands and the information systems that manage data, shape workflows, and connect most employees. And some surveys have begun to show CFOs’ growing concern regarding their ability to meet the June 15, 2004, deadline.

A survey commissioned by IBM of nearly 100 large-company senior finance executives found that only 10 percent say their internal controls (which is summarized by law firm Fenwick & West LLP as “a process implemented by the board, management, and other personnel that is designed to provide reasonable assurance regarding the reliability of financial reporting and preparation of financial statements in accordance with GAAP”) pass muster, but the remaining 90 percent believed they’d be ready in time.

IBM and other technology vendors are urging customers to be more than ready. They say companies should use Sarbox as an impetus to overhaul the many procedures and systems that facilitate internal reporting. IBM frames this issue as the “compliance life cycle,” in which companies first scramble to avoid SEC penalties, then pull back and decide to treat the issue more strategically. Susanne Ruschka-Taylor, a partner in IBM’s Business Consulting Services division, says: “More than one-third of the companies we surveyed want to engage in strategic transformation based on Sarbanes-Oxley, but very few even know what they’d need to make that happen.”

Apparently companies need a lot, because IBM has announced a slew of products and services, addressing everything from anti-money-laundering to E-mail archiving to new reporting software. The company argues that customers can buy what they need to fill gaps, and that since many of the new products and services streamline costly manual processes, the investment will pay off quickly. It plans to make its pitch to CFOs, identified by the company’s survey and many others as the person most responsible for Sarbox compliance.

CFOs, in turn, may want to make some sort of pitch to CIOs. “Sarbanes-Oxley…will make the IT department the CFO’s new best friend,” says Virginia Garcia of consulting firm TowerGroup. She argues that effective compliance will require detailed transaction data to “bubble up” to higher-level systems to achieve the desired transparency of operations. And that will take IT involvement.

Ed Trainor, president of the Society for Information Management, a CIO membership organization, recently said the same thing to his peers, urging them to take Sarbox to heart and see it as a chance to “demonstrate value to their organizations” and to use it as a chance to “increase mutual understanding and alignment” between IT and finance.

Indeed, that may be the real opportunity of Sarbox—to provide a core mission around which the hazy, oft-uttered goal of “business alignment” can cohere. “Sarbanes-Oxley requires a balance of business and technology contributions,” says Garcia. To date, it’s been framed as an either/or, with companies spending heavily on lawyers and consultants to evaluate policies and procedures, while technology companies claim the issue can be solved with hardware, software, and more consulting. Garcia argues that financial reporting has been largely manual and therefore prone to error, which could now be disastrous, a theme that IBM’s Ruschka-Taylor picks up on when she jokes, “One of the soft benefits of better internal controls could be avoiding jail.”

IT and finance have been working more closely, due largely to the budget squeeze. Stephen Boyd, IT controller at Boston-based electronic-components maker Teradyne Inc., reports to the company’s CIO, with a dotted line to the finance side. He says he has seen strong support from both IT and senior management to better link the departments. “At most companies, you have a significant amount of money within IT [budgets], and you have to look a little harder at things than you have in the past,” he says. Boyd sees roles such as his becoming more common, and consultants agree. As one finance executive told IBM, “Our biggest challenge [as a global company] is getting our hands around everything, to ensure that everything is included” in his company’s approach to Sarbox. That’s certain to inspire serious talks between IT and finance. Whether they can agree on what to buy remains to be seen.