Sarbox Surprises

The summer/fall/winter/spring of our Sarbox discontent. Also: Gates spies an IT labor shortage; tax implications of IT purchases; business traveler...
CFO Staff, June 22, 2005

It wasn’t supposed to be like this, but IT has emerged as an unexpectedly vexing aspect of Sarbanes-Oxley compliance. According to a recent CFO IT survey, almost all companies reporting weaknesses or deficiencies under Sarbox have found IT to be at least part of the problem, if not the sole source. Worse, many CFOs feel that regulators have not done a good job of explaining what companies must do to satisfy Section 404 requirements for internal controls from an IT perspective. They also say the auditors charged with giving or withholding a thumbs-up don’t understand the IT issues well enough to render an accurate judgment (see “Survey Says”).

“In some sense I’m surprised, but in another sense I’m not,” says Steve Hill, a partner in the risk advisory services practice at KPMG. “IT issues account for 20 percent of the key-controls portfolio at a typical company, which is almost twice as many as the next two areas combined.” That is, IT is so pervasive at most companies that any examination of internal controls is bound to turn into a de facto audit of IT.

Indeed, a majority of survey respondents said there is no clear line between what constitutes financial versus IT controls. That’s one reason why the Institute of Internal Auditors has inaugurated a new series of Global Technology Audit Guides that includes one that focuses on IT controls. While not intended as a Sarbox manual per se, the guide does provide useful baseline knowledge and some specific tools for understanding and implementing IT controls, according to Jay R. Taylor, general director for IT Audit at General Motors. (The guide is available at

At this point, any guidance is welcome. “No one had a reference point,” says William Chiasson, CFO at Leapfrog Inc., a maker of children’s educational products. “It’s been an uphill battle for auditors and everyone else.” Leapfrog’s first audit uncovered material weaknesses in accounts receivable, inventory, and IT. Rob Moon, the company’s CIO, says software from Logical Apps and Oracle’s Internal Control Manager product should help the company resolve its problems, particularly regarding segregation of duties and access rights. And he says that in some sense, Sarbox has had a silver lining. “It can prevent fraud and conflicts of interest, and it is a prime motivator to simplify, simplify, simplify,” explains Moon.

But that won’t happen overnight. Chiasson believes that year two of Sarbox compliance will be even more demanding than year one. “In the first year, we described our systems,” he says. “Now we have to update and fix them, which is more work.” KPMG’s Hill says, “Sarbox can accelerate business, much as Six Sigma and IT itself did. Compliance can become a new lens through which to evaluate your company.”

So far, few companies like what they see. But if it is any consolation, last month the Government Accountability Office found that the SEC’s own internal controls suffered from several material weaknesses, including IT.

The Check Is for the E-Mail

Depending on who is defining the market, companies are already spending $4 billion a year on technologies that fight E-mail threats (including viruses, spam, and phishing) or will reach that level within four years. While the numbers from analyst firms may vary, most agree that along with a continued rise in spending will come a shift in corporate priorities, away from a reliance on multiple best-of-breed products (that each target a specific E-mail threat) and toward suites of products or a managed service that can address the many ways that E-mail can spell trouble.

Radicati Group estimates that 52 billion spam messages and 900 million viruses will be mailed each day in 2005, so there is clearly plenty of work for E-mail security products and services to do. Both Radicati and In-Stat say that a shift is under way toward E-mail “appliances,” a combination hardware/software device specifically engineered to tackle E-mail security problems. But In-Stat says that 30% of current decision-makers are unsure whether their next purchases will be software, appliances, or hosted services.

Not surprisingly, In-Stat ranked reliability as the top factor influencing purchasing decisions; Radicati reports that manageability and scalability are also at the top of buyers’ lists of requirements.

Sphere of Commitment

Companies want to negotiate good deals with their IT vendors, it’s true, but many also say they want to rely on a smaller number of vendors that can act as true business partners. Those two goals are often in conflict, leading to fractured, unproductive relationships. These are among the findings of McKinsey consultants Baljit S. Dail and Andrew S. West, who studied nearly two dozen companies. Among the firms in question, 20% regarded cost as the top priority in vendor relationships, while 70% cited a desire for stronger partnerships with a smaller number of preferred suppliers. Of those 70%, however, only 30% believe they actually do have the kind of vendor relationships they’d like.

Driving the toughest bargain tends to prolong implementation times, create an arm’s-length relationship with the vendor that can hamper subsequent efforts to customize a system or address problems, and stymie efforts to exact helpful information from a vendor’s technical team. At the same time, limited resources don’t allow for strong relationships with all vendors, so the consultants advise companies to rank vendors and focus only on those that are critical (because they provide crucial technology or big-ticket, noncommodity software, for example). Compare the skills of these vendors with those of internal IT staff to see what vendor capabilities you might best leverage. And know what you want most: information about how your competitors use the technology? Influence over the vendor’s R&D? Companies should also have clear expectations, involve senior management, and create a forum for feedback and regular evaluation.

Split Decision

It is the perennial question in IT management: to whom should the CIO report? According to Mark Cecere and Heather Liddell of Forrester Research, the answer is…it depends. At large organizations with large IT budgets, the CIO is more likely to report to the CEO than to any other C-level executive. This gives IT more influence and allows it to drive organizational change, but also ratchets up the responsibility and potential liability if things go south. The analysts say that a CEO-CIO reporting relationship is essential at companies that plan a large-scale transformation of IT, such as a move to a centralized or shared-services model, because the CIO will have the access and influence he or she needs with key senior executives. But the need to report to the CEO declines in several situations: at companies in which IT is viewed as a support organization, when the CIO doesn’t have the skills to run the department solo, where cost containment is viewed as a top priority, or if the pay scale doesn’t justify a direct line to the top dog. Those factors tend to dominate at smaller and midsize companies, where a CIO is most likely to report to the CFO (at companies with fewer than 5,000 employees) or is just as likely to report to the CFO as to the CEO (companies with 5,000 to 20,000 employees). Interestingly, Forrester found that CIOs who report to CEOs don’t have any more flexibility on budgets than those who report to other executives: when asked whether new IT investments require the approval of an IT steering committee or its equivalent, a nearly equal number said yes. But CIOs who report to CEOs do have bigger budgets, averaging 4.8% of revenue versus 3.3% at firms where the CIO reports to the CFO.

Major Bummer

Just when you thought all the IT jobs were moving offshore, along comes Bill Gates to say otherwise. In April, the Microsoft chairman said that a drop in the number of U.S. college students majoring in computer science was bad for his company now and would prove equally damaging to all U.S. businesses over time. Gates said the company was having difficulty filling “good-paying jobs” at its R&D facilities in the U.S. and that reducing visa restrictions on foreign workers might be one way to respond. One problem may be that the kinds of workers Microsoft wants are an anomaly. The Information Technology Association of America, a Washington-based trade group, says that non-IT companies represent 79% of the market for IT jobs and were responsible for the “overwhelming majority” of new jobs created in 2004. Despite adding those new jobs, however, overall demand is slowing. Last year, employers expected to fill 230,000 jobs, whereas the year before they reported a need for almost 500,000, and the year before that more than 1 million. Little wonder that college students aren’t beating a path to the computer lab. According to UCLA’s Higher Education Research Institute, the percentage of incoming freshmen interested in a computer science major dropped by more than 60 percent between 2000 and 2004.

E Pluribus Unum, Eventually

With its protracted acquisition of PeopleSoft now a done deal, Oracle has been hitting the road of late, laying out for customers its vision of the future, one in which product lines are maintained in parallel and also merged. That geometry-defying goal will take plenty of resources, but CEO Larry Ellison insists that despite a 5,000-person layoff, the software behemoth still has what (and who) it takes to keep PeopleSoft and J.D. Edwards applications alive and well for years, even as it merges them with existing Oracle products. That effort, dubbed Project Fusion, will take place over several years. “This is not a big-bang approach,” says Steve Miranda, senior vice president for applications development. Indeed, with Oracle pledging to keep some PeopleSoft applications alive until 2013, and providing automatic upgrades to Project Fusion technology from current and next-release versions of all products, customers shouldn’t face any agonizing choices in the near term. Miranda says Oracle wants to ease the pain in other ways as well, by providing a simplified infrastructure that will begin with new middleware to be released later this year. That first dose of Project Fusion technology aims to, among other things, reduce the number of “flips and switches” that users must manipulate in order to configure the software for their needs. Oracle’s competitors are raising doubts about migration strategies, suggesting that customers will have to pony up for several upgrades. But analysts say that the migration plan as currently described by Oracle gives customers time to act and avoids a multiple-migration nightmare.

The Road Warrior As Travel Agent

Business travel, already a $153 billion industry as of 2003 (the last full year for which data is available), continues to rise, and as it does, companies are increasingly looking to technology to help pare costs. In a survey of more than 550 business travelers, Accenture found that nearly three-quarters of them regularly book online. Only 22 percent prefer to deal with a travel agent, a notable decline from the 36 percent who indicated that as their preferred method a year earlier. Online booking can put plenty of information at an employee’s fingertips, but it’s not a panacea: some sites do not display all available airfares, and a number of hotel chains have decided that in order to drive visitors to their corporate booking sites they won’t offer any discounts through third-party sites. “Travel is an area that has always been ripe for savings,” says Lane Dubin, vice president of business development, North America, for American Express Travel Services, “but it’s only now getting real attention from companies.” That attention takes many forms, from automated T&E systems (see “Putting More ‘E’ in T&E”) to consulting services that can help companies navigate this complex terrain. Dubin says companies are currently changing their focus, from reducing transaction costs to cutting overall travel expenditures. Last month Travelocity announced a new service that helps companies manage and reissue unused airline tickets — an expense that can sometimes amount to 5 to 7 percent of a company’s travel budget, according to Travelocity. The service relies on new technological capabilities and industry expertise, a combination that many online travel-services companies will be highlighting as they continue to woo corporate clients.

When Taxes Aren’t, In Fact, Certain

According to a new study, for all the numbers that companies crunch when deciding when and whether to purchase new technology, there is one area that goes conspicuously unexamined: taxes. More than 70 percent of companies ignore tax considerations when evaluating IT acquisitions, say Deloitte Consulting and IDC Research. These companies miss out on potential savings, while also increasing the risk that they will underpay taxes and face penalties. Sales tax overpayment (stemming from misclassified purchases or turning nontaxable deliveries into taxable events), inadequately documenting R&D tax credits, and disregarding state and local tax grants for expenses such as training staff in new technologies are but a few ways that tax issues can affect the total cost of ownership. Part of the problem is that many companies assume that the legal or procurement department looks at tax implications when, in fact, they may not. About a quarter of the survey respondents said they didn’t think tax matters would have a material impact on buying decisions, but Deloitte maintains that tax ignorance results in millions of dollars of unrealized savings.

No Room at the Internet

You might think that 4 billion of anything is plenty, but you’d be wrong. So say proponents of Internet Version 6, also known as IPv6, the next-generation foundational technology for the Internet, which so far has met with a collective yawn on the part of the technology companies that will ultimately deploy it. A recent survey by Juniper Networks of nearly 350 federal and corporate IT executives found that while 80 percent of them want better security, network management, and quality of service, only 7 percent regard IPv6 as important to meeting those goals. But IPv6 advocates say that this next-generation Internet Protocol technology will tackle those concerns and more. “The current version, IPv4, dates from the 1970s and 1980s, and only accommodates about 4 billion IP addresses, which is proving to be too few,” says Ben Schultz, managing engineer at the University of New Hampshire’s InterOperability Lab and director of Moon v6, a public-private collaboration. There are short-term work-arounds, but eventually, without new technology, the system will essentially reach capacity. Last month, in an effort to demonstrate that IPv6 is ready for prime time, a consortium that included MCI, France Telecom, Lucent, and UNH demonstrated how the system can be used to provide a global multimedia service, such as a corporate distance-learning program. But the ISPs and other companies that must ultimately swap out old gear for new and train their staffs in the new protocol have shown little inclination to move.