Government CIOs Benefit from SOX Hindsight

The January revision to OMB Circular A-123 turned up the heat on government agency efforts to comply with the public sector version of the Sarbanes-Oxley Act (SOX), leaving federal CIOs grappling with the same budgetary and deadline issues that plagued their private-sector counterparts.

“This is an unfunded mandate. There are no budget dollars coming from Congress, which is causing agencies a lot of consternation,” said Robert Markham, principal analyst at Forrester Research, of OMB (Office of Management and Budget) A-123, which governs everything that generates entries into an agency’s financial statement by requiring federal officials to improve how they document and test internal financial controls.

In January, two significant changes were issued. The first establishes the COSO internal control framework as the federal standard. The second is Appendix A, which requires agency heads to test, evaluate and report on the effectiveness of their internal controls, just like SOX Section 404 in the private sector.

As was the case with SOX, a large part of the compliance burden, in particular Appendix A, will be shouldered by IT departments that lack the manpower and funding to meet the Sept. 20, 2006 reporting date.

“Many agencies will be coming back to say ‘We need money to do this’,” said Markham. “But that’s going to be very difficult, because while it’s important to have financial integrity in government agencies, for many organizations the money just isn’t there.”

No Money, Little Time

In fact, organizations are hard-pressed to even anticipate the costs of achieving compliance.

The Association of Government Accountants’ 2005 CFO Survey estimated costs for A-123 compliance that range from zero to $100 million; even attempts to base estimates on the average $4.36 million expenditure for SOX compliance fall short.

“We have no way of knowing what it will cost federal agencies. The problem is that a number of government agencies have multiple financial systems in place, and the number of those that are ‘home grown’ is much higher than in the private sector,” said Markham. “Controls specific to those individual systems will have to be developed and they may all work in different ways.”

This ultimately impacts not only the final tally, but also the time required to reach compliance—time that was short even before the latest revision. Where the private sector had three years between the passage of SOX and initial compliance deadlines for Section 404, the latest revisions to A-123 came less than two years before the first reporting deadline.

“If CIOs and CFOs begin their compliance projects now, they only have 10 months to fully document and assess their control environment,” said Mary Makal, managing partner, Complyant Solutions, a SOX consulting and project management services firm. “In our experience, that’s an aggressive timeframe even for those departments that already have strong controls.”

PricewaterhouseCoopers estimates that compliance efforts will take up to 15 months just to reach the remediation phase, meaning that meeting deadlines will require more than just a Herculean effort from CIOs. It will require help from their private sector friends who have already “been-there-done-that.”

In fact, since the issuance of Appendix A, there has been a surge in the number of applications released by companies such as Complyant that take the lessons learned from SOX and apply them to the public sector.

One of those came from Protiviti, a risk consulting and internal audit services firm, which, in October, released an extension of its SarbOx Portal that is specific to government.

“Compliance will be in itself a major challenge with a short timeline. The federal agencies that are required to comply have varied operations in multiple national and sometimes international locations,” said Bradford Brown, managing director of Protiviti.

It will require “a great deal of planning, organization and preparation. Given the timeline, an initial effort to develop a project plan that organizes the effort is critical.”

According to Brown, the former chief counsel for Technology at the U.S. Department of Commerce, the Protiviti Government Portal helps organize the compliance process and provides the same workflow assignment, document versioning, history tracking and reporting as the commercial version.

But not everyone agrees that a “retrofit” of private-sector solutions is sufficient to meet the needs of A-123 compliance despite its similarities to SOX, which most agree was the impetus behind the mandate.

According to John Lojek, senior manager of Appian Corp.’s solutions department, while both SOX and A-123 require management to strengthen financial reporting, several critical areas remain government-specific.

“A-123 defines a multi-step assessment process, consisting of planning, evaluation, testing and reporting, as well as five components of internal control that have a pervasive effect on agencies, including control framework, risk assessment, information and communication, control activities, and monitoring,” he said. “Also important to note is that internal control objectives are broader in A-123, encompassing operational and IT functions as well as finance.”

In September, Appian introduced its Federal Internal Controls solution, which Lojek says was specifically designed for federal agencies, including the ability to automatically create annual statement and performance accountability reports. It also provides process-driven tools for agency-wide compliance efforts.

“To be effective, vendors must understand how technology can support these specific requirements and create effective software tailored to the way the government works best,” Lojek added.

No Quick Fix

While there is no one-size-fits-all solution for A-123 compliance, government CIOs will have the benefit of hindsight. They should have learned enough from watching the SOX process to hopefully avoid the major pitfalls that tripped up the private sector.

“For the agencies, there may be a temptation to look for a quick fix,” said Protiviti’s Brown. “Solutions may automate monitoring of controls, for example, or may bolt on to an existing system, but … they do not address the initial hands-on effort required to organize information, and plan and execute the compliance effort. … [T]he primary lesson for first adopters in the private sector was clear: No matter how much you plan, you will always underestimate the effort required during the first-time-through. We expect federal agencies will learn that same lesson.”