Survey Reveals Companies Ignoring IT in SOX Efforts

According to a recent survey conducted by The Hackett Group, IT does not have a seat at the Sarbanes-Oxley (SOX) compliance table and this could potentially lead to problems.

“It’s almost impossible for a company’s Sarbanes-Oxley compliance efforts to be fully successful unless IT plays a major role,” said David Oppenheim, a senior business advisor for Hackett.

Sarbanes-Oxley mandates that companies do more than just attest to the accuracy of their financial results. They must also prove that controls are in place, so that if the financials weren’t accurate, the CEO and CFO would know. Given IT’s responsibility for the acquisition, management, and operation of the information systems which form the basis of virtually all operations and financial management, it must take responsibility for making this happen.”

A survey of 22 companies by Hackett found that nearly half do not have IT represented on their Section 404 project steering committees, which are leading SOX compliance efforts. Other key areas, including human resources, legal, operations, and internal auditing, are also not being brought to the table by most companies, the survey found.

“The data we see in the Hackett group is an average finance department, when you normalize for size of company, has hundreds of applications,” said Allan Frank, president and co-founder of Answerthink, Hackett’s parent company. “And if you’ve ever looked at a Rube Goldberg contraption, how some of these things are glued together — spreadsheet hell in most finance organizations.”

According to two recent Hackett research studies, the average billion-dollar company works with 2.7 ERP systems and 48 separate financial systems. Without IT’s involvement in compliance, it will be impossible to get all of these systems wrapped up in a reliable reporting structure that offers the auditable visibility required under section 404, said Frank.

“I visit many CIOs on a weekly basis and what I am noticing is … many IT departments having kind of a SWAT team project going on around Sarbanes,” he said. “Now that might be part of a larger initiatives, but in a lot of cases, it’s running in parallel” to the company’s other compliance efforts.

This doesn’t mean the company directors and board members are ignorant of IT’s importance in SOX compliance, said Frank. It just means they need to wake up to the fact that everything needed for compliance will flow out of the systems IT controls and, therefore, the CIO will play a crucial role in their efforts.

Two Hackett reports, IT Involvement is Critical to the Success of Sarbanes-Oxley Compliance and Sarbanes-Oxley Compliance: It’s Not Just for Finance, suggest steps CIOs can take to begin the process of working with the rest of the organization towards the ultimate goal of seamless compliance.

Key findings include:

  • it is critical for the IT team to begin its SOX efforts by working with the functional areas and business units to understand, from a business perspective, what the risks are and what controls are in place to mitigate them;
  • IT should take as broad an approach as possible when considering whether internal controls need to be improved. In particular, they should be sure to extend their efforts to examine policies and procedures that govern how systems are modified and enhanced, and how systems are administered on a day-to-day basis; and
  • CIOs should see to it that usage rules and audit trails are established for every system from which financial information is drawn for reporting. This is particularly important since nearly half (47 percent) of average companies still use stand-alone spreadsheets in some aspect of their financial reporting process.