In-Depth

Fatal Flaw: Compliance Planning Often Excludes Input From an Important Source—IT

Nearly half of all companies surveyed don't include IT in their compliance project planning process

• By Stephen Swoyer
• 12/23/2003

With six months to go before a deadline for compliance with certain sections of the Sarbanes-Oxley Act, a new report finds that organizations often aren’t involving an important constituency—IT—in their planning efforts.

Research firm The Hackett Group polled 22 organizations—ranging from medium-sized enterprises to Fortune 500 companies—about their Sarbanes-Oxley planning efforts, and found that nearly half did not have IT representation on their Section 404 Project Steering Committee, which in most organizations is charged with leading Sarbanes-Oxley compliance planning.

As if that’s not enough, Hackett researchers say that less than 10 percent of companies have representatives from HR involved in Sarbanes-Oxley planning, while less than one-third have legal onboard. The upshot, Hackett researchers say, is that finance is largely running the show.

That could be a fatal mistake. Section 404 of the Sarbanes-Oxley Act says that CEOs and CFOs must certify that the information contained in their annual or quarterly reports accurately portrays the financial condition of their companies. Other relevant portions of Sarbanes-Oxley include Section 302 (which says that organizations must implement controls that ensure the timeliness and accuracy of financial reports) and Section 409 (which, along with Section 404, requires improved monitoring and other controls to detect internal fraud).

Obviously, IT has a huge stake in Sarbanes-Oxley compliance. In fact, says Allen Frank, a senior fellow with The Hackett Group and a former auditor with accounting firm KPMG, it’s important that IT teams work in tandem with the different functional areas and business units in their organizations to understand—from a business perspective—what the risks are and what controls are in place to mitigate them. In other words, says Frank, it’s important that there’s IT representation on Sarbanes-Oxley-related planning committees from the start.

Why, then, is the involvement of IT decision-makers an afterthought in so many organizations? Frank has a few ideas.

“Like anything else, [the compliance process is] driven by auditors on the financial side, and to some extent risk management and auditing are still viewed from a purely financial perspective,” he observes.

The truth, however, is that the business processes associated with financial reporting draw from a benumbing complexity of ERP systems, HR systems, business intelligence tools, and asset management and tracking systems, to name but a few. Moreover, say Hackett researchers, few enterprises have made much progress in consolidating their heterogeneous data sources and data warehouses, so it’s likely that sensitive or otherwise critical information is effectively isolated in “silos” across the enterprise.

“In a Fortune 500 corporation, there are literally dozens of ERP systems feeding into data warehouses, which ultimately feed into financial reports, so if you really want to worry about the reliability of the data over time, you need to work your way backwards from those financial reports and ask yourself how did that data got there,” explains Dr. David Oppenheim, senior business advisor with Hackett. “There’s another set of issues which would be of interest to the CIO, and that has to do with the reliability of the systems that actually support that data. Are they secure? Are the controls adequate? When people make changes, are there controls in place to make sure that these can be recorded?”

The lion’s share of planning for Sarbanes-Oxley compliance, then, involves mapping business processes to IT assets. Given the heterogeneity of most enterprise environments, however, this could be an onerous process. “The processes are not instantiated because the technology was never there to instantiate them,” explains Allen. “If anything, it was instantiated in Visio, but there was nothing like this concept of taking a process flow that can be visually reviewed and assessed by people like auditors, with controls in place, monitoring and metrics, and integration with back end systems.”

As a result, Hackett researchers believe that the requirements of Sarbanes-Oxley will drive substantial development of so-called business process management solutions. “All systems that I’ve seen today are function-driven and not process-driven, and what Sarbanes requires is not only that you get comfortable so that you can say, hey, I feel secure with my financials, but also that you put in place a real-time, process-driven infrastructure so that you don’t get out of control,” he comments, noting, however, that the BPM tools that are today available aren’t mature enough to be used as the basis for a Sarbanes-Oxley compliance effort.

This creates an opportunity for vendors with strong services and BPM practices, such as IBM Corp., which last year acquired BPM specialist Holosofx, and which fields a strong business integration stack anchored by its WebSphere Business Integration (WBI) middleware. Considered in tandem with the strengths of IBM’s Global Services Unit, and with the addition of IBM Business Consulting Services (BCS), which was formed PriceWaterhouseCoopers, Frank says, IBM is well-positioned to be a go-to vendor for many companies that are struggling to tame their errant business processes and comply with the terms of Sarbanes-Oxley. “IBM is extremely well-positioned around their e-Business On Demand pitch, along with the various tools they have in place, whether it’s MQWorkflow, the Websphere tools, their integration tools, and so forth,” he comments. “Whether they pitch Sarbanes or not, they’re very far ahead in BPM, and they’re going to be the logical choice for a lot of companies that are trying to make sense of this.”

Big Blue unveiled a raft of Sarbanes-Oxley-related products and services in October, including a catalogue of Sarbanes-Oxley-oriented controls that it’s offering in tandem with professional services giant KPMG. “If a company hasn’t started to figure out the controls it needs for its systems, it provides a starting place to look,” explained Steve McLaurin, a partner and certified information systems auditor with IBM BCS, in an October interview.

Sadly, for those companies that haven’t yet involved IT in their Sarbanes-Oxley planning efforts, Hackett researchers say that it’s probably too late. The good news, says Frank, is that most of the very large organizations that were surveyed have had IT representation onboard from the start. Similarly, financial services companies and other organizations that stand to be on the front-lines of Sarbanes-Oxley compliance have relied extensively upon input from IT as they’ve worked toward Sarbanes-Oxley compliance.

For medium-sized and large companies that are behind the curve, Frank says, it couldn’t hurt to bring in outside help in the form of professional services and consulting from IBM or other vendors.