Sarbanes-Oxley mandates lead to IT certification push

CEOs and chief financial officers who are obligated by the Sarbanes-Oxley Act to stand behind the financial accounting controls used by their companies are increasingly asking operating units, including IT, to certify that they have put adequate safeguards in place.

“I’m hearing a lot of discussion about that,” said Chris McLaughlin, global director of financial services marketing at FileNet Corp., a Costa Mesa, Calif.-based software vendor that sells document management tools for use in Sarbanes-Oxley compliance projects.

With CEOs and CFOs now being held accountable for the accuracy of the financial reporting at their companies, “they are looking for ways to distribute that responsibility downward through their organizations,” McLaughlin said. That includes asking IT managers to certify the systems used to process financial data, he added.

Some companies are doing internal audits using certification standards such as SAS 70 to give their IT operations the equivalent of a Good Housekeeping Seal of Approval.

SAS 70 — known formally as the Statement on Auditing Standards No. 70, Service Organizations — was developed by the New York-based American Institute of Certified Public Accountants.

In addition, some outsourcing vendors have started offering SAS 70 audits to their clients. That was an unexpected windfall for Energy Absorption Systems Inc. after the Chicago-based maker of highway crash barriers hired an application service provider (ASP) earlier this year to manage its finance applications.

“We see them as another group to help us improve on our internal controls,” said Bob Latek, senior vice president and controller at Energy Absorption Systems.

Latek, who spoke at an IT conference for CFOs last month, said that letting the ASP run the certification process should help his company cut its Sarbanes-Oxley compliance costs in half “and save us a lot of time, too.”

Anthony Noble, director of IT audits at Viacom Inc., said that at the next meeting of the company’s divisional CIOs in January, he plans to raise the issue of whether the New York-based parent company of MTV, CBS, Blockbuster Video and other entertainment businesses should conduct IT certifications.

Noble said he understands the potential usefulness of such certifications as a sort of “life insurance policy.” But he added that he’s skeptical about the way some big auditing firms are using SAS 70 as a sales tool to generate incremental business through Sarbanes-Oxley consulting deals.

Ed Trainor, senior vice president of information systems at Paramount Pictures Corp., a Hollywood-based Viacom unit, said IT certifications “are a commendable thing to do for a variety of reasons.” However, they “require a considerable investment, and the benefit must be weighed against other needs and priorities for scarce resources,” added Trainor, who is also president of the Chicago-based Society for Information Management.

The SAS 70 Type II report that companies can use to document the effectiveness of their internal IT controls will have to be updated to meet requirements specific to Sarbanes-Oxley, such as quantifying the extent of testing done on financial systems, said Lynn Edelson, a Los Angeles-based consultant at PricewaterhouseCoopers.