What you need to know about SOX…

IS Guerrilla

No, I’m not talking about the recent collapse of Boston (again) at the hands of the New York Yankees.

I’m talking about Sarbanes-Oxley, that massive and far-reaching piece of U.S. legislation (named after Senator Paul Sarbanes and Representative Michael Oxley, who sponsored it) that was part of the U.S. government’s response to the Enron scandal and various other recent corporate unpleasantries.

Regulators south of the border expect these new laws to help drive increased public disclosure and ensure that companies listed on U.S. stock exchanges are more “open and honest” with the public about their financial transactions. One section in particular (404) requires that U.S. publicly listed companies document, test and disclose their internal controls, that – wait for it – depend heavily on technology.

To quote from the horse’s mouth, as it were, Section 404 states that “each annual report of an issuer…shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the issuer’s fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”

But hold on, your company isn’t listed in the U.S. – so you’re off the hook, right? Not so fast. Canadian regulators, in an effort to keep our end up in the fight against malfeasance, and so as not to look foolish, have agreed that they must do something as well.

They have already started pushing around ideas that look and smell (pardon the pun) a lot like SOX, except not quite as strong. Although the Canadian standards will likely be a little watered-down from the U.S. version, they should prompt firms to put additional effort into making sure their internal controls are up to snuff.

“Control structures and reporting” sounds like a job for IT, no? And that’s why we want to know about SOX.

So I asked a good friend and management consultant named Sean McClimans a question: What are the three things that your typical, run-of-the-mill IT person in Canada needs to know about Sarbanes-Oxley?

First, you have information valuable to the SOX initiative. If your organization is large enough to be accessing the U.S. capital markets, then it may have difficulty communicating the scope of this project to all stakeholders. Implications? Your IT department will probably have experience with, and documentation about, the very same critical business processes that SOX aims to understand and test, but may not be brought to the table early enough to make a difference. McClimans suggests a “positively aggressive” tack.

“Find out who’s in charge of the SOX 404 project in your organization, and then make it your job to figure out how your IT department will be involved,” he said. “Provide any documentation you already have, and make sure you’re part of the review process.”

Second, there’ll be a whole lot of IT testing going on. Within the next year, your company will be overrun with consulting-IT-control-expert-accountant-types who may not understand the way your business uses its information systems to ensure it gets the right number of widgets accounted for. If you’re not careful, your company will be testing way beyond what the regulations call for. “The best way to help your company save time and effort,” McClimans advised, “is to make sure that internal IT is helping to develop the test plans in order to give the business and the external auditors what they need without going overboard.”

Finally, Sarbanes-Oxley is not just a one-time project. The business will have to keep this documentation up to date. Per the regulatory requirements, management must make certifications on an annual (and in some cases even quarterly) basis. “If it’s done right,” McClimans said, “and you put repeatable processes in place, the collection of documents and conducting testing will provide a valuable template and repository for next time around.” And make sure process documentation is kept up to date, he added, “instead of waiting for the next big IT implementation to straighten it all out – imagine having the processes documented before a new version of a system is implemented.”

Hmmm. Even if SOX can’t ultimately legislate morality into our organizations, maybe it can help us be better and more disciplined IT professionals.

Hanley is an IS professional in Calgary. He can be reached at isguerrilla@hotmail.com.