Most Canadian IT executives believe local businesses are ill prepared to comply with legislation requiring the establishment of internal controls governing financial reporting and information disclosure, according to a recent study.
Around 10 per cent of C-level executives think Canadian businesses are not up to the challenge of complying with the Canadian rules on the Sarbanes-Oxley Act, also known as CSOX or Bill 198, according to a recent survey by analyst firm Info-Tech Research Group Inc. in London, Ont.
The survey, commissioned by security and database software firm Symantec Corp., polled 215 CIOs from December 2006 to January 2007.
While 67 per cent of the respondents reported having clearly defined roles in supporting compliance, around 45 per cent regarded the legislation as unnecessary.
CSOX requires publicly held Canadian firms to:
• Implement internal controls over financial reporting and information disclosure;
• Evaluate these controls; and,
• Certify to their effectiveness in official documents filed with Canadian security regulators.
It mirrors the U.S. Sarbanes-Oxley Act passed in 2002 to protect American investors.
It gave companies until December 31 last year to develop their action plans for compliance and until the end of 2007 to implement them.
“About 55 per cent of the respondents from across Canada indicated their companies were ‘mostly but not completely compliant’,” said Ed Daugavietis, senior analyst for Info-Tech. Another 35 per cent said their companies were only partially compliant.
The analyst said Canadian companies “should be embracing CSOX” but instead Info-Tech perceived “a level of denial” among respondents.
Some feedback he received ran along the lines of: “They just don’t make sense”; “this doesn’t apply to me”; and “they’re trying to fix something that is not broken.”
“Companies are not working fast enough to conform with Bill 198 despite the potential for major fines, damage to reputation and even jail terms of up to five years,” said Constantine Karbaliotis, senior compliance specialist for Canadian businesses at Symantec Corp.
He said it seems Canadian CIOs and CFOs do not realize that they will be “personally liable” under the law if their firms are found not in compliance.
“A large number of the firms spent only half of one per cent of the revenues on compliance efforts,” Karbaliotis added.
He warned that “instead of learning from the mistakes of U.S. companies that weren’t quick to comply with Sarbanes-Oxley, we are creating the same mistakes.”
Although seven per cent of the executives admitted their companies missed the December 31 deadline for submitting an action plan, 43 per cent met the deadline with a bare minimum of effort “implying no investment in processes or tools,” the survey said.
“Canadian companies are still resisting because they view the requirements as onerous and don’t see compliance contributing to the bottom line,” the Info-Tech analyst said.
An IT industry insider, however, said while the survey might indicate a low compliance rate, a substantial number of local companies actually have elements of the requirements integrated into their internal practices.
“I think CIOs are already focused on two key issues that support compliance,” said John Boufford, president of Canadian Information Processing Society (CIPS), based in Toronto.
Boufford, whose organization represents more than 6,000 IT professionals across Canada, said part of a CIO’s main duties includes process management with a view to reducing errors, and ensuring appropriate technology and procedures are applied to support “good governance.”
But he said the cost of compliance plus the IT resources it requires are formidable roadblocks. Human and financial resources poured into compliance are often taken away from somewhere else, the CIPS president said.
“I’ve heard large companies making $30-50 million in revenue have to spend up to $1 million a year to comply with the auditing requirements,” he said.
Some executives may not have enough confidence in Bill 198 because they don’t believe local regulatory bodies are strong enough to impose regulations, according to Joe Greene, vice-president, IT security research, IDC Canada Ltd. in Toronto.
He said most “medium-sized and large Canadian companies still treat issues such as privacy, compliance and IT security as part of broad programs.”
Canadian organizations are not worried about their inability to meet government regulations largely because of the lack of enforcement, said Greene.
For instance, he noted that in the case of privacy standards such as the Personal Information Protection and Electronic Documents Act (PIPEDA), “the privacy commissioner has the ability to fine organizations for breach of or failure to comply with legislation, but has yet to impose any.”
“Compared to the U.S., we are behind on regulatory powers,” Greene added.
Non-compliance with Bill 198, however, does have some “negative consequences” for erring companies.
He said failure to comply might eventually tarnish the reputation of publicly traded firms and drive away potential investors or clients.