Regulatory Changes
In 2002, the Sarbanes-Oxley Act was passed in the United States, which fundamentally stipulated that the information being reported on corporate performance within publicly traded companies must be an accurate depiction of corporate performance. Specifically, as directed by Section 404 of the Sarbanes-Oxley Act, the SEC released “Management’s Report on Internal Controls over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports,” which states, “The internal control report must include:
• A statement of management’s responsibility for establishing and managing adequate internal controls over financial reporting for the company
• Management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year
• A statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control over financial reporting
• A statement that the registered public accounting firm that audited the company’s financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting”2
Perhaps one of the more intimidating points alluded to in the report is that Chief Executive Officers (CEOs) and CFOs must validate, certify, and sign the results. Intentionally misleading statements could result in severe personal penalties. Although not mandated by Sarbanes-Oxley, some companies are requiring sign-off by the CIO. This legislation alone has dramatically altered the role and function of the CIO and the governance framework within companies. Appendix 3A shows the IT road map for meeting the challenges imposed by Sarbanes-Oxley.
IT portfolio management is integral to supporting Sarbanes-Oxley compliance. IT portfolio management is particularly useful for companies that have:
• Immature processes for gathering information to assess IT investments
• Inconsistent processes and nonstandardized information and data across the company
• Sole reliance on financial measures to assess material changes and impacts3
IT portfolio management supports compliance with the Sarbanes-Oxley Act by keeping companies and management focused, aligned, and balanced, serving as a preventive framework and tool to minimize material changes due to IT investments. It enhances interim record and document management policies, provides support for identifying secure and trusted repositories and for safeguarding relevant and important data, and helps guide ready access to essential documents.
A 2004 study on Sarbanes-Oxley compliance efforts within companies demonstrates:
• 54% of Sarbanes-Oxley compliance efforts are not integrated with other compliance efforts.
• 92% expect to change the way systems are rolled out to comply with Sarbanes-Oxley.
• 93% expect to undertake Sarbanes-Oxley security control remediation.
• 82% expect to reevaluate their security strategy to ensure compliance with Sarbanes-Oxley.
• 71% are currently defining their Sarbanes-Oxley compliance blueprints; only 20% claim to have a completed blueprint.
• 43% are currently executing on their Sarbanes-Oxley blueprint; only 20% have a completed blueprint for execution.
• 59% expect to be able to certify outsourced functions or processes.
• 52% view Sarbanes-Oxley as a necessary cost of doing business; 41% believe it will ultimately make them more competitive.
As shown, many firms are recognizing the seriousness and breadth of Sarbanes-Oxley but are failing to address it in an optimal manner. This will change. Sarbanes-Oxley and other legislative and regulatory requirements are requiring better management of information, which is enabled through IT portfolio management. The Xcel Energy case study, as shown in the last section of this book, provides further insight on how a leading company is utilizing IT portfolio management as one important means of complying with Sarbanes-Oxley.
Other legislation has also contributed to the changing role of the CIO, including the Clinger-Cohen Act, the Food and Drug Administration’s 21 CFR Part 11, the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley, DoD 5015.2, the Office of Management and Budget’s (OMB’s) Exhibit 300, and the USA PATRIOT Act. In Europe, the New Basel Capital Accord (Basel II) and the Higgs Report paralleled many of the relatively new regulations in the United States, an effort to reinforce the criticality of disciplined and accountable (corporate) governance practices.
Increased legislation around accuracy, privacy, and timeliness of information is a trend, not a fad. Organizations must accept this and build for it or face the consequences. An overall compliance program is called for, reminiscent of Y2K remediation efforts, and should be orchestrated in concert with enterprise architecture activities.
