What Sarbanes-Oxley Changes Will Mean to You
The Sarbanes-Oxley Act (SOX), which was implemented to tighten corporate governance in the wake of the Enron scandal, is undergoing some changes that will mean more work for the IT department, which acts as the gatekeeper of all documents and processes.
Companies that provide payroll processing, benefits administration, claims processing and other services to public companies may be asked to provide their customers with a copy of their SSAE 16 assessment report. This has implications for the IT departments of companies that use these services as well as those which provide them to publicly traded firms.
“Your company may not be publicly traded, but if your company’s services could impact the financial statements of one of your SOX-affected customers in any way, then your company’s internal controls impact that customer’s controls,” said Amanda Finch, director of strategic alliances for Austin, Texas-based Journyx, a developer of timesheet software.
The requirements are set to take effect beginning July 1, and Finch said there are steps IT departments need to take to prepare:
Review your service contracts to ensure that the system description is complete and accurate;
Review your existing controls and activities to ensure they are adequate and operating effectively;
Ensure your ability to provide evidence for each control activity to your auditor; and
Develop a plan for communicating the new standards (and restrictions on report use) to your customer-facing teams.
A key component of the changes is that the CEO must sign a document attesting to the strength of the internal controls, which largely falls on the IT department. “When the CEO has to sign something in blood, it gets their attention,” she said.
“The law is extremely taxing on budgets and resources, with the onslaught of new procedures and documentary change laws adding roughly 10 percent more cost and 20 percent more manpower,” said Scott McCarthy, CIO for Greenspoon Marder, a Fort Lauderdale, Fla.-based business law firm. “That’s on the conservative end, because in some cases, the laws may force companies to upgrade or replace some of their current technology. However, the technology hasn’t caught up with the requirements.”
He said the law firm has a consultant whose sole job is to try to break into the law firm’s systems, which can cost $20,000 to $50,000 per test, depending on the complexity.
While not part of the upcoming changes, SOX restricts how certain documents are shared and stored. For example, as a law firm working with lending institutions, the laws restrict the type of information that can be used in the subject line of an email between the firm and the bank, McCarthy said. “Of course, we train our staff on proper procedure, but to ensure compliance, we must put in place a fail-safe mechanism. In that case, it’s relatively easy to reprogram a system to catch a loan number, which is typically well-defined and consistent in format, but catching an address with an infinite number of possibilities is another story. Technology is trying to catch up, but the large lag time is forcing IT professionals to come up with creative, yet solid solutions to an infinite number of challenges.”
Jerry Norton, a partner with Candela Solutions, a Madison, Wis.-based CPA firm that specializes in corporate governance, said that companies should undergo a periodic risk assessment to ensure that all areas, including IT, are in compliance.
There are advantages to assessing risks beyond just Sarbanes-Oxley, covering all types of systems and documents that are subject to compliance, such as HIPAA and the credit card PCI-DSS standards. Using this integrated approach will reduce costs. “This will vary by industry, but all companies need to identify the systems that are critical and which contain sensitive information that is subject to regulatory requirements,” he said.
Once high-risk areas are identified, it is important to build out controls to address those risks. “In many cases, it is a matter of refining and cleaning up an existing control,” Norton said. The next step in the process is a self-assessment by management.
Companies need to be sure that the controls are both designed and implemented effectively. “As an example related to data backups, the design must include all required information and then you must verify that the backups are working correctly and that the data is securely stored.”
Jon Groetzinger, visiting professor of law-international business at Case Western Reserve University School of Law, said IT departments need to be especially diligent in ensuring that all changes to systems are fully documented.
“All change orders that come through that might affect the financials should be validated by an officer of the company,” he said.