01.04.06


The Role Of IT In Sarbanes Oxley Section 404

By Hugh Taylor

If you have been following the news recently, you have probably heard about the collapse of Refco, the commodities trading firm that filed for bankruptcy after being accused of hiding a $430 million bad debt from its shareholders.

Refco's CEO has been arrested, and while his innocence or guilt remains to be determined, Refco provides us with an excellent opportunity to understand the serious interdependencies between IT and Sarbanes Oxley compliance.

Some background: Refco went public in August 2005 and was warmly received by the market despite the fact that its auditors noted deficiencies in its internal controls and financial staff. Per the Sarbanes Oxley Act, these deficiencies would need to be rectified as Refco complied with disclosure rules set by the SEC. However, before that cycle could even commence, an internal auditor discovered the notorious alleged $430 million bad debt. What the auditor actually found was the receipt of an interest payment from a client that appeared to be too high for the actual loan balance that the client was carrying. An experienced auditor observing the Refco disaster in the press stated that finding such a discrepancy in a company the size of Refco was not like "finding a needle in a haystack…" it was like "finding a needle in a stack of needles."

Indeed, "finding a needle in a stack of needles" shows the challenge of designing and enforcing sound internal controls at a public company. In order to comply with Sarbanes Oxley Section 404, the management of a public company must attest to the existence of internal controls. Ideally, those controls need to be good enough to assure accurate financial statements. If the internal controls are not good enough, then the company can suffer a variety of fates, including costly SOX remediation, loss of investor confidence, SEC punishments, shareholder lawsuits, and more. The stakes are quite high, as Refco's dramatic collapse shows.

How, then, can a public company institute internal controls that can find needles amongst needles? Invariably, internal controls are derived in large part from the IT systems that support the business transactions that are subject to those controls. Controls are not only about IT, but there is IT in virtually all significant internal controls. This makes for good news and bad news from a SOX perspective. Distinguishing good needles from bad needles requires sophisticated, real-time correlation of data between multiple systems. This is a major IT challenge.

Well-designed, well-implemented, and well-maintained IT solutions can deliver critical components of effective internal controls. Poorly designed and maintained IT can hamper internal controls. As many public companies have found in the last two years, IT is the wellspring of many true compliance headaches. To add confusion to the mix, the IT industry has added its quota of noise and overblown solutions to the SOX process. Some SOX software solutions are excellent. Some are not so good. Others are incomplete. Any software package that claims to be "SOX Compliant" - as if there were some kind of Underwriters' Laboratory certification for SOX - is making an over-hyped claim. There is no such thing. What should be done about this?

Finding the IT solution to Sarbanes Oxley is a subjective, complex matter, but one in which any serious public company must involve itself. While every company's compliance situation is different, several underlying factors will be constant: To achieve compliance, IT, accounting, and line of business managers will need to work together more closely than they ever have before. They will have to work through a number of challenging, integrated business process, control, audit, and IT issues to be successful. It is not easy, but it is worth doing. Once tackled, the integrated IT and business issues required for SOX compliance should lead to improved operations and control over financial reporting.

About the Author:
Hugh Taylor is the VP of Marketing at SOA Software.

About ITProNews
News and updates for the IT professional

-- ITProNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
©2006 iEntry, Inc. All Rights Reserved