Sarbanes-Oxley compliance: It's not over yet for publicly traded companies

Unless you work for a publicly traded company, you don’t need to worry about SOA compliance. The Sarbanes-Oxley Act (SOA) was enacted following the Enron and Global Crossing fiascos to increase accountability of publicly traded companies. If you do work for a public company, chances are you’ve already implemented the changes required for the first round of Sarbanes-Oxley compliance requirements.

The Sarbanes-Oxley Act's effect on IT is a hot topic with several of the largest IT analyst firms. Searches on Sarbanes-Oxley on AMR's and Gartner's sites both show that their analysts have been exploring the implications for IT. Let's look at some of the insights provided by these two firms, as well as some views from Aberdeen Group.

AMR
According to AMR Research, SOA compliance is "a process, not an event." AMR claims that SOA compliance “has the potential to be bigger than Y2K in how it affects companies in every industry of every size.” To back up this statement, AMR Research recently conducted an online survey of more than 60 Fortune 1000 public companies regarding their positions and plans for SOA compliance. The following list highlights some of the survey results:

• Many CIOs are now ready for major IT investments to help bring their companies to compliance.
  
• Fortune 1000 companies have earmarked more than $2.5 billion this year in Sarbanes-Oxley Act investigation and initial compliance-related work.
  
• 85 percent of companies predict that Sarbanes-Oxley will require changes in IT and application infrastructure that support the business.
  
• 79 percent are unsure what implications the act will have for their companies.
  
• 61 percent expect business process change will be required.
  

So what's next for SOA compliance? AMR offers the following insight:

"Companies may have been able to meet initial Sarbanes-Oxley compliance using well-defined processes and procedures, but compliance with upcoming Sections 404 (certification of financial reporting processes and controls) and 409 (real-time reporting of material events) may not be so easy."

AMR also gives some guidance to IT departments in the article "Five Things IT Needs To Know About Sarbanes-Oxley Compliance." In this article, AMR says:

• Even though SOA governs firms whose stock is traded in the United States (including non-U.S. companies), many experts expect private companies will abide by the spirit, intent, and letter of the law.
  
• The "next major hurdle, expected for FY03 year-end filings, will be the auditability of the internal control structure and processes involved in financial reporting. It’s no longer just the numbers you report, but how you got to those numbers… many companies are manually implementing these process controls today. In the longer term, most existing applications lack thorough enforcement of business process, and may be in the place where a new application or IT-supported business process is required to pass muster with auditors and let the CEO and CFO sleep better at night.
  
• Financial reporting is just the beginning. Transactions stored in ERP, CRM, supply chain, and other operational systems must be accurate and easily accessible. AMR recommends "a broad-based review of business practices—especially in decentralized firms." These reviews could "uncover Grand Canyon-sized gaps, which will take IT support to fill up.
  
• "Get ready for real-time disclosure." AMR states that the current interpretation of the SOA wording of “timely and accurate disclosure of material events” is that companies will be expected to "disclose events that affect the business within 48 hours." AMR says that there isn't a firm timeframe for implementation of "real-time disclosure," but it claims that many companies are already looking into IT infrastructure changes that might be required.
  
• According to AMR, "the SEC will continually issue pronouncements on what will be required and when rules will take effect. Because of this, organizations must remain fluid to respond to SOA."
  

Gartner
One of the observations Gartner makes regarding SOA and the IT department is the importance of the "legal discovery of electronic documents." It claims that "those enterprises that don't keep proper records or cannot produce them will pay heavy legal costs and, possibly, financial judgments." Gartner uses this argument to push the importance of "records management" and earmarks it as an area that could see significant growth.

Gartner also predicts that "adoption of records management technology will increase, with 50 percent of all Global 2000 enterprises either adapting existing document management systems or buying stand-alone records management systems by 2005 (0.7 probability)." Other areas that Gartner predicts will see growth as a result of the SOA are business intelligence and corporate performance management.

Aberdeen Group
In October 2002, Aberdeen Group published an article called "Baring the Financials: More Than Current Financial Systems Can Bear?" In this article, Aberdeen declared the importance of "financial analytics software" as a key component of SOA compliance. It claims that "although the July 2002 Sarbanes-Oxley Act does not explicitly mention financial analytics, the spirit of the law will haunt public companies that lack a financial platform that captures, analyzes, and distributes detailed data and interpretations to internal and external decision makers.” It also states that ”enterprises will need to invest in additional tools to get from raw data to full, accurate, and rapid disclosure, no matter how robust their current financial systems may be."

Aberdeen proposes yet another acronym, EAR, to help companies decide when an event needs to be disclosed under the terms of the SOA. It provides the following list to help companies decide when to report:

• Examine each transaction, or series of related transactions, to determine if there is a materially significant event.
  
• Analyze the facts behind a material event to determine the event's potential business and financial consequences on the company.
  
• Respond by rapidly disseminating the news and financial consequences of the material event to the investing public.
  

Aberdeen also describes four of the new tools that will be required for SOA:

• Event stream management
  
• Data enrichment
  
• Predictive forecasting
  
• Real-time reporting
  

Although I don't have the space to go into each of these tools, Aberdeen dedicates a paragraph to each tool and provides more insights and recommendations that should be a help to any company wrestling with SOA compliance. I strongly recommend that you take a few minutes to read the entire Aberdeen article.

To read the full text of these and other articles on Sarbanes-Oxley, visit the Analyst Views Sarbanes-Oxley Focus Section.

TechRepublic originally published this article on 23 June 2003