SOX 404 Forcing Bonds Between Financial, IT Departments

When the full scope of the infamous Section 404 of the Sarbanes-Oxley Act became clear to Kevin Rhodes, he thought it might be a blessing in disguise. Sure, implementing Section 404 would require a formidable investment of time and money for Edgewater Technology, Inc., a $25 million software company in a suburb north of Boston. And as chief financial officer, Rhodes would ultimately be responsible for the project.

Rhodes

Rhodes, however, looked on the bright side: It was an enormous IT project, and he was in charge.

As is the case at many public companies, financial and legal executives are finding themselves running major IT projects. Cendant Chief Compliance Officer Richard Wolf, in a recent live Webcast with Compliance Week, noted that he—a legal executive—was leading the charge on a major infrastructure project dubbed BRIMS, which stands for Business Records and Information Management Services. According ot Wolf, the Cendant project has required considerable investment and coordination between financial, legal and information technology teams.

That storyline is a common one at many companies, where revised federal sentencing guidelines and regulatory requirements have forced closer bond between corporate functional teams. “As for implementing corporate change," notes Rhodes, "many corporate finance departments use Sarbanes-Oxley now as a stick, and it’s a really big one at that.”

A Tale Of Two Realms

Call it the power of convergence, Sarbanes-Oxley style. To comply successfully with Section 404, companies must forge closer ties than ever between their finance and IT departments. Creating that bond can be challenging, but—as Edgewater demonstrates—taking full advantage of that alliance can produce some important benefits.

Hurwitz

“It’s definitely an issue companies are grappling with,” says Judith Hurwitz, principal analyst at the Hurwitz Group. “[The CFO] has a vested interest in making sure the company has the right solution. On the other hand, he might not have the knowledge to know what that is.”

Data storage giant EMC Corp. tackled that problem by pairing up its chief accounting officer with a vice president of IT. The two consult with a steering committee representing all departments, but otherwise oversee EMC’s Section 404 implementation themselves.

To handle the task, EMC divided its IT into two realms: a “general computing” control side, and an “application” control side. The former is handled solely by the IT department, to manage routine data center tasks like network performance. The application side, where much of the controls analysis and documentation happens, is handled by IT personnel specifically assigned to the finance department.

Link

“Our IT organization jumped in feet-first, early on,” says Mark Link, EMC’s chief accounting officer. “We went through a significant amount of education to let people know this is more than just a compliance effort—we expect to see some tangible benefits from the efforts here.”

Trump Hotels & Casinos Inc. in New Jersey also takes the team approach, although at the lower levels. Chief of Compliance Joseph Korba sits with IT staffers as they go through 404 documentations department by department; Korba isn’t familiar with the various accesses and controls in each system, and he knows it. “I basically walk through the systems with them, where they have more knowledge of how the system works,” Korba says.

Lepeak

Stan Lepeak, an analyst at the Meta Group, says this gap is nothing new—the vital priority of Sarbanes-Oxley, however, has brought the problem into sharp relief. “It’s a gap for the vast majority of companies,” Lepeak says. “The IT people don’t know the level of detail the business divisions want.”

Alliances & Conflicts

That could open the door for CFOs to be stronger leaders of business strategy, notes Lepeak. According to his market surveys, CFOs are the primary leaders for Sarbanes-Oxley projects, while two-thirds of companies also have the legal department play a vital role. He does, however, expect that consolidated compliance management will be “commonplace” by 2006, most likely in the role of a chief compliance officer.

But SOX 404 is not the only portion of Sarbanes-Oxley forcing corporate executives to ally with the IT department. Sections 802 and 1102, for example, address records retention. And while the establishment of such policies typically fall under the general counsel’s purview, the IT department almost always handles implementation when it comes to storage of data.

Paknad

And that can create conflicts. According to Deidre Paknad, chief executive of records retention firm PSS Systems,

IT staffers “come from a completely different place” when thinking about records. They prefer to store everything wherever it best fits, she says, while the general counsel only wants to store what the company legally must, wherever it can be quickly accessed.

For example, Paknad has seen IT departments take weeks to stroll through a corporation physically looking for data, when the legal department wants them to punch up data immediately before SEC officials land on them with both feet.

An upgrade to automate the whole system “really brings it all back to the GC’s office,” which is where authority should belong, she says. “Unfortunately, it can cost $10 million to do.”

Departmental Institutionalization

Yet interdepartmental cooperation remains critical for the success of a variety of issues, both strategic and tactical.

For example, one key question for many companies now is whether they want to marshal all their newly enhanced controls into systems that could provide data for valuable strategic decisions, or whether they will cobble together “lots of [Microsoft] Excel spreadsheets,” as Lepeak says, to meet the Sarbanes-Oxley requirements by their deadline.

“How can you institutionalize this coordination, versus treating it like a project?” he asks. “How do you use that knowledge to be smarter?”

In fits and starts, some companies are trying to accomplish that. In addition to Edgewater Technologies’ crackdown on bookkeeping practices, Rhodes worked with his chief technology officer to launch a four-month and “pretty exhaustive” security upgrade to close certain control loopholes, like employees installing their own software patches.

Link at EMC, meanwhile used the Section 404 project to instruct international offices on compliance standards. “I believe in 2005 we’ll see the biggest benefit of this on the international front. Domestically ... there hasn’t been a lot of change that has come from it yet,” he says. “There will be a return on investment.”

Like others, Hurwitz likens Sarbanes-Oxley to the Year 2000 bug from five years ago; it too forced executives to pore through IT systems under the inviolate deadline of Jan. 1, 2000.

“These are the same people who will help guide a company through Sarbanes-Oxley,” says she. “The good CIOs are there to help the team figure all this out.”