Financial Services Firms: Take the Sarbanes-Oxley Test
Daly, Andrew, The RMA Journal
In a world fraught with business risks, technology is often the Achilles' heel of financial services organizations. Since Congress passed the Sarbanes-Oxley Act (SOX) in 2002, the financial services industry has had much at stake. Information technology chiefs in financial services may long for the days when they were "merely" tasked with implementing a new infrastructure or migrating to a new operating system. The downside of those jobs was typically limited to lost productivity or, at worst, temporary reputation damage.
Then came SOX, and IT risk hit a new threshold. Yet recent reports and discussion among IT thought leaders are encouraging. With an investment of time and talent, it is possible to implement SOX in a way that is more efficient, less costly, and yes--in compliance. In fact, now some are saying proper testing and quality assurance of the underlying IT could pay dividends beyond the compliance process.
Tension and Confusion on the Road to Compliance
Compliance with SOX, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, has created hot tensions among financial services firms that have earned, and must sustain, public trust. While SOX is widely known as legislation aimed at improving corporate accounting and governance reporting standards, technology is playing a central role because software is the key to compliance. If there was any doubt, Congress dictated it:
"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
(Public Company Accounting Oversight Board Auditing Standard 2)
In other words, Congress insisted on a process (section 404) under which all controls are reported on only after rigorous testing. IT controls in particular are drawing increased attention because of the cost and hours required to get them right.
SOX compliance is a ball of confusion for accounting and IT departments, and it's going to get worse. Exposures have been found, and repairs are under way. The effort has spawned new enterprise resource planning (ERP) financial modules for compliance and has also created openings for data architects.
In an interview with TechTarget, a Web resource for IT managers, Kevin Hudson, vice president of product development in IT for Kforce Professional Staffing, said, "IT auditors are in big demand." Hudson believes more IT hiring is required to bring companies up to compliance. He also foresees increased hiring in IT security, as well as the rewriting of applications.
Because so much of SOX compliance depends on properly governed IT, CIOs--who must report to CFOs and CEOs--are on the hot seat. The SOX legislation is broad in its scope and threatening in its penalties. But it is vague in the guidance it provides on exactly how companies should comply. No wonder it's causing heartburn and nightmares for C-level executives all over the country. Some of those CIO nightmares are fueled by the requirement for tight internal controls over financial reporting in addition to disclosure and annual evaluation of the effectiveness of those controls.
Best Practices to Mitigate Your Risk of Noncompliance
When it comes to IT controls, there are proven steps financial services firms can take to mitigate the risk of noncompliance. In a recent report, the accounting and consulting firm of Deloitte Touche Tohmatsu outlines a "Sustained Compliance Solution Framework." Key areas of the Deloitte framework directly relate to IT controls:
* Effective and efficient processes for evaluating, testing, remediating, monitoring, and reporting on controls.
* Integrated financial and internal control processes.
* Technology to enable compliance.
* Clearly articulated roles and responsibilities and assigned accountability.
* Education and training to reinforce the "control environment." …