First, the good news: Most companies have endured and survived their initial foray into Sarbanes-Oxley. And while it often proved a costly and occasionally frenzied experience, it has, many companies say, improved the controls that govern corporate operations. On the other side of the ledger, unfortunately, it appears that year two won’t be the autopilot repeat that companies had hoped for. The first year taught many lessons that have yet to be embedded in most compliance programs, making the second year potentially more labor-intensive than the first.
One of the biggest lessons concerns the role that IT plays in supporting financial processes, a role whose scope caught many companies off-guard. But some best practices are emerging, from both a technology and a management perspective, that can help companies address the compliance burden in year two and beyond without massive expense and perpetual panic.
Create a Formal Group to Oversee Compliance
In the first year, companies spent heavily on all manner of consultants and outside help to clear the Sarbox hurdle. Going forward, companies should establish a multidisciplinary governance council or steering committee to set the scope of compliance and resolve issues quickly. Such a council “is essential to making [compliance] go smoothly in year two,” says John Hagerty, vice president and analyst at AMR Research Inc. in Boston. It puts IT, finance, and other business management on the same page and helps provide badly needed guidance. “IT people overprepared in 2004. They had little or no guidance and felt they did a lot of stuff they didn’t need to do,” says Hagerty. (Many would say the same about auditors, as we reported in the last issue. See “Sarbox Surprises” and “Survey Says,” Summer 2005.)
The council or committee should ideally include the CFO or other high-level finance executive, someone from the internal audit department, the CIO or other IT executive, and a representative from business operations. The group should be designed to make rapid decisions so compliance issues don’t linger for months. Hagerty says AMR recently ran a forum on Sarbox, and the half dozen or so companies that had implemented such a council reported that it was a key to their success in compliance efforts.
A formal Sarbox group helps foster cooperation between disciplines. Mark Lutchen, partner and practice leader for IT effectiveness and former CIO at PricewaterhouseCoopers, says that if CIOs haven’t done so already, they should reach out to finance to obtain the skills they need to implement fundamental management disciplines — such as developing an IT management chart of accounts to collect IT spend and performance information. And, he says, CFOs should demand that CIOs embed those skills in their IT organizations.
At First Commonwealth Financial Corp. in Indiana, Pennsylvania, John M. Heise, vice president and operations audit manager, says that his company’s Sarbanes-Oxley committee aims to foster a sense of accountability for compliance, and that requires a mix of skills. “Finance understands what controls need to be put in place,” he says, “and IT offers advice on how to manage data resources.”