Mention business continuity to CFOs and see how long it takes them to change the subject. Yes, it’s a risk issue, and they’ll readily agree it demands attention. Just not theirs. Typically, business continuity, which includes contingencies for business interruptions ranging from telecom outages to natural disasters to, perhaps, terrorist attacks, is seen as a technology issue. In fact, in a 2005 survey of 1,286 managers claiming responsibility for their employers’ business-continuity plans, the bulk of the respondents were either IT managers, tech staffers, or chief information officers.
That may be changing. Within an Internet chat room devoted to compliance, which is most definitely a CFO concern, there developed a lengthy thread on business continuity. The initiator of the discussion wanted to know if Sarbanes-Oxley requires publicly traded companies to set up disaster-recovery or business-continuity plans. In fact, Sarbox never once mentions “disaster recovery” or “business continuity,” and the Public Company Accounting Oversight Board’s Auditing Standard #2 specifically states that business continuity “is not part of internal control over financial reporting” (see “Straight from the PCAOB” at the end of this article).
Despite that seemingly open-and-shut case, debate does in fact rage on this issue. Some of the conflicting views appear to stem from companies’ reliance on the Treadway Commission’s Committee of Sponsoring Organizations’ (COSO) internal-controls framework, which calls for identifying and managing internal and external risks. Also creating confusion is the silence of the Securities and Exchange Commission, which, aside from requiring financial-services firms to prepare disaster-recovery plans, has not issued any broad guidance on business continuity. (The agency itself was criticized by its independent auditor in 2003 for its lax business-continuity plans.)
General uncertainty about a potential intersection between Sarbox and business continuity seems to extend to consultants as well. When CFO contacted three of the Big Four accounting firms (Ernst & Young declined to be interviewed), they offered conflicting responses on the issue, a fact borne out by at least one customer who said in a Web post that his auditor agreed that what a customer is told “depends on who you ask.”
What Part of “Yes and No” Don’t You Understand?
At YRC Worldwide Inc., the Sarbox compliance program does not include any provisions for business continuity, for one seemingly simple reason: “It’s our understanding that there is not a disaster-recovery requirement in Sarbanes-Oxley,” says Don Barger, CFO of the $7 billion trucking company.
YRC’s view echoes the position of PricewaterhouseCoopers, which appears to be cleaving to the letter of the law. “Companies can — and should — make sure they have a good business-continuity plan,” explains Mark Lobel, a partner in PwC’s Advisory Practice. “But it’s not in Sarbox and in the compliance world, because it’s not something you can test.”
Partners at other firms disagree. Steve Ross, national leader of Deloitte & Touche’s business-continuity practice, argues that public companies need solid business-continuity plans to fully comply with Sarbox rules on data backup and recovery, as well as records management. Likewise, Big Four rival KPMG is advising clients to treat business continuity as a compliance issue. Greg Bell, a partner in KPMG’s Atlanta-based Advisory Services Practice, predicts that shorter deadlines for financial reporting will cement the link. “The need for business continuity to minimize interruptions becomes more important” as those deadlines are tightened, he says.