• Technology
  • CFO Magazine

Drowning in Data

A flood of corporate data, intensified by Sarbanes-Oxley compliance, threatens to overwhelm business managers.

On Deadline

They’d better hurry. Publicly traded companies have barely seven months to get in line with Section 404 of Sarbanes-Oxley.

The specter of that deadline leaves little time for businesses to dig too deeply into data deficiencies—or to automate data tracking. In fact, Todd Naughton, controller at Vernon Hills, Illinois-based bar-code maker Zebra Technologies, says that because of the June 2004 deadline, Zebra has ruled out deploying software programs for the first round of certifications. “It’s three to six months just to pick a tool and install it,” he claims. “And that’s before anybody starts putting data into it.”

Instead, executives at scores of companies are manually documenting the policies and procedures intended to safeguard the integrity of their financial data. The documenting includes not only assessing where the data is but also deciding who should have access to it. “For me, the problem is not having too much data,” says NCR’s Shanks, “but how do we use that data and make that data available to the right people at the right time.”

NCR maintains an enterprise data warehouse to help with that large task. For many businesses, however, Sarbox compliance remains a very low-tech affair. Zebra simply gathered 10 to 15 employees in a room with an Excel spreadsheet and went about identifying the company’s material risks and the controls to address each risk, says Naughton.

Observers say even low-tech approaches can carry some hazards, however. Former CFO Ressner worries that, for some companies, the documenting process could get out of hand, resulting in data about data. “The over-rotation of this,” he conjectures, “is that you could end up with a manual for everything.”

Ironically, some of this painstaking documenting could come back to haunt companies. According to attorney Birnbach, creating a paper trail about internal-control procedures before identifying what those procedures are may prove to be a big mistake. “It’s not wise to put an open discussion about the assessments of control processes onto paper,” she notes. “It’s discoverable.”

Ironically, some of this painstaking documenting could come back to haunt companies. According to attorney Birnbach, creating a paper trail about internal-control procedures before identifying what those procedures are may prove to be a big mistake. “It’s not wise to put an open discussion about the assessments of control processes onto paper,” she notes. “It’s discoverable.”

Wait ‘Til Next Year

Faced with stiff penalties for lax internal controls, some businesses will no doubt ignore that warning. Instead, they will start saving every bit of unstructured data in the house. “Companies will start saving all E-mail,” predicts Doculabs’s Watson. “Unless you’re confident in documenting policies and data, you’ll have to save it.”

What’s more, identifying a company’s internal controls and key financial processes—a Herculean task—is not a one-off deal. “We’ll have to update any change we make in internal controls, or if we install new software,” concedes Crown’s Thompson. “We’ll have to update anything that has implications for our flowcharts or internal processes.”

Discuss

Your email address will not be published. Required fields are marked *