New regulations for the securities industry may begin in Washington, but they invariably end up on the desks of chief information officers, who have the onerous task of supporting compliance initiatives with technology.
The Sarbanes-Oxley Act, which requires all public companies to certify and document internal financial controls and reporting, is no exception. While it may originally have been thought to involve finance departments only, the demands of SOX have made their way to Wall Street's CIOs.
Section 302 of the act, requiring CEOs and chief financial officers to certify financial results, is already in effect. Now, the industry is grappling with Section 404, which calls for management to assess internal controls and processes for every step in the business that contributes to a financial report. It will be in effect for financial statements of fiscal years ending on or after June 15, 2004.
"Any company that denies the role of IT in this process is not only kidding themselves, but hurting themselves," says Lane Leskela, research director for GartnerG2 Financial Services. Leskela explains that technology can be leveraged in several areas of compliance, including risk assessment, workflow, documentation, monitoring and testing of procedures.
Jim Beams, Financial Insights research director, says that firms fall into three camps when it comes to technology investment. The first group includes firms that view SOX as an opportunity to holistically upgrade their technology infrastructures. A second group will subscribe to point-to-point solutions that they can "airlift into existing infrastructure." The third group, Beams says, "is in denial, and believes they can just tweak what they have to comply."
With a wide range of choices available for leveraging technology for SOX compliance, many firms are turning to their public auditing firms or consultants for help. "There hasn't been a lot of specific guidance [from the SEC] in terms of the amount of detail that is required," says Tony Reding, IT director at Principal Financial Group, a Des Moines, Iowa-based investment firm. Principal implemented a third-party vendor system to meet Section 404 requirements. "The package helps us lay out the documentation in a logical fashion," he says, declining to name the vendor.
Principal's solution helps the firm to recognize significant accounts and to identify the processes that feed those accounts, as well as the risks associated with those processes. Principal will also use the solution to assign owners to accounts, processes and controls, and to locate and document gaps along the way.
A third-party solution is not always necessary, though, asserts Leskela, especially for many large top-tier firms with a plethora of technology already present. "There are cases where a firm doesn't need to buy anything to get through this because the key issue [with SOX] is around the processes."
Reding points out that while much of the investment for SOX compliance is made up front, the real emphasis should be on maintaining the processes afterward. "We don't want it to be one of those things that you pull out once a year at the end of the year just before attestation, and then make a mad scramble to get everything up to date," he says.
Leskela makes the point that some regulators have admitted that SOX was a "knee-jerk" response to the rampant corporate scandals, and that its requirements may be excessive.
Whether the investment was excessive or not, Reding concedes that his firm has gained operational efficiencies through its new processes. The primary focus, he adds, is becoming Section 404 compliant before an external auditor examines the firm. If a firm is found not to be compliant, Reding says, "you definitely are going to suffer repercussions reputationally and lose stockholder confidence."