So exactly what is the Sarbanes-Oxley Act?
Compliance: Sarbanes-Oxley
Q: What are companies doing for Sarbanes Compliance regarding
IT controls - objective for Disaster Recovery and Business
Continuity plans?
AMR: The Sarbanes-Oxley Act of 2002 (SOA) has raised the
profile of Risk Management within many organizations. Companies
are keenly interested in making sure any material risks to
the business have appropriate controls in place to mitigate
those risks. No one would argue that disaster recovery and
business continuity planning would fall into the area of material
risk. As companies work with their auditor of record to put
together documentation of internal controls and business processes
as defined in Section 404 of SOA, many are also including
IT-specific controls. Disaster recovery/business continuity
is one area that companies are revisiting. After the events
of September 11, 2001, disaster recovery became job #1 for
many firms. Now, those plans, along with associated policies
and procedures, are being looked at again to make sure they
are up to snuff. At the end of the day, it's important that
your company consults with its auditor to understand exactly
what they will expect as part of initial SOA work for 2004.
But it's good business practice to stay on top of this important
issue, and IT governance regimens have this at or near the
top of every list.
Q: AMR Research has estimated that the Fortune 1000 will spend
$2.5B in 2003 getting ready for Sarbanes-Oxley compliance.
How will that money be spent?
AMR: In late April, we surveyed more than 60 companies in
the Fortune 1000. We asked these firms to disclose how much
money had been earmarked for the SOA compliance work in 2003,
but we did not request that they break down the spending into
different categories. However, we have had a significant number
of one-on-one conversations with many firms since that survey
was done. Based on these detailed discussions, we estimate
that 90% to 95% of the money will be spent on people-related
expenses--specifically, internal associates’ time and
consulting fees associated with internal audit and risk management
advice offered by external third parties. That leaves 5% to
10% for technology, or approximately $125M to $250M. We expect
to see the bulk of any technology spending to occur in Q4
once firms have fully planned their approach to SOA compliance.
We also expect to survey the broad user community again in
early Q4 as budget numbers firm up for 2004.
Q: Does Sarbanes-Oxley affect companies not headquartered
in the United States?
AMR: SOA rules apply to any company that lists its stock
on a U.S.-based exchange, regardless of where the company’s
headquarters are. If any local country rules conflict with
any of the regulations stipulated in SOA (for example, the
composition and membership of the management board), the local
rules take precedence.
Q: How about non-U.S.-based subsidiaries of U.S. firms?
AMR: For a subsidiary of a U.S. firm that trades stock on
a U.S.-based exchange, its operations are also governed by
SOA mandates as part of the parent company.
Q: Do product development / manufacturing processes apply
to SOA?
AMR: Possibly, but not assuredly. The scope of process and
control documentation is a management decision. Many companies
are taking a key accounts approach to business process and
controls documentation. In analyzing those key accounts--such
as cash, accounts receivable, or revenue--from the firm’s
balance sheet and/or income statement, companies are assessing
degrees of potential risk. This determination will result
in whether these processes and controls are documented. Other
companies are taking a key processes approach, or documenting
the key activities they undertake as a business. Either approach
is valid, and we expect firms will work closely with their
auditors/advisors in this decision.
Q: You mentioned “separation of duties.” Can you
talk more about that?
AMR: A well-designed and deployed separation of duties ensures
that there is a system of checks and balances within an organization
for achievement of work responsibilities while preventing
abuse, theft, or fraud of company resources. Organizations
are at some business risk from internal security lapses and
often lack adequate IT system security processes to manage
and mitigate the associated risks. Ask the Director of Internal
Audit at any large corporation, and you’ll likely get
some pretty interesting stories about abuse, theft, and fraud
by former employees. Employees requisitioning, authorizing
delivery, and then stealing direct material supplies and an
administrative assistant who walked off with almost $100K
through T&E fraud are just two examples that some analysts
have experienced firsthand.
Q: Enterprise Performance Management (EPM) was mentioned as
one of the top three remedies being considered for SOA compliance.
Would a broader data warehouse strategy be a viable option?
AMR: A data warehouse is a baseline architectural component
for any EPM initiative. Understanding the right business data,
improving its quality (if necessary), and combining it with
the right content from multiple sources is critical to having
a complete picture of company performance. But a data warehouse
by itself is just a lot of data. It must also be used in concert
with a visualization and analytic tool to derive key metrics
that monitor the health of the business in near real time.
Q: What about balanced scorecards, portals, or management
dashboards? What’s their role in SOA compliance?
AMR: Getting management and workers the right information
to identify and assess risk in the business and then act on
mitigating that risk is a key part of Section 409--Real-Time
Disclosure remedy. Anything that exposes operational and financial
reporting anomalies as they occur is important for SOA compliance.
Q: What do you mean by real time?
AMR: Although there has been no formal declaration by the
SEC, many SOA pundits, including the audit firms, have speculated
that Section 409 translates to “within 48 hours.”
Q: What is the Section 404 deadline for smaller companies?
What constitutes the SEC limit for small companies?
AMR: Firms with a market capitalization of $75M or less fall
into the small company category. The enforcement date for
SOA Section 404 for this class of company is April 15, 2005.
Q: Are companies resisting full disclosure?
AMR: We have not surveyed companies in this area. Anecdotally,
companies are mounting an aggressive response to SOA compliance.
No one wants to be the company (or individual) that becomes
the test case for the SEC enforcement.
If you are an enterprise business in search of SOA-compliant
solutions, let CTA Consulting group provide a solid security
foundation for your business.