When CIOs began installing ERP systems in the '80s and '90s, they unwittingly took something that used to belong to CFOs: financial controls. The things that accountants used to monitor manually--such as making sure that two signatures from the right people went on every check, or reconciling purchase orders against invoices--all became automated inside ERP systems. The meticulous audit trail that controllers and accountants had established over generations for demonstrating that money was being handled properly (think of black, leather-bound ledgers and long ribbons of adding machine paper) disappeared into those ERP systems without a trace--or at least without being properly documented, and certainly not to the extent now required by the 2002 Sarbanes-Oxley Act, a.k.a. Sarbox.
Today, CFOs want those controls back. If they don't get them, they believe they could go to jail. Section 404 of the Sarbanes-Oxley Act mandates that CFOs have to do more than simply pledge that the company's finances are correct; they have to vouch for the processes used to add up the numbers.
Sane people don't want to go to prison. They can even get a little frantic about it.
That's why CIOs perhaps can forgive their CFOs for getting aggressive when it comes to taking control of Sarbanes-Oxley compliance efforts. What CIOs shouldn't forgive, or take lying down, are their CFOs' attempts to freeze them out of the process.
A recent survey by research company Hackett Group found that just 12 of 22 companies surveyed had IT representation on their Sarbox steering committees. Among 75 public companies that Gartner surveyed last fall, just 63 percent said IT was involved.
Partly, this may be because many companies have been slow in getting their Sarbanes-Oxley efforts up and running. Only 65 percent of Gartner's respondents even had a Sarbox steering committee. Twenty-eight percent had no plans to form one.
But some CIOs see a darker agenda at work--a conspiracy. They fear Sarbox has become a stalking-horse that CFOs are using to assert control over IT and displace the CIO as the company's business process expert. Egging CFOs on, this theory goes, are the Big Four accounting firms, desperate to reassert themselves after the Enron debacle (which turned the Big Five into the Big Four after Arthur Andersen bit the dust) and needing consulting revenue to replace what they lost when most split off their consulting divisions.
"Finance and accounting organizations have been pushed to the background recently as IT and supply chain have been driving where companies are going," says one disgruntled CIO who declined to be identified. "Sarbanes-Oxley is the revenge of the bean counters. It's a wedge for the accounting profession to get control of the business again."
"CIOs are getting left out of Sarbanes-Oxley efforts, and it's a travesty," says Garry Lowenthal, CFO of Viper Motorcycle and chairman of the Finance and Technology Committee of Financial Executives International (FEI), an association of senior financial executives. (Lowenthal is sufficiently concerned that he is helping to set up a joint session between FEI and the Society for Information Management (SIM) at SIM's annual meeting this September to talk about how IT and finance can work together on Sarbox.) Adds Gartner Research Director Rich Mogull, "I'm hearing stories about CFOs not including CIOs in their compliance visions.
"I think that's a big mistake."
The Dark Agenda
Right now, CFOs are setting up compliance committees, often headed by their controllers and staffed by internal auditors and consultants from the Big Four accounting houses, and sending them out in pursuit of any and all business processes and IT systems that could have any impact on the balance sheet. IT systems across the country are glowing eyeshade green as accountants flock around them to figure out how they work and document those buried controls.
For CIOs, this can be a huge distraction and an enormous energy drain.
"We've taken a substantial productivity hit from this," says Brunson White, CIO of utility company Energen. "We didn't do much besides governance work last January. Sarbanes has pulled some of our best resources and altered our plans for other projects."
Sarbox is also expensive. Another utility CIO, Dennis Klinger of Florida Power & Light, says his company has already spent "multiple millions of dollars" on compliance, most of it on labor. And just as companies are starting to loosen their purse strings, much of that money is coming out of IT's hide.
But where there's pain, there's also opportunity.
If CIOs can take Sarbox beyond mere compliance, and automate and streamline business processes and financial controls so that the cost of compliance goes down over time while business performance improves, they could become heroes. But if they just play a tactical role, focusing only on IT-specific controls and leaving the rest to the CFOs and the accountants, that could fix a hard, clear varnish over the view in many executive suites that IT should be forever subservient to finance.
Which, according to many, is just what finance has in mind. As a former corporate vice president of IT, C. Lee Jones, chairman and CEO of Essential Group, a pharmaceutical services company, has had frontline experience on both sides of the IT-finance battleground, and he says that many CFOs would like to see CIOs left out of the Sarbox equation. Why? Because, he says, "it would give CFOs control over one of the largest fixed costs in the company: IT."
It's beginning to look as if Sarbanes-Oxley will be the greatest test yet of CIOs' standing within the enterprise.
The Sarbox Disconnect
Running Sarbanes-Oxley efforts is not an option for most CIOs. Sarbox is about financial processes. And each year when they sign off on the numbers, it's the CFOs' necks on the line (along with the CEOs'). "Controls and processes around financial reporting indicate the money guy should be intimately involved (in Sarbox)," says AMR Vice President of Research John Hagerty. A recent AMR survey found that 72 percent of Sarbanes-Oxley compliance teams were led by finance, and just 4 percent by IT. (The remainder were led by other business functions, plus legal and the board of directors.) But CFOs will not be able to prove compliance without the CIO. In most cases, the CFO's expertise ends where his numbers feed into information systems.
Most CFOs are aware of that, of course. However, they have options about where to go to get help. They could delegate compliance to internal audit (another group lacking a good understanding of IT issues) or hire external consultants. But if CFOs do an end run around IT and keep Sarbox efforts within the domain of the accountants and consultants, they could lose an opportunity to make the business run better. Hackett Group found that 47 percent of companies it recently surveyed still use stand-alone spreadsheets as part of their financial reporting process, meaning that the controls used to trace and audit the processes are essentially manual. Somebody throws numbers into a spreadsheet and passes them to someone else until they wind up in the annual report. Manual financial controls, as any auditor will tell you, are time-consuming, labor-intensive and costly; they're why companies abandoned those black ledgers in the first place.
"If you can automate it, and make it repeatable, you can know the controls," says Marc West, CIO of video game maker Electronic Arts. "If it's manual, it's more difficult to confirm the process and test it."
AMR estimates that of the roughly US$3 billion spent on Sarbanes-Oxley compliance in 2003, about 90 percent was spent on internal staff and consultants. To keep Sarbox from becoming an annual, recurring nightmare, companies need to automate financial controls (documenting them this time) and replace some of the labor-intensive manual detective work with software and hardware. That shift needs a leader. And that leader logically should be the CIO because the CIO will have to maintain and support those automated controls.
But just like Y2K, consultants and vendors are descending upon CEOs and CFOs and selling them magic-bullet software solutions for Sarbanes-Oxley over the heads of CIOs. It's ERP all over again. The financial controls gap inside most ERP systems today is partly the product of the communication gap between those who bought ERP systems (CEOs and CFOs) and those who installed and maintained them (CIOs). ERP projects went sour when business leaders and CIOs could not agree on how best to automate business processes in ways that could be integrated, supported and maintained by IT. Sarbanes-Oxley could easily lead to that same disconnect.
Sarbanes-Oxley means CIOs and CFOs need each other more than ever. Whether they will ever get around to admitting it is another matter. But if someone needs to swallow his or her pride and make the first move, it's the CIO.
The CIO's Dilemma
Today's corporate climate is not, however, conducive to compromise. Consultants and internal auditors are getting in CIOs' faces and demanding tighter controls in IT without deep knowledge of either Sarbanes-Oxley or IT.
"I've been told that I now need to submit every requisition to finance for approval before I can spend my budget," says one angry manufacturing company CIO who declined to be identified. "The CFO has delegated it to the controller, who has hired all these young auditors and consultants who think they're on a mission. They see Sarbanes-Oxley being above and beyond everything else we're doing. It's annoying because there are more important things we should be doing." Even though she is part of the company's Sarbox steering committee, this CIO has given up hope that the project will lead to the kind of process improvement and automation that could provide a long-term benefit to the business. "Everybody will do what they have to do to get through the compliance door, and the funding and overall attention and priority for the other process improvements will go where they always go--to the bottom of the list," she says.
Mostly, CIOs resent Sarbanes-Oxley. IT has been suffering through a funding drought since 2000, and now that corporate revenue is finally bubbling up again, Sarbox has cut to the front of the line. "We haven't been able to get much funded," says Electronic Arts' West. "Now here comes Sarbanes-Oxley and you have to find money in your budget to document processes. It's frustrating."
West is trying to turn that frustration around by using Sarbox as a lever to revamp governance processes across the business and in IT. "I think this will be one of the best things for IT in the long run because it's an opportunity to improve the ways we do things," adds Brad Friedman, vice president of IS for Burlington Coat Factory and the Sarbox point man for Burlington CIO Mike Prince. "You have to brainwash yourself into looking at it like that or you will dread it, because it's not a one-time event."
But Friedman acknowledges that he's having a hard time knowing where to start. Like many IT executives, he is desperately seeking guidance for this brave new world of Sarbox-enabled governance.
"If you read through the control objectives in Sarbanes-Oxley, they're very general," says Friedman. "Trying to burrow down to the detail and understand what will be looked for by the external auditor is very difficult. It's also difficult to draw the line between IT processes, operational processes and financial processes."
The CIO Solution
At utility NStar, CIO Gene Zimon took an early leadership role by suggesting that the company approach Sarbox the same way it did Y2K. Accordingly, NStar created an overall steering committee that meets monthly and includes the top functional executives from around the company. Zimon volunteered his program office director to help coordinate the effort. Working with the finance group and consultants, the project leadership parsed the project into 10 major processes by reverse engineering the balance sheet and income statement preparation process. "We took the numbers and worked backwards to find every system that contributed something to each of them," says Zimon. Each of the 10 processes was treated as a distinct project, each with its own steering committee, a business sponsor, internal audit consultant, and a business and IT lead assigned to do the dirty work of ferreting out the controls, documenting them and resolving any gaps in the process. "The most important thing was defining the areas we wanted to look at, to make it all real and measurable," Zimon says. "Otherwise, it all seems too vague."
At Energen, CIO White is taking the same reverse engineering approach to controls, trying to automate the ones he can. One is change management for Energen's ERP system. Right now, the process for making a change to the system--say a tax rate change or a bug fix--is "arduous and requires many sign-offs," says White. Any changes that can affect financial data will have to be reported under Sarbanes-Oxley, and if, for example, a bug in the ERP software means past financial data was not correct, the company may need to restate earnings. That means change management must be much more carefully documented and monitored than in the past. So White is planning to automate the change request and sign-off processes to speed things up as much as possible. But he's still worried that the new levels of scrutiny--and the coming requirement in Sarbanes-Oxley Section 309 that material changes to financial be reported in real-time--will prevent those changes from happening as fast as some in finance would like. "There isn't a whole lot more time to milk out of the change process," he says. "If it takes a week then that's the way it is. But people are already telling me it's not fast enough."
The Knowledge Gap
Without a good playbook for Sarbanes-Oxley, IT and business executives find themselves dependent for advice upon external auditors and consultants. But according to the CIOs and analysts we spoke to, consultants are also trying to figure out what compliance means. And that's yet another sore point for CIOs.
"I'm not getting any good advice about what I'm supposed to be doing from the consultants or the external auditors," says the anonymous manufacturing CIO. "They have no clue what Sarbox means for IT yet." Adds Gartner's Mogull, "The most common complaint I'm hearing about the auditors is they aren't providing enough clear guidance." When he challenged some of the auditing firms with this, their response was that the rules haven't yet been finalized by the Securities and Exchange Commission. "I said, Well that's fine," recalls Mogull, "but why are you taking people's money then?"
Complicating the situation is the longtime split that has existed between financial auditing and IT auditing inside consulting firms and the Big Four accounting firms. Financial auditors have traditionally focused on controls and overall business governance, while IT auditors have consulted with CIOs on best practices for running IT. And just like the businesses they serve, it's financial auditors, not the IT auditors, who are running Sarbox consulting engagements. This can lead to IT issues being ignored or shoved to the back burner. "They send in financial auditors and IT auditors but they are usually two separate teams that haven't created a (joint) strategy," says Sharon O'Bryan, founder and president of consultancy OAS and a former Big Four IT auditor. This is yet another reason why IT may be left out of strategic planning for Sarbanes-Oxley.
With so much potential for confusion and consequent disaster, all top enterprise executives need to stay in the compliance loop. Even if an internal audit group is charged with leading the day-to-day effort on Sarbanes-Oxley, the steering committee is a place where other, nonfinancial voices can be heard. This will eventually allow internal audit groups to save face when they realize that Sarbox is a much bigger job than they may have originally thought. Energen's White, for example, is part of a seven-member planning group that includes the CEO, CFO, COOs of two subsidiaries, the HR chief and chief counsel. This group doesn't just democratize communication, however. It also demonstrates resolve and commitment from the top. That's crucial in most IT projects, but especially in Sarbanes-Oxley because, as Burlington Coat Factory's Friedman puts it, "There is no value (in Sarbox) as far as the user community is concerned. If you don't have executive pushdown on this one, people are not going to move on it."
The Sarbox Compromise
Most auditors and CFOs we spoke with say that if IT is being left out of Sarbanes-Oxley, it is more a sin of omission, and perhaps ignorance, than a calculated plot. "The extent of IT involvement depends on how intuitive companies have been about technology-enabled controls," says Mark Lindig, a partner with Big Four firm KPMG's IT auditing group. "If there isn't much understanding, then IT might not be there at the beginning. Finance looks at Sarbanes-Oxley and says, 'How can I do this from a numbers focus?' It's like a hub-and-spoke arrangement where finance starts it and brings in other groups as they go."
CFOs are also struggling with how to define other executives' roles in Sarbanes-Oxley. "Who signs on the bottom line?" asks Dennis Cavender, CFO of Essential Group, his voice shaking with emotion. "The CFO and CEO. That's who have to put their names on the line, and that's who it comes back to. I don't see Sarbanes-Oxley as a confrontation between the CFO and CIO; I see it as being a team that has to work closer together, or the processes and internal controls will fall apart."
CIOs could do everyone a favor by defining their role in Sarbanes-Oxley themselves. After companies get over the initial shock of discovering how many manual financial controls they need to document, the CIO eventually will be assigned to automate them to save time and expense in quarterly compliance efforts. "The CIO will become the custodian of controls," says Lindig. "The finance function has to own them because they are the last line of defense before the audit, but as the controls are distributed into the organization, you need to establish custodial and execution responsibilities. That's what Sarbanes-Oxley shines a bright light on. You have to have an accountability model for those controls."
This could be the natural role for CIOs--think access rights to systems, constructing employee portals, and other instances where the CIO already defines and manages automated controls. But it's a short step from there to a much larger role that many CIOs have been reluctant to contemplate: the move from simply owning and maintaining the IT plumbing to becoming accountable for the accuracy and integrity of the data flowing through those pipes--the data controller, as John Lenz, partner at consulting company Tatum Partners, puts it. "Just as we have financial controllers today who assure the accuracy and integrity of numbers, we will have data controllers who assure the accuracy and integrity of data," Lenz suggests.
Some CIOs have already accepted that accountability. Electronic Arts' West signs a certification to his CFO that the data from his financial IT systems is accurate. The CFO and CEO are still ultimately (and legally) accountable if the numbers are wrong, but subcertification puts functional executives' necks on the line internally and in civil lawsuits. Gartner predicts that by next year, 70 percent of publicly traded companies will require their CIOs to do it.
CIOs who say they are currently satisfied with their role in Sarbanes-Oxley have one thing in common: They are defining their role themselves. They are volunteering to help coordinate the effort and offering project management--IT's unique, golden asset--to whomever wants it.
"I got involved and pushed the issue," says NStar's Zimon. "I thought, Better to get involved early than have the business come to me with a list of demands (just before the deadline)." By turning Sarbox into a "project" like Y2K, and volunteering resources to staff it, Zimon got to have more input into the company's governance model. He also gained access to an early warning system that informs him of issues bubbling up. Now he's working on building a joint business and IT group to continue to monitor and support the financial controls after the first round of Sarbox passes.
"I talk to CIOs who say this isn't an issue for them like it is for me," says White.
"I can't help but wonder if they aren't in for a rude awakening."
The Conspiracy By the Numbers
Only 12 of 22 companies surveyed had IT representation on their Sarbox steering committees.
72 percent of Sarbanes-Oxley compliance teams were led by finance.
4 percent were led by IT.
$3 billion was spent on Sarbox compliance in 2003. About 90 percent of that was spent on internal staff and consultants.
Sources: Hackett Group, Gartner Inc., AMR Research Inc.
What Section 404 Says
The official word from the Securities and Exchange Commission on what Sarbanes-Oxley demands
According to the SEC, companies must:
"Include in their annual reports a report of management on the company's internal control over financial reporting."
The control report must include:
"A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting."
"Management's assessment of the effectiveness of the company's internal control over financial reporting."
"A statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting."
"A statement that the registered public accounting firm that audited the company's financial statements...has issued an attestation report on management's assessment of the company's internal control over financial reporting."
The Revenge of the Bean Counters
Wounded by its failure to blow the whistle on accounting shenanigans at companies like Enron and WorldCom in 2001 and 2002, the auditing industry now stands to reap a windfall from the very problem it helped create.The remedy the government devised to prevent future malfeasance in corporate accounting, the Sarbanes-Oxley Act of 2002, will raise the cost of corporate audits an expected 25 percent to 130 percent depending on the size, complexity and degree of decentralization of the company being audited. And the Big Four accounting firms (Deloitte & Touche, KPMG, PricewaterhouseCoopers and Ernst & Young) will garner even greater profits (estimates are all over the map, but they dwarf the auditing fees) from consulting on how to do Sarbox compliance. The catch phrase for this burgeoning line of work is "enterprise risk management." (Translation: Sarbanes-Oxley is only the beginning of your governance problems.)
But your auditor can't build the controls for you. In an effort to end the conflicts of interest that brought down Arthur Andersen when it both consulted with and audited Enron, the Securities and Exchange Commission has scratched a faint line in the sand between auditing and consulting. "Basically, you're not supposed to audit your own work," says Jim DeLoach, managing director at Protiviti, a company that consults on compliance.
But since every major company wants a Big Four stamp of approval on its Sarbox controls to help ensure a clean audit, if a Big Four firm isn't auditing you, it will probably be consulting with you, thereby virtually doubling the amount of business to be had.
Confusion could double too. The firm your company is paying to do the auditing may not approve of the way another firm designed the controls. To avoid that, auditors are allowed to advise their clients during the design process on whether theconsultants are on the right track. But that doesn't guarantee that the auditors and consultants will agree in the end. "You could have disagreement over what should be included in scope under the law and what shouldn't," says Lynn Edelson, U.S. leader for systems and process assurance at PricewaterhouseCoopers.
The SEC, however, isn't going to wait while the various parties sort it out. Everybody needs a Sarbox-compliant audit by the middle of 2005 or CEOs and CFOs could be looking at jail time. "The definition between an A and an F grade isn't clear yet," says a source who asked not to be identified. "We won't know until we have some cases in the court system." Either way, the auditors and consultants will have their meters running.
Auditors say that Sarbanes-Oxley simply legislates that they do what they used to do as a matter of course: honest, thorough audits. Sometime during the go-go '90s, audits became a commodity, with companies shopping the (then) Big Five for the cheapest price. The auditors obliged, turning what used to be a thorough test of a company's financial controls into something less. "It was the relatively lax regulation climate that put so much (downward) pressure on audit fees," says John Parkinson, a former consultant and chief technologist for the North American region of consulting company Capgemini. "No question, companies paid as little as possible to get a 10-K. The accounting firms went along because they had no choice. They're rubbing their hands in glee now because they are doing the job they should have been doing."
And getting paid double for it.
How to Get a Seat at the Sarbox Compliance Table
Make compliance a formal project. If Sarbanes-Oxley is ad hoc, it will likely stay with finance, and the CIO is more likely to be presented with a list of demands for impossible work to be done under impossible deadlines.
Learn to speak CFO. Sarbanes-Oxley mixes IT controls with financial controls. Both functions use a different language to discuss and interpret controls. If you can't speak CFO, find an interpreter.
Volunteer. CIOs who get out in front by volunteering their own time and project management expertise will have a bigger, more important role in the project and going forward.
Meet the auditors. CIOs need to understand financial controls as well as the finance people. Arrange your own meeting with the auditors to learn their issues and to help them understand yours.
Meet the vendors. Head off the Sarbox software snake oil peddlers before they try to sell directly to the CEO or CFO. Then, when they do (and they will), you can offer an informed opinion.
Focus on value. If compliance is viewed as a way to improve the business, Sarbox can be a springboard to more important projects such as role-based portals, for example, or single-instance ERP consolidation.
Automate controls. Many financial controls are still manual. CIOs can add tremendous value by automating them and becoming their custodians.
Get help. Utilities have been laboring under Sarbanes-Oxley-style regulations for years. Reach out to a fellow CIO at a utility to ask for advice.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.