IT departments at many large US companies are racing to document, remediate and test IT-related controls to meet a year-end reporting deadline for Sarbanes-Oxley compliance. The rush is on because many companies underestimated the amount of work that would be required, and because of miscommunication between IT managers and the finance departments that typically run Sarbanes-Oxley Act compliance projects, according to users and analysts who were interviewed this week.
"What I've seen is a 'Let's drop everything and get this done' approach on dealing with IT controls from the second quarter until now," said John Hagerty, an analyst at AMR Research Inc. in Boston.
Hagerty and several other analysts and consultants said they expect that most companies that need to show Sarb-Ox compliance by year's end will get the bulk of their IT controls documented and tested in time. But some analysts predicted that in annual 10-K reports early next year, as many as 25 percent of the so-called accelerated filers (the larger public companies that face the earliest Section 404 deadline) will have to report controls-related exceptions that require additional remediation. Depending on the severity of the problems, companies could be fined by the U.S. Securities and Exchange Commission.
Todd Naughton, vice president and controller at Zebra Technologies Corp., said the Vernon Hills, Ill.-based supplier of printer components "really just started looking" at general IT controls within the past three months.
For the past year, Zebra has focused on documenting, remediating and testing application-level controls throughout the organization, including mapping defined job roles to the system access levels they require, said Richard Jaszka, the company's internal audit manager.
"That said, we're concerned about our ability to meet the Section 404 requirements of Sarbanes-Oxley for the other IT controls," said Jaszka. For example, although Zebra has documented policies for key areas such as change management, systems development and mission-critical computer operations, "it will be a challenge to properly test these controls and address any necessary remedies by year-end," Jaszka said.
He added that regulators haven't specified which IT controls need to be documented and tested.
Stan Lepeak, an analyst at Meta Group Inc., said he wouldn't be surprised if 25 percent of accelerated filers are found to have inadequate controls. He based his estimate on several factors, including discussions with clients, Sarbanes-Oxley readiness surveys conducted with client firms, and concerns expressed by customers who outsource IT that service providers won't be able to document the IT controls in time.
"It really depends on how strict external auditors will be in determining what are material weaknesses or deficiencies in controls and what aren't," said Lepeak.
Herman Miller Inc., a Zeeland, Mich.-based maker of office furniture, decided this past spring to adopt a set of guidelines for evaluating IT controls called Control Objectives for Information and related Technology, or Cobit, created by the IT Governance Institute and the Information Systems Audit and Control Association, both of which are based in Rolling Meadows, Ill., said Rich Russell, director of application development.
"We worked with our auditors to determine which of the Cobit processes were in scope for (Section) 404 and then we focused on those," said Russell, whose company has until May 31, 2005, to attest to its IT and financial controls.
Wyndham International Inc. has been working with several consulting firms since last year to document its IT controls, said Mark Hedley, senior vice president and chief technology officer at the Dallas-based hotel chain.
As a result, Wyndham "has very high confidence in our IT key internal controls that will receive the scrutiny of our Sarbanes audit team," he said.
Later Timetable Gives Some Filers More Wiggle Room
Some companies that can wait until 2005 or later to meet the initial Section 404 requirements of the Sarbanes-Oxley Act have already spent months working on IT control assessments and are well positioned to complete their documentation and testing efforts ahead of schedule.
For instance, Science Applications International Corp. in San Diego began evaluating its IT controls in July 2003 and started documenting them last December -- even though the research and engineering company doesn't have to attest to those controls until Jan. 31, 2006, said John R. Hartley, SAIC's director of accounting operations.
While SAIC isn't an accelerated filer, "that doesn't alter the priority, attention or resources that we place on our Sarbanes-Oxley activities," said CIO Cora Carmody. "It has been, and will continue to be, my top priority in IT and the corporation's top priority."
Herman Miller Inc., a maker of office furniture, began evaluating its IT controls in March and expects to finish internal testing by year's end. External auditors will conduct tests in February 2005 to meet the May 31 deadline, said Rich Russell, director of application development.
"At the outset of our compliance efforts, we did not understand the requirements for IT controls -- we were more focused on application controls," he said. After a more thorough study of the company's IT control issues, Russell and his colleagues found that IT is a foundational piece of Herman Miller's controls architecture.
Even though Portland General Electric Co. doesn't have to meet its Section 404 requirements until December 2005, the utility recently completed its IT control design assessment and is planning to begin testing those controls by the end of this month, said Ross Wescott, chief IT auditor at the Portland, Ore.-based electric utility.
Said Wescott, "It is our goal to practice for a year, so when it comes to reality, we're ready." -- Computerworld (US)