This post is a bit outside the scope of this
class, but it is definitely relevant to the information technology world and
anyone who is currently investing in or plans to invest in the market.
As of yesterday, Sarbanes-Oxley 404 compliance went into effect for all public
companies with a market cap over $75M. For those of you not familiar with
Sarb-Ox, in many ways it is a corporation’s worst nightmare and an auditor’s
dream come true. Instead of focusing an
audit solely on numbers and the resulting financial statements, Sarb-Ox forces
companies to pay attention to the systems and the processes that their numbers
are flowing from. You can audit numbers backwards, sideways, and upside down,
but it's not going to matter if the processes and systems that generate the
numbers do not have integrity in themselves. As a result, companies must now
pay careful attention to the effectiveness of their internal controls on an
ongoing basis. To provide some perspective, this means that the design and
operating effectiveness of the key controls embedded within hundreds of
business processes that could affect financial statement assertions must be
documented and tested. Not only is this
incredibly time-consuming, but it is also incredibly costly from a labor and
accounting fee standpoint. According to
this article posted on CFO.com, companies will spend an average of $5.1M on
compliance efforts. Worst of all, this must be completed before every
corporation’s next fiscal year end, and as of now, many are lagging severely
behind in the process. Since two additional audit opinions in relation to Sarb-Ox
are to be issued along with the traditional opinion, companies who fail to
comply or correct material control weaknesses in a timely manner could receive
a bad opinion. This in turn could negatively impact the markets if stock prices
begin to fall as a result of weakening confidence in the transparency of
accounting practices.
From an IT standpoint, this is relevant because the audit
of these internal controls is wrapped around computer information systems. All
processes taking place in the data center and pertaining to either logical
access/security, program development, or program changes must be thoroughly
documented and tested. Essentially, this means gaining comfort over everything
IT: disaster recovery
plans, back-up procedures, batch processing, password maintenance, operating
system security parameters, database settings, etc. In addition, companies are also spending large amounts of money on technology to aid them in their compliance efforts. This article gives a decent breakdown of what this entails.
Who ever thought that
misclassifying expenses as capital expenditures and manipulating special purpose
entities could lead to all of this legislation? WorldCom and Enron sure weren’t
betting on it.