Pulling our SOX up
Sarbanes-Oxley requires a new standard of record keeping.
On July 30, 2002, US President George W. Bush signed the Sarbanes-Oxley (SOX) Act into law. The Act obliges organisations to monitor, track and manage the creation and reporting of all financial information required for governmental reporting, in order to provide better risk management and public disclosure.
The legislation does not affect only US companies. Any Australian company that is an SEC registrant (the SEC being the US government's Securities and Exchange Commission), as well as any Australian subsidiary of a US or European parent company that is an SEC registrant, must also comply in full with Sarbanes-Oxley.
Colonial First State Property (CFSP) is a wholly owned subsidiary of the Commonwealth Bank of Australia and manages the Commonwealth Bank's corporate real estate portfolio and its listed and unlisted property trusts in both Australia and New Zealand. Peter Roberts, CFSP's chief financial officer (CFO), admits that it is with some relief that he is not the CFO who has to sign off on the bank as a whole under Sarbanes-Oxley. Nor is he sure at this stage exactly what the IT and systems implications of the legislation are for him and CFSP, or what the rest of the industry is doing in that respect.
Roberts' sentiments are not atypical, if other organisations in Australia affected by Sarbanes-Oxley that IDM contacted are anything to go by. However, software company Hummingbird and accounting firm BDO believe it's time for Australian companies with business operations in the US to wake up to the requirements of the Sarbanes-Oxley legislation.
According to Alan Weintraub, senior director of business solutions at Hummingbird, any company with interests in the US will have to ensure that its IT infrastructure can meet the additional reporting requirements and the strict deadlines that Sarbanes-Oxley demands.
Addressing an American Chamber of Commerce breakfast briefing in Sydney last year, Hummingbird and BDO jointly declared that businesses faced an uphill battle to maintain and manage their records effectively under increased regulatory scrutiny. The two companies stated that, in order to meet the compliance requirements of Sarbanes-Oxley, organisations must establish clear business policies, a comprehensive records management program and appropriate audit trails.
"Sarbanes-Oxley legislation shatters the glass ceiling of company reporting as we have known it to date. While technology alone will not enable a corporation to meet the regulations, it will provide an infrastructure that can be used in conjunction with business processes and education to deliver a new way of working that keeps the CEO and CFO out of jail. Moreover, management and retention of all documents and communications are now a must and not a nice-to-have," Weintraub says.
Australia's own, or at least nearest, equivalent of Sarbanes-Oxley is the set of ASX corporate governance principles released in March 2003. Unlike the Sarbanes-Oxley Act, which places mandatory requirements on companies, the ASX guidelines are a disclosure-based framework.
"If you're a listed company it's mandatory that you tell your shareholders what you're doing, and if you don't say anything it's assumed you're doing what's in the guidelines," explains Dean Kingsley, risk management partner, Deloitte.
According to Kingsley, under both Sarbanes-Oxley and the ASX guidelines, if your application systems do not have appropriate controls embedded in them, you will need to retrofit controls so that there are checks and balances and erroneous data cannot be entered.
While the major application packages have such controls built in, many companies may need to reconfigure their systems to "switch them on", something they may not have done during the original implementation for reasons of expediency or priority, Kingsley adds.
In addition, he says there is a role for IT in helping the rest of the business build controls and automate the tracking of who owns and manages each risk and whether the controls work or not. However, he finds that IT is often not involved early enough in such projects and that the amount of remediation work involved is underestimated.
"I think the key issue for both ASX and Sarbanes-Oxley is that generally most IT departments are not part of the project plan or team at the moment, and at some point they'll get an interesting surprise when it lands on them.
A Sarbanes-Oxley project will typically start with the finance function. They will do everything they can within finance and at some point they will work out there's a bit left that they need IT to go and do. Then when IT has a look, they realise there is actually quite a lot of work to do," Kingsley says.
Of the companies in Australia that Sarbanes-Oxley affects, Kingsley believes very few have finished their projects. Because the effort is so large, it has also drawn attention away from the ASX guidelines, which for most companies actually come up first, he says. However, Kingsley still thinks the IT impact of Sarbanes-Oxley will be significantly smaller than that of GST or Y2K, and that neither Sarbanes-Oxley nor the ASX guidelines is likely to result in organisations throwing out their existing systems and replacing them, as they did for Y2K. The deadlines, at least systems-wise, are also softer than they were for Y2K and GST, in that the likelihood of being caught out by not being ready on day one is probably lower, he says.