Title: Sarbanes-Oxley Compliance: Get IT Wrong and Go to Jail
Sarbanes-Oxley Compliance: Get IT Wrong and Go to Jail
About Gartner, Inc.
- Gartner, Inc. is the leading provider of research and analysis on the global IT industry. We help support enterprises as they drive innovation and growth through the use of technology. We help clients make informed technology and business decisions by providing in-depth analysis and actionable advice on virtually all aspects of technology.
- Gartner Intelligence offers advice for IT professionals, technology companies and technology investors in the form of research reports, briefings or events.
- Gartner Executive Programs offers peer networking services and membership programs designed specifically for CIOs and other senior executives.
- Gartner Consulting offers customized engagements that allow CIOs and other business executives to apply our knowledge to their specific situation, with an emphasis on outsourcing and IT management.
Free Your Enterprise From the Sarbanes-Oxley Hype Cycle
[Hype Cycle chart; x-axis: Maturity; phases: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Plotted points: Enron, Sarbanes-Oxley Act, Sect. 302 Compliance, Sect. 404 Compliance, Sect. 409 Compliance.]
Chart annotations:
- Vendor activity peaks (near the Peak of Inflated Expectations)
- Hawthorne Effect kicks in
- Hawthorne Effect fades; compliance burden exceeds operational and technology support for compliance
- Depth of Trough depends on rate of investment in easing compliance burden
- Reaching Plateau depends on effective investment in compliance
Client Issues
1. What are the priorities for Sarbanes-Oxley compliance, and how do they translate into technology?
2. What is the role of IT in Sarbanes-Oxley compliance?
3. Which vendors, systems integrators and consultants can help enterprises meet Sarbanes-Oxley requirements?
4. What will happen next in the compliance and regulatory landscape, and how can IT meet those challenges?
Sarbanes-Oxley Act
- Overview of the Sarbanes-Oxley Act
  - Holds the CEO and CFO personally responsible for restatements due to misconduct
  - Imposes new obligations and responsibilities on audit committees
  - Requires process control and documentation
  - Strengthens penalties for corporate fraud
  - Requires rules to address securities analyst conflict of interest
- Technology Response
  - The CIO and CTO will drive risk assessments of enterprise applications
  - Systems to monitor compliance with codes of conduct will be installed
  - Business process modeling, analysis and management software installed
  - Will secure the confidentiality of systems and data leading to report generation
  - Records management policies and applications get increased focus
Section 302: C-Level Responsibility
Trouble Ahead: Sure enough to sign and personally attest to the accuracy of the annual report? Yes or No?
It will never be simple!
Trouble Behind: Executives must be sure of processes, controls and information sources.
Strategic Planning Assumption
- Audit firms will capture 50% to 75% of corporate spending on Sarbanes-Oxley through July 2004 (0.8 probability).
- Action Item: Decrease reliance on audit firms over time and build internal expertise of process controls, accounting and regulatory frameworks.
404: Process Documentation and Internal Controls
In the Boardroom: "We achieved our financial objectives!" "Where did THAT number come from?"
In the Engine Room: [diagram of the reporting chain, with each source of the number shown as a question mark]
Section 409: Real-Time Disclosure
SEC. 409. REAL TIME ISSUER DISCLOSURES. ... (l) REAL TIME ISSUER DISCLOSURES. Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.
Who Is Responsible for What?
Section 302 (Ultimate responsibility)
  What: Sign accounts, ensure accuracy and disclose anomalies
  Who: BOD, CEO, CFO
Section 204 (Penultimate responsibility)
  What: Understand controls, test and attest
  Who: External auditors and audit committee
Section 103 (Standards)
  What: Demonstrate compliance with accounting standards, identify gaps and remediate
  Who: Auditors, CIO, chief counsel and CGO/CCO
Section 404 (Report on internal controls)
  What: Process control, automation and documentation
  Who: Controller, internal auditors, IT managers, process specialists and IT systems
Section 409 (Rapid disclosure)
  What: Operations, financial reporting and compliance
  Who: Records managers, accountants, controllers, security and IT
Estimated Costs to Comply ($ Millions)
Fortune 1000 firms should allocate at least $2 million for SOX compliance through 2005 (0.8 probability).
Categories Most Likely to See SOX-Specific Spending in 2004
[Chart: two most likely categories, 178 respondents, normalized to 100%]
Good, Bad and Unsupportable
- Standalone process control documentation
- Excel spreadsheet-based
- Software-to-services ratio 50:50 or less (60:40, etc.)
- Free software if you buy services!
- "Sarbanes-Oxley solution!"
- It finds what you need in existing corpus of documents
- Compatible with IT infrastructure
- Connected to ERP and GL
- Supports process definition
- Document storage included
- Integrated with e-mail
A Vendor Feeding Frenzy: Think Y2K
"We have a Sarbanes-Oxley solution!"
- E-Learning
- Security
- E-Mail Archiving
- Audit Firms
- BPM/Business Rule Engine
- Enterprise Resource Planning/Financials/HR
- Risk Assessment and Management
- Document and Records Management
- Legal Discovery
- Sarbanes-Oxley Specialists
- Business Intelligence
Strategic Planning Assumption
- Companies that purchase Sarbanes-Oxley-targeted solutions during 2004 will retire or replace those systems by YE05 (0.8 probability).
- Action Item: Limit the amount of data committed and training time devoted to Sarbanes-Oxley-specific solutions that should be regarded as stopgap solutions only. Assess what you have before purchasing additional software, and maximize flexibility when buying.
Comparative Control Methodologies
Comparison of Internal Control Concepts (COBIT vs. COSO)
Primary Audience
  COBIT: management, users, information system auditors
  COSO: management
IC viewed as a
  COBIT: set of processes including policies, procedures, practices and organizational structures
  COSO: process
IC Objectives
  COBIT: effective and efficient operations; confidentiality, integrity and availability of information; reliable financial reporting; compliance with laws and regulations
  COSO: effective and efficient operations; reliable financial reporting; compliance with laws and regulations
Components or Domains
  COBIT: domains: planning and organization, acquisition and implementation, delivery and support, monitoring
  COSO: components: control environment, risk management, control activities, information and communication, monitoring
Focus
  COBIT: IT
  COSO: overall entity
Toward a Compliance Architecture
- Analyze, Automate, Audit: Business process modeling, workflow and planning tools
- Store Content: IDM, RM and e-mail archiving
- Manage Data: Operational store, data warehouse, metadata and virtual
- Performance Management: Statistical, ad hoc query, online analytical processing, business intelligence and BAM
- Response and Access: Web-based publishing and collaboration tools
- Report and Advise: Reporting tools, alerts, scorecards and dashboards
Strategic Planning Assumption
- Enterprises that choose one-off solutions to each regulatory challenge that they face will spend 10 times more on compliance projects than their counterparts that take a proactive approach (0.9 probability).
- Action Item: Conduct all ongoing process design and documentation efforts according to the architectural principles dictated by a CPM strategy and supporting IT architecture.
Corporate Governance and Compliance Management Milestones
When will it all come together?
[Timeline chart with tick marks at 1965, 1985, 1990, 1998, 2000, 2002, 2004, 2006, 2008, 2010; milestone labels not recoverable from the extracted text]
Acronym Key: CFR, Code of Federal Regulations; FERC, Federal Energy Regulatory Commission; IAS/IFRS, International Accounting Standards/International Financial Reporting Standards; PURPA, Public Utility Regulatory Policy Act
The Global Compliance Hype Cycle
Compliance requirements evolve at different rates
[Hype Cycle chart, as of January 2004; y-axis: Visibility; x-axis: Maturity; phases: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Key, time to Plateau: less than two years; two to five years; five to 10 years; more than 10 years; obsolete before Plateau.]
Acronym Key: CAD3, the European Commission's Capital Adequacy Directive; CFR, Code of Federal Regulations; FAS, Financial Accounting Standards; HIPAA, Health Insurance Portability and Accountability Act; IAIS, International Association of Insurance Supervisors; IASB, International Accounting Standards Board; IAS/IFRS, International Accounting Standards/International Financial Reporting Standards; RIPA, Regulation of Investigatory Powers Act
Strategic Planning Assumption
- The complexity, pace and impact of legislation will continually challenge businesses' capabilities. 70% of Fortune 500 companies will adopt comprehensive governance or compliance frameworks by 2006 (0.8 probability).
- Action Item: To mitigate the regulatory burden, enterprises must use core technology and process competencies to fuse compliance and corporate governance management into operational processes.
Facing an Evolving Compliance Framework
[Cycle diagram with four numbered stages: 1 Risk Classification, 2 Policy and Process Evolution, 3 Policy and Process Evaluation, 4 Risk Monitoring]
Stakeholders:
- Consumers
- Employees
- Trading partners/subsidiaries
- Shareholders
- Regulators/enforcers
Risk and process areas:
- Privacy
- Financial reporting
- CRM/PRM/HCM
- Import/export
- Marketing/sales
- Workforce management
- Operations
- Sourcing
- Application development
Owners:
- CFO/CCO/internal audit
- Legal counsel
- Government affairs
Compliance Challenges and Best Practices
Six Challenges
- Multiple rule sources: FDA, SEC, European Union, 4,000-plus federal regulations
- Long duration: Life, Life-Plus-Seven
- Monitoring responsibilities: Son of Sarbanes-Oxley, Part 11.1
- Multiphase requirements: Testing is ongoing
- Noncompliance costs: Jail time, fines and brand devaluation
- Skills shortages: Have you tried to hire a risk or compliance officer lately?
Eight Best Practices
- Establish a compliance office or officer
- Involve all stakeholders, including regulators
- Go enterprisewide
- Use a content management approach
- Use workflow to manage events and tasks
- File electronically, if possible
- Define clear communication channels and protocols
- Leverage industry best practices
Sarbanes-Oxley: Why?
[Diagram: Sarbanes-Oxley at the intersection of Technology, Business and Public Policy]
The U.S. Public Company Accounting Reform and Investor Protection Act
Recommendations
- Get involved. IT should have a seat on the compliance committee.
- Establish a regulatory weather bureau. Globalization accelerates the pace of rule-making.
- Envision a flexible strategic compliance architecture, even if you cannot implement it immediately.
- "Sarbanes-Oxley solutions" do not exist and may be dead ends requiring rework.
- Even point solutions can be flexible: Records and document management, business process management, business rule engines and business intelligence systems are all candidates for inclusion in the overall architecture.
- The ultimate goal is corporate performance management.
- Think of Sarbanes-Oxley as a blessing in disguise.
The Gartner Compliance Advisory Service
- Provides exclusive Sarbanes-Oxley initiative support, including comprehensive how-to methodologies and frameworks, project management tools, example case studies and targeted discussions with subject matter experts to support specific compliance initiatives
- Exclusive research agenda targets meeting the unique needs of the audit or compliance committee inside publicly traded companies
- Enables you to align your IT, finance and business units and strategize, plan, implement, manage and measure SOX initiatives successfully