Sarbanes-Oxley Compliance: Get IT Wrong and Go to Jail (PowerPoint presentation, 26 slides)

Transcript and Presenter's Notes

1
Sarbanes-Oxley Compliance: Get IT Wrong and Go to Jail
  • French Caldwell

2
About Gartner, Inc.
  • Gartner, Inc. is the leading provider of research
    and analysis on the global IT industry. We help
    support enterprises as they drive innovation and
    growth through the use of technology. We help
    clients make informed technology and business
    decisions by providing in-depth analysis and
    actionable advice on virtually all aspects of
    technology.
  • Gartner Intelligence offers advice for IT
    professionals, technology companies and
    technology investors in the form of research
    reports, briefings or events.
  • Gartner Executive Programs offers peer networking
    services and membership programs designed
    specifically for CIOs and other senior
    executives.
  • Gartner Consulting offers customized engagements
    that allow CIOs and other business executives to
    apply our knowledge to their specific situation,
    with an emphasis on outsourcing and IT
    management.

3
Free Your Enterprise From the Sarbanes-Oxley Hype Cycle
[Hype cycle chart: vertical axis "Hype", horizontal axis
"Maturity"; phases from left to right are Innovation
Trigger, Peak of Inflated Expectations, Trough of
Disillusionment, Slope of Enlightenment and Plateau of
Productivity]
Chart annotations, in reading order:
  • Vendor activity peaks
  • Sect. 404 Compliance
  • Sect. 409 Compliance
  • Hawthorne Effect fades. Compliance burden exceeds
    operational and technology support for compliance
  • Hawthorne Effect kicks in
  • Sect. 302 Compliance
  • Reaching Plateau depends on effective investment
    in compliance
  • Sarbanes-Oxley Act
  • Enron
  • Depth of Trough depends on rate of investment in
    easing compliance burden
4
Client Issues
  • 1. What are the priorities for Sarbanes-Oxley
    compliance, and how do they translate into
    technology?
  • 2. What is the role of IT in Sarbanes-Oxley
    compliance?
  • 3. Which vendors, systems integrators and
    consultants can help enterprises meet
    Sarbanes-Oxley requirements?
  • 4. What will happen next in the compliance and
    regulatory landscape, and how can IT meet those
    challenges?

5
Sarbanes-Oxley Act
Overview of the Sarbanes-Oxley Act
  • Holds the CEO and CFO personally responsible for
    restatements due to misconduct
  • Imposes new obligations and responsibilities on
    audit committees
  • Requires process control and documentation
  • Strengthens penalties for corporate fraud
  • Requires rules to address securities analyst
    conflict of interest
Technology Response
  • The CIO and CTO will drive risk assessments of
    enterprise applications
  • Systems to monitor compliance with codes of
    conduct will be installed
  • Business process modeling, analysis and
    management software installed
  • Will secure the confidentiality of systems and
    data leading to report generation
  • Records management policies and applications get
    increased focus

6
Section 302: C-Level Responsibility
  • Trouble Ahead: Sure enough to sign and personally
    attest to the accuracy of the annual report?
    Yes or No?
  • It will never be simple!
  • Trouble Behind: Executives must be sure of
    processes, controls and information sources
7
Strategic Planning Assumption
  • Audit firms will capture 50% to 75% of corporate
    spending on Sarbanes-Oxley through July 2004
    (0.8 probability).
  • Action Item Decrease reliance on audit firms
    over time and build internal expertise of process
    controls, accounting and regulatory frameworks.

8
404: Process Documentation and Internal Controls
In the Boardroom:
  • "We achieved our financial objectives!"
  • "Where did THAT number come from?"
In the Engine Room:
  • [Diagram of unlabelled question marks: the sources
    of the reported number are unknown]
9
Section 409: Real-Time Disclosure
SEC. 409. REAL TIME ISSUER DISCLOSURES. ... (l) REAL
TIME ISSUER DISCLOSURES. Each issuer reporting under
section 13(a) or 15(d) shall disclose to the public on
a rapid and current basis such additional information
concerning material changes in the financial condition
or operations of the issuer, in plain English, which
may include trend and qualitative information and
graphic presentations, as the Commission determines,
by rule, is necessary or useful for the protection of
investors and in the public interest.
10
Who Is Responsible for What?
  • Section 302 (Ultimate responsibility)
    What: Sign accounts, ensure accuracy and disclose
    anomalies
    Who: BOD, CEO, CFO
  • Section 204 (Penultimate responsibility)
    What: Understand controls, test and attest
    Who: External auditors and audit committee
  • Section 103 (Standards)
    What: Demonstrate compliance with accounting
    standards, identify gaps and remediate
    Who: Auditors, CIO, chief counsel and CGO/CCO
  • Section 404 (Report on internal controls)
    What: Process control, automation and
    documentation
    Who: Controller, internal auditors, IT managers,
    process specialists and IT systems
  • Section 409 (Rapid disclosure)
    What: Operations, financial reporting and
    compliance
    Who: Records managers, accountants, controllers,
    security and IT
11
Estimated Costs to Comply (Millions)
[Cost chart; the per-firm figures are not recoverable
from the transcript]
Fortune 1000 firms should allocate at least $2
million for SOX compliance through 2005 (0.8
probability).
12
Categories Most Likely to See SOX-Specific Spending
in 2004
[Chart: two most likely categories, 178 respondents,
normalized to 100; the category values are not
recoverable from the transcript]
13
Good, Bad and Unsupportable
  • Standalone process control documentation
  • Excel spreadsheet-based
  • Software-to-services ratio 50:50 or less (60:40,
    etc.)
  • Free software if you buy services!
  • "Sarbanes-Oxley solution!"
  • It finds what you need in existing corpus of
    documents
  • Compatible with IT infrastructure
  • Connected to ERP and GL
  • Supports process definition
  • Document storage included
  • Integrated with e-mail

14
A Vendor Feeding Frenzy: Think Y2K
"We have a Sarbanes-Oxley solution!" is the claim from
every vendor category:
  • E-Learning
  • Security
  • E-Mail Archiving
  • Audit Firms
  • BPM/Business Rule Engine
  • Enterprise Resource Planning/Financials/HR
  • Risk Assessment and Management
  • Document and Records Management
  • Legal Discovery
  • Sarbanes-Oxley Specialists
  • Business Intelligence
15
Strategic Planning Assumption
  • Companies that purchase Sarbanes-Oxley-targeted
    solutions during 2004 will retire or replace
    those systems by YE05 (0.8 probability).
  • Action Item: Limit the amount of data committed
    and training time devoted to Sarbanes-Oxley-
    specific solutions, which should be regarded as
    stopgap solutions only. Assess what you have
    before purchasing additional software, and
    maximize flexibility when buying.

16
Comparative Control Methodologies
Comparison of Internal Control Concepts

  Concept                | COBIT                                             | COSO
  -----------------------+---------------------------------------------------+------------------------------------------
  Primary audience       | Management, users, information system auditors    | Management
  IC viewed as a         | Set of processes including policies, procedures,  | Process
                         | practices and organizational structures           |
  IC objectives          | Effective and efficient operations;               | Effective and efficient operations;
                         | confidentiality, integrity and availability of    | reliable financial reporting;
                         | information; reliable financial reporting;        | compliance with laws and regulations
                         | compliance with laws and regulations              |
  Components or domains  | Domains: planning and organization; acquisition   | Components: control environment;
                         | and implementation; delivery and support;         | risk management; control activities;
                         | monitoring                                        | information and communication; monitoring
  Focus                  | IT                                                | Overall entity
17
Toward a Compliance Architecture
[Architecture diagram; layers and their tooling:]
  • Analyze, Automate, Audit: business process
    modeling, workflow and planning tools
  • Store Content: IDM, RM and e-mail archiving
  • Manage Data: operational store, data warehouse,
    metadata and virtual
  • Performance Management: statistical, ad hoc query,
    online analytical processing, business
    intelligence and BAM
  • Response and Access: Web-based publishing and
    collaboration tools
  • Report and Advise: reporting tools, alerts,
    scorecards and dashboards
18
Strategic Planning Assumption
  • Enterprises that choose one-off solutions to each
    regulatory challenge that they face will spend 10
    times more on compliance projects than their
    counterparts that take a proactive approach (0.9
    probability).
  • Action Item Conduct all ongoing process design
    and documentation efforts according to the
    architectural principles dictated by a CPM
    strategy and supporting IT architecture.

19
Corporate Governance and Compliance Management
Milestones
When will it all come together?
[Timeline chart spanning 1965, 1985, 1990, 1998, 2000,
2002, 2004, 2006, 2008 and 2010; the milestones
plotted on it are not recoverable from the transcript]
Acronym Key: CFR, Code of Federal Regulations; FERC,
Federal Energy Regulatory Commission; IAS/IFRS,
International Accounting Standards/International
Financial Reporting Standards; PURPA, Public Utility
Regulatory Policy Act
20
The Global Compliance Hype Cycle
Compliance requirements evolve at different rates
[Hype cycle chart as of January 2004: vertical axis
"Visibility", horizontal axis "Maturity"; phases
Innovation Trigger, Peak of Inflated Expectations,
Trough of Disillusionment, Slope of Enlightenment and
Plateau of Productivity. Key (time to Plateau): less
than two years; two to five years; five to 10 years;
more than 10 years; obsolete before Plateau. The
individual regulations plotted on the curve are not
recoverable from the transcript.]
Acronym Key: CAD3, the European Commission's Capital
Adequacy Directive; CFR, Code of Federal Regulations;
FAS, Financial Accounting Standards; HIPAA, Health
Insurance Portability and Accountability Act; IAIS,
International Association of Insurance Supervisors;
IASB, International Accounting Standards Board;
IAS/IFRS, International Accounting Standards/
International Financial Reporting Standards; RIPA,
Regulation of Investigatory Powers Act
21
Strategic Planning Assumption
  • The complexity, pace and impact of legislation
    will continually challenge businesses'
    capabilities. 70% of Fortune 500 companies will
    adopt comprehensive governance or compliance
    frameworks by 2006 (0.8 probability).
  • Action Item: To mitigate the regulatory burden,
    enterprises must use core technology and process
    competencies to fuse compliance and corporate
    governance management into operational processes.

22
Facing an Evolving Compliance Framework
[Diagram: a four-step cycle numbered 1 to 4 with the
stages Risk Classification, Policy and Process
Evolution, Policy and Process Evaluation and Risk
Monitoring; the lists below are the labels shown
alongside the cycle]
Risk Classification
  • Consumers
  • Employees
  • Trading partners/subsidiaries
  • Shareholders
  • Regulators/enforcers
Policy and Process Evolution
  • Privacy
  • Financial reporting
  • CRM/PRM/HCM
  • Import/export
  • Marketing/sales
  • Workforce management
  • Operations
  • Sourcing
  • Application development
Owners
  • CFO/CCO/internal audit
  • Legal counsel
  • Government affairs
Risk Monitoring
Policy and Process Evaluation
23
Compliance Challenges and Best Practices
Six Challenges
  • Multiple rule sources: FDA, SEC, European Union,
    4,000-plus federal regulations
  • Long duration: Life, Life-Plus-Seven
  • Monitoring responsibilities: "Son of
    Sarbanes-Oxley", Part 11.1
  • Multiphase requirements: Testing is ongoing
  • Noncompliance costs: Jail time, fines and brand
    devaluation
  • Skills shortages: Have you tried to hire a risk
    or compliance officer lately?
Eight Best Practices
  • Establish a compliance office or officer
  • Involve all stakeholders, including regulators
  • Go enterprisewide
  • Use a content management approach
  • Use workflow to manage events and tasks
  • File electronically, if possible
  • Define clear communication channels and protocols
  • Leverage industry best practices

24
Sarbanes-Oxley: Why?
[Diagram with the labels Sarbanes; Oxley; Technology;
Business; Public Policy; and "The U.S. Public Company
Accounting Reform and Investor Protection Act"]
25
Recommendations
  • Get involved. IT should have a seat on the
    compliance committee.
  • Establish a "regulatory weather bureau."
    Globalization accelerates the pace of
    rule-making.
  • Envision a flexible strategic compliance
    architecture, even if you cannot implement it
    immediately.
  • "Sarbanes-Oxley solutions" do not exist and may
    be dead ends requiring rework.
  • Even point solutions can be flexible: Records and
    document management, business process management,
    business rule engines and business intelligence
    systems are all candidates for inclusion in the
    overall architecture.
  • The ultimate goal is corporate performance
    management.
  • Think of Sarbanes-Oxley as a blessing in disguise.

26
The Gartner Compliance Advisory Service
  • Provides exclusive Sarbanes-Oxley initiative
    support, including comprehensive how-to
    methodologies and frameworks, project management
    tools, example case studies and targeted
    discussions with subject matter experts to
    support specific compliance initiatives
  • Exclusive research agenda targets meeting the
    unique needs of the audit or compliance committee
    inside publicly traded companies
  • Enables you to align your IT, finance and
    business units and strategize, plan, implement,
    manage and measure SOX initiatives successfully