Q&A: The Reshaping of the CIO in the Era of SarbOx

Gartner analyst French Caldwell has been covering governance, compliance and risk management since 2002. In a recent conversation with Baseline, he spoke about the regulatory developments affecting information-technology executives. Those include Section 404 of Sarbanes-Oxley, which requires public companies to have certain internal controls in place, and indications that the Securities and Exchange Commission and the Public Company Accounting Oversight Board (PCAOB) will relax some requirements for smaller companies.

Baseline: It’s been five years since the Department of Justice said it was investigating Enron. How much has the job of a technology executive changed because of that?

Caldwell: I talked to the CIO of a very large bank recently, and he said that 10 years ago his senior managers spent 10% of their time on compliance issues. Now they spend 30% of their time on compliance issues.

Technology executives in other industries are also spending an increasing amount of time on regulations. There’s a lot more attention around the actual control of the information and data, and what various people can do with the data. That’s the biggest change.

Baseline: Are there industries that aren’t going to be affected?

Caldwell: Not really. Sarbanes-Oxley applies to all [public] companies across all industries. That does leave out nonprofit organizations, privately owned companies and maybe some insurance companies that aren’t publicly traded. But there’s a SOX knock-on effect, where all of those other entities are increasing their standards because of what their auditors and board members are doing with the publicly traded companies they’re involved with.

Baseline: On average, how much have I.T. costs gone up specifically as a result of new compliance requirements?

Caldwell: I.T. people quite often feel like the costs have gone up significantly, that they’re spending anywhere from 10% to 15% on compliance. But a lot of that is perception. When you look into what they’re actually spending, it’s around 5% on I.T. compliance in most industries. Financial services is a whole different animal; it can be 15% to 30% there.

Baseline: In the last few weeks, the SEC and PCAOB have both offered proposals for easing certain aspects of the 404 internal controls. From an I.T. perspective, how much relief is really in the offing, and for whom?

Caldwell: I get calls all the time from clients who are facing some auditor-generated deficiency. They say, “I don’t understand how this really relates to financial reporting. I don’t understand how doing this server log analysis review will have any significant impact on the reliability of the financial statement.”

The PCAOB and SEC have been saying for the last year and a half that auditors should be taking more of a top-down, risk-based approach to compliance. But the audit standard that the auditors are operating under doesn’t allow them to do that. If the PCAOB truly revises that audit standard, it could provide considerable relief to the I.T. folks.

The other thing the SEC did was to push out the date for small-cap firms to comply with Section 404. That provides them some relief.

Baseline: How good would you say the average CIO is now, in 2007, at the compliance part of the job?

Caldwell: Originally, when the CFO was looking for some solution to help with managing all these things around compliance, the CIO wasn’t even involved. Now, I’m starting to get calls from the CIO who’s working with the CFO or with the internal auditors.

They’re getting a lot smarter. But there’s always some new law, some new regulation–it never stops, and it’s not going away. It’s now part of the job and is something that companies have to do well.
