In parts of the business world, the term “Sarbanes-Oxley” has become synonymous with overbearing and counterproductive regulation. But the legislation itself may have improved things for some top information-technology executives.
Five years after the U.S. Department of Justice began investigating Enron, the changed legal environment of which SarbOx is the most visible part has given chief information officers a key compliance role. Computers and software run many of the systems that have helped companies tighten their financial processes and adhere to the Section 404 rule for internal controls.
“This is helping to bring CIOs to the table,” said John Rostern, director of technology risk in the New York office of consulting firm Jefferson Wells. “They’re being invited in.”
Indeed, some CIOs have treated compliance requirements as an excuse for doing strategic reviews of their companies’ systems. Some have consolidated multiple enterprise resource planning deployments into one, according to Ted Frank, president of Axentis, a compliance software company in Warrensville Heights, Ohio. Others have upgraded different parts of their technology infrastructure or added new staff. “Compliance tends to be used as a tool to get budgets and projects kick-started,” Frank says.
To be sure, since its passage in 2002, SarbOx has also produced plenty of headaches for technologists. The need to shore up systems to meet the new standards has meant more hours at the office. And there has been confusion–especially amid conflicting advice from vendors–about exactly what needs to be done.
Section 404 doesn’t discuss information systems; it discusses financial processes–say, the need to separate the payment approval function from the payment creation function. That has left it up to companies to figure out how to use technology to support the new financial practices.
While some chief information officers initially said “Gee whiz, I can throw in two more firewalls and go home to dinner,” others came up with hundreds of new I.T. controls, says consultant Rostern. The right answer, he says, is somewhere in between.
The Justice Department opened its investigation into Enron on Jan. 9, 2002. The wide impact of the case, not just on investors but on Enron’s 21,000 employees, caused SarbOx’s creators to focus it at first on the biggest U.S. companies–those with market capitalizations in excess of $787 million. The legislation’s impact on the technology operations of smaller companies will become more evident as the small-company grace period expires in the next year.
For now, some small-company executives are skeptical. “To be honest, the biggest thing it has done is to create more work,” says David Chivers, CIO of VSE, a government contractor with a market capitalization of less than $100 million. “You’ve got to document stuff every day, and you’ve got to keep that documentation. That’s why they’re giving companies like us more time.”
In the long run, the biggest benefit may be the imperative to learn the language of shareholder value. That’s bound to make CIOs more valuable. As Rostern puts it: “If you can say that an incident is going to cost 2 cents of [earnings per share], that’s an argument a CEO is going to understand.”
Next page: Q&A: The Reshaping of the CIO in the Era of SarbOx
