The Age of Compliance
How Sarbanes-Oxley affects IT management

The Fall of Enron
• Filed for Bankruptcy December 2001
• Accounting errors = $600 million
• Special Purpose Entities (SPE)
• Andrew Fastow (CFO)

The Demise of Andersen
• Strong beginnings
• Role change for Accountants
• Increase in non-auditing services
• Cover-up
• WorldCom debacle
• Not alone on the corrupt auditing front

Sarbanes-Oxley Act
• Architects:
  – Senator Paul Sarbanes
  – Representative Michael Oxley
• July 30, 2002
  – signed by President Bush

PCAOB
• Public Company Accounting Oversight Board
• All accounting firms must register
• 5 member board
  – 2 CPA’s
  – 3 non CPA’s
• First Chairman
  – William Webster
• Current Chairman
  – William McDonough

PCAOB
• Review existing standards
• Review attestation of internal controls
• Set new standards
• Authority to investigate and discipline

Auditor Independence
• Non-audit services for auditing clients are no longer allowed
  – Bookkeeping
  – IS design
  – Any other consulting services
• Rotate partners every 5 years
• No ex-audit team executives

Internal Audit Committee
• Not on the company bank roll
• Select and compensate auditor
• Oversee the audit
• Resolve issues between auditor and company

New Requirements for execs.
• Statement of appropriateness
  – Financial statements and disclosures
• Section 404
  – Internal Control Report

Internal Control Report
• Management responsible for IC
• Assessment of effectiveness of IC
• If material weaknesses
  – Must disclose
  – Can’t issue internal control report
• Compliance dates
  – November 15, 2004 (> $75 million mkt caps)
  – April 15, 2003 (< $75 million mkt caps)

Disclosures
• Material Adjustments
• Off-Balance Sheet transactions
• Company – Executive transactions
• Financial expert on Audit Committee
• Code of Ethics

White Collar Crime Enhancement
• Keep audit papers and email 7 years
• Destroying files = felony
• Securities Fraud
  – Statute of Limitations increased
  – Maximum imprisonment increased to 10 years
• “Whistleblower Protection”

White Collar Crime Enhancement
• Mail/wire fraud increased imprisonment
• SEC can prevent felons from exec. positions
• SEC can stop oversized payments to officers
• Financial Statement fraud
  – $5 million
  – 20 years imprisonment

Pre Sarbanes-Oxley
• Flexibility
• Loosely defined policies
• Unsegregated responsibility

Initial Reactions
[I] doubt if the CIO would even be interested
  - Patrick Kiernan; senior financial systems analyst
Companies that don’t involve the CIO are simply missing the point of the legislation
  - Tom Patterson; KPMG senior manager

Forced Changes
• Role of CIO changes
• IT departments shift focus

Compliance Issues
• Infrastructure
• Software
• Storage
• Outsourcing

Infrastructure Issues
• Network integrity
  – Increased dependency on open IP network
  – IP guidelines are in an “embryonic state”
• Lack of security policies

Steps in Addressing Infrastructure Issues
• Update financial transaction and reporting systems
• Document proper maintenance procedures
• Develop policies for making adjustments to financial systems

Software
• Aid in Compliance
• Developers include
  – Oracle
  – Redmond
  – OpenPages
  – Concur

Data Storage
• Develop written policy for retaining and storing data
• Maintain records for seven years (recommended)
  – Three tiered approach

Outsourcing
Use of service providers doesn’t reduce the responsibility of corporate executives from maintaining effective internal controls
  - Public Company Accounting Oversight Board

Evaluating Controls of Business Partners
• SAS 70
  – In-depth examination of internal controls
  – Service offered by accounting firms
• Satisfactory SAS 70 Type II Audit
  – Likely to meet Sarbanes-Oxley requirements
  – Mitigates Risk

Benefits
Companies with well run compliance processes enjoy share-price premiums, competitive advantages, improved morale, and reduced risk
  - Steven Lindseth; Chairman of Axentis Inc.

Costs
• Loss of control
• Loss of privacy
• Project delays

Career in a Compliance Driven Era
• Expanding opportunities
  – Systems auditing
  – Storage experts
• Skills that could give you a competitive advantage
  – Understand control objectives
  – Exhibit professional skepticism
  – Comprehension of basic components of Sarbanes-Oxley
  – Maintain a basic knowledge of accounting terminology and accounting systems