As a CIO of a financial organization, you have a great deal more to think about beyond just asset management and document management. Your main concerns include keeping your organization’s data safe and navigating the rules of Sarbanes-Oxley (SOX).
SOX is not the new kid on the block; it was enacted in 2002 in response to notorious accounting scandals at WorldCom, Enron, and other public companies. It was instituted on the premise that if we could ensure the quality of corporate financial reporting through secure internal controls, we could enhance the integrity of our records management and financial systems. SOX ushered in a number of new requirements for company management and boards as well as for the accounting profession. Among the more noteworthy aspects, per Section 404 of the Act, CEOs, CFOs, and CIOs must personally affirm their responsibility for maintaining an adequate internal control structure and procedures for financial reporting and (per Title III) can be individually liable for shortcomings in the accuracy and completeness of corporate financial reports.
Less well known is just how corporate management and the auditing community design and evaluate internal controls. They rely on the Committee of Sponsoring Organizations of the Treadway Commission (COSO), an organization that provides thought leadership and guidance on internal control, enterprise risk management, and fraud deterrence. COSO promulgated the foundational guidelines in its Framework as far back as 1992 and updated its guidelines in May 2013. Generally speaking, the updated guidelines accommodate a business landscape that has changed considerably over the past two decades. Of interest to those who are naturally drawn to this blog is that the new Framework draws special attention to technology assets. The updated guidelines set a deadline — today — for companies to adopt their new Framework for internal controls.
The new Framework is composed of five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. These components embody 17 principles representing the fundamental concepts of internal control. The principle of interest to Finance/Accounting and IT executives is a control activity: “The organization selects and develops general control activities over technology to support the achievement of objectives.”
What does this mean for corporate staff? The new Framework has implications for IT asset management (ITAM), IT service management (ITSM), and data security — a set of disciplines we call technology asset management.
Internal auditors will be obliged to scrutinize their IT and procurement departments much more carefully than ever before. The quality and degree of housekeeping around ITAM will have to escalate dramatically. Organizations will need to know on an ongoing basis whether software entitlements match actual usage (no small feat). Organizations also will have to know where devices are located so they’re not just asset-tagged and forgotten. At a time when companies are more likely to record furniture than software on their balance sheets, the accounting profession is finally addressing the assets that generate significantly more return — and risk — for shareholders.
A company that has outsourced IT to a third party should be especially interested in the updated COSO Framework. Outsource service providers can give companies the false comfort that the ITAM box is checked, but they often fall short of comprehensive control.
Considering how vulnerable companies have been to security threats and how increasingly public security failures have become, we predict that these new SOX guidelines will be an important catalyst for improvement.
Technology asset management is hard to get right. It is a practice that cannot be executed simply by purchasing software. Instead, a rigorous SOX and governance plan should be created with the organization’s own needs in mind.