A new report says that an overwhelming majority of Sarbanes-Oxley compliance problems filed with the U.S. Securities and Exchange Commission can be attributed to systems and staff outside of IT. Technology systems and related personnel accounted for only 3% of the problems, and most compliance failures had to do with accounting, finance and staffing issues.
In the Gartner Inc. report, author Carol Rozwell examined 208 companies to learn about the sources of SOX pain. She concluded that many shops are still suffering from a lack of automation when it comes to SOX processes -- and it's costing them.
"One of our suggestions is that you have to think about how information technology can support ongoing compliance," Rozwell said. "The more you can use technology to ensure compliance, the less you have to use human beings."
The Gartner report, "Examine Sarbanes-Oxley Section 404 Weaknesses and Use IT as Your Solution," studied the SEC filings from Nov. 15, 2004, to April 30, 2005. Internal audits of those reports found 276 "material weaknesses," which were categorized according to root cause by Gartner. The report categorized the main sources of trouble this way: 43% could be attributed to accounting policies; 17% to financial policies; and 14% to staffing and personnel issues. The remaining issues were the result of deficiencies that varied depending on several factors.
The other problems included property leases with incorrect information on them, unsubstantiated information from subsidiary companies and a lack of standardization.
IT to the rescue
IT may not bear the brunt of the blame, but it can do more to prevent Sarbanes-Oxley compliance problems, experts agree. Jasmine Noel, co-founder of IT trend analyst firm Ptak, Noel & Associates, said change management is one of the areas where IT can smooth the audit process by providing consistent information. When IT was to blame, Rozwell discovered, it was due to poor change management.
Good CIOs know how they can use IT to ease SOX compliance, Rozwell said, but often have trouble making their case to business leaders.
For CIOs, "the first and foremost thing is to get it set in your head that this is not just make-work," Noel said. "[SOX compliance] really can drive a lot of IT efficiencies in the way the staff works. And coming up with creative ways to get people excited about the different ways they can use the tool. Yeah, the tool will get installed for SOX, but once it's there, if you can spread the word about the way that rich information can be used, the business will be better off."