Mark Schmidtberger, a 19-year veteran at Payless ShoeSource Inc., went over to the dark side, as he calls it, and couldn't be happier. Until recently a database manager for Payless, he has carved out a niche at the $2.6 billion discount shoe chain as an IT manager specializing in SOX.
"I am so glad I made this move. I've talked with a lot of external auditors, and they're scrambling. They need more IT folks in the internal audit areas, and they need folks who have experience, not kids out of college with a COBIT manual," Schmidtberger said. His official title is manager, information services and technology audit, and Schmidtberger acts as a liaison between IT and the audit department for the Topeka, Kan.-based discount shoe chain.
Schmidtberger attended a compliance session at last week's Gartner Symposium/ITxpo in Orlando, Fla. A self-described extrovert, with a dual degree in computer science and business administration, and a few years of selling shoes under his belt, he might not be your typical database manager. But he could have been the poster guy for a panel of four IT executives convened by Gartner to pontificate on how successful companies manage compliance.
"SOX is not an event but a process. It is a great opportunity for people in IT to show leadership," said Robert Sehl, CIO of Eaton Corp., a Cleveland industrial manufacturer with revenue of $10 billion. IT experts should take control of the SOX audit, Sehl said, pushing back when the auditors seem unreasonable, if only to get clear explanations of what constitutes a significant deviation. In addition, IT departments need to share information on the cost of compliance and how much it will cost the company if it does not comply.
While the panel was not in agreement on every issue, waging a lively debate, for example, on the question of how hard SOX auditors will be on companies in Year Two, all four execs made the point that CEOs are looking for guidance.
Gint Dargas, CIO of Richardson Electric Ltd. of Chicago, called SOX the trigger to building a culture of compliance. "It's a massive training program," he said, urging the audience to "get involved."
"You'll get noticed," chimed in Ken Coleman, chairman and CEO of Mountain View, Calif.-based ITM Software. "There are tremendous career opportunities."
Payless' Schmidtberger said his opportunity reared its head last year when the company, which has 4,600 locations, was spending big bucks on external auditors to prepare for its first SOX audit. "I was in a lot of meetings that were just extremely frustrating," he recalled. The by-the-book approach used by external and internal auditors turned up stuff that, in his view, did not pose much risk or had mitigating controls. "You had financial folks talking to financial folks who didn't understand the business," he said. IT was guilty of its own mistakes and misunderstandings, realizing that many of the functions it had identified as controls were really processes. "So we're doing a lot of re-writing of controls," he said. And whittling. The company's roughly 1,300 controls are down to 900 and will go lower. That's a good thing, according to many industry experts whose clients put in too many controls that information auditors didn't need or want.
Far from bad-mouthing Sarbanes-Oxley, Schmidtberger is a believer in the law, applauding its intended purpose and its effect on IT. A product of the mainframe environment, with its emphasis on structured processes and controls, he sees SOX as a vehicle for bringing much-needed discipline to the distributed computing environment. "People complain about the cost of SOX. But in the long run, this is not a project but a methodology of how you implement things. It's a change in mindset that in my view is long overdue," he said.
After the session, Schmidtberger drew a small crowd wanting to know more about his job.
For the record, three panelists said they're finding the auditors easier to deal with, while Coleman expects no leeway from regulators. "Last year SOX was a moving target. This year is for real. They're saying, 'You've had a year, you know the rules, now fix it, and if you don't, we're going to get you.'"