Up to now, smaller public companies -- usually those with just less than $75 million in public equity -- have not been required to comply with Section 404 of the Sarbanes-Oxley Act. That section requires that a public company's management file a report on its assessment of the company's internal control over financial reporting -- including the financial work that passes through IT. It also requires the company's auditors attest to the quality of the company's internal control over financial reporting in the auditor's annual report.
The SEC has given smaller companies and their auditors more time to prepare -- but time is almost up. Companies with fiscal years ending on or after Dec. 15 will have to start complying. IT is an integral part of compliance, especially for processes and systems that touch financial controls and reporting.
If you are an IT manager within a small, public company, you had better begin talking with your CFO about the controls that need to be operating within your shop and what attestations you will be asked to make. The Sarbanes-Oxley Act of 2002 requires that your CEO and CFO sign on the line that they have established and maintain "an adequate internal control structure and procedures for financial reporting," and that those procedures have been effectively implemented. (I'm quoting here from the SEC.) Most large companies look to managers down the line to confirm that any financial reports that are produced by their shop are accurate and truthful. You should be prepared for the same to happen in your company.
You may argue that the IT operation is not responsible for the data and information that goes into the reports its systems generate. But don't try to quote that old IT saw, "Garbage in, garbage out" to the SEC. The SEC expects that IT will have controls and processes in place to identify any financial reporting risks that may exist because of automated systems. For example, if a computer system automatically updates accounts in a general ledger system, management is going to have to report on the risk that updating is not being properly done and that there is little risk that data can be manipulated. And if a computer system generates an exception report, management will have to attest that someone is manually investigating items in that report.
You may argue that the quality of financial systems and the processes that operate them, both automated and manual, are the responsibility of the CFO. But IT shares accountability for a lot of systems and processes.
So begin by asking hard questions about the quality of the financial systems that you run, the security that surrounds them, and who has access to those systems. Also look at how information gets into those systems, who enters the data and what happens to the output, especially if actions are required. But most importantly, begin now to document your processes. Management and your auditors will want to review these so that they can attest to their quality.
You will become familiar with the regulatory jargon of the Sarbanes-Oxley Act and the guidelines that the SEC produces for what's expected. But if you are a practical manager, you may also be thinking that all the legislation Congress can produce will not stop people from misrepresenting or bending the financial truth if they set out to do so.
It's your job to also be alert as information passes through your processes and systems: Are expenses proper, or do they violate a policy of your company, an ethical principle or the law of the land? Is revenue being appropriately booked, or is the sales organization getting ahead of itself in what it is reporting? These are the areas that have gotten most companies in trouble -- so in a practical sense, be sure that your company has the processes and systems in place to expose a wrongful deed.
James Champy is chairman of Perot Systems Corp.'s consulting practice and head of strategy for the company. He is also the author of the best-selling books Reengineering the Corporation, Reengineering Management, The Arc of Ambition and X-Engineering the Corporation.