
Sarbanes-Oxley advice for smaller public companies

Smaller public companies have had more challenges when it comes to preparing for Sarbanes-Oxley. James Champy offers some tips for those trying to do more with less in achieving compliance.

Up to now, smaller public companies -- usually those with less than $75 million in public equity -- have not been required to comply with Section 404 of the Sarbanes-Oxley Act. That section requires that a public company's management file a report on its assessment of the company's internal control over financial reporting -- including the financial work that passes through IT. It also requires that the company's auditors attest to the quality of the company's internal control over financial reporting in the auditor's annual report.

The Securities and Exchange Commission (SEC) itself has recognized the compliance challenges for smaller companies: Smaller companies typically don't have full-time financial controllers; managers in smaller companies have a broad span of control, and this could lead to management override of financial controls; and smaller companies are more dynamic and don't have well-documented processes. Your company may have a lot of work to do to produce a report that makes investors feel confident about your numbers -- even if you are the most honest company.

The SEC has given smaller companies and their auditors more time to prepare -- but time is almost up. Companies with fiscal years ending on or after Dec. 15 will have to start complying. IT is an integral part of compliance, especially for processes and systems that touch financial controls and reporting.

If you are an IT manager within a small, public company, you had better begin talking with your CFO about the controls that need to be operating within your shop and what attestations you will be asked to make. The Sarbanes-Oxley Act of 2002 requires that your CEO and CFO sign on the line that they have established and maintain "an adequate internal control structure and procedures for financial reporting," and that those procedures have been effectively implemented. (I'm quoting here from the SEC.) Most large companies look to managers down the line to confirm that any financial reports that are produced by their shop are accurate and truthful. You should be prepared for the same to happen in your company.

You may argue that the IT operation is not responsible for the data and information that goes into the reports its systems generate. But don't try to quote that old IT saw, "Garbage in, garbage out," to the SEC. The SEC expects that IT will have controls and processes in place to identify any financial reporting risks that may exist because of automated systems. For example, if a computer system automatically updates accounts in a general ledger system, management will have to report on the risk that the updating is not being done properly and attest that there is little risk that the data can be manipulated. And if a computer system generates an exception report, management will have to attest that someone is manually investigating the items in that report.

You may argue that the quality of financial systems and the processes that operate them, both automated and manual, are the responsibility of the CFO. But IT shares accountability for a lot of systems and processes.

So begin by asking hard questions about the quality of the financial systems that you run, the security that surrounds them, and who has access to those systems. Also look at how information gets into those systems, who enters the data and what happens to the output, especially if actions are required. But most importantly, begin now to document your processes. Management and your auditors will want to review these so that they can attest to their quality.
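The three questions raised above, whether automated general ledger updates are complete and untampered, whether exception-report items are actually investigated, and who holds access to the systems, are the kind of thing an IT manager can test and keep evidence for rather than assert from memory. The following is an added example written for this article, not the author's or the SEC's material: three small control tests over constructed sample data (batch names, account numbers, user names and amounts are all invented for illustration) that produce the findings an auditor would ask to see.

```python
"""Added example (not part of the original article): three lightweight
control tests an IT manager might run to gather Section 404 evidence.
Every record below is constructed for illustration."""
from collections import defaultdict
from decimal import Decimal

# Constructed: automated postings into the general ledger, each tagged with
# the source batch that produced it and the account that posted it.
GL_POSTINGS = [
    {"batch": "AR-2024-001", "account": "1200", "amount": Decimal("1500.00"), "posted_by": "svc_ar_interface"},
    {"batch": "AR-2024-001", "account": "4000", "amount": Decimal("-1500.00"), "posted_by": "svc_ar_interface"},
    {"batch": "AR-2024-002", "account": "1200", "amount": Decimal("2000.00"), "posted_by": "svc_ar_interface"},
    # Constructed anomaly: a person, not the interface, edited the credit side.
    {"batch": "AR-2024-002", "account": "4000", "amount": Decimal("-1950.00"), "posted_by": "jsmith"},
]

# Constructed: control totals taken from the subledger, one per batch.
SUBLEDGER_TOTALS = {"AR-2024-001": Decimal("1500.00"), "AR-2024-002": Decimal("2000.00")}

# Constructed: the system's exception report with investigation sign-offs.
EXCEPTION_REPORT = [
    {"id": "EX-1", "item": "duplicate invoice 4471", "investigated_by": "mjones", "disposition": "reversed"},
    {"id": "EX-2", "item": "posting outside open period", "investigated_by": None, "disposition": None},
]

# Constructed: who currently has GL access versus what was approved.
CURRENT_ACCESS = {"svc_ar_interface": "post", "mjones": "review", "jsmith": "post"}
APPROVED_ACCESS = {"svc_ar_interface": "post", "mjones": "review", "jsmith": "review"}

# Only these accounts are expected to write automated postings.
AUTOMATED_ACCOUNTS = {"svc_ar_interface"}


def reconcile_postings(postings, subledger_totals):
    """Test 1: automated updates are complete and untampered.
    Flags a batch whose debits do not match the subledger control total,
    whose debits and credits do not net to zero, or that contains a posting
    made by something other than the approved interface account."""
    by_batch = defaultdict(list)
    for p in postings:
        by_batch[p["batch"]].append(p)
    findings = []
    for batch, rows in sorted(by_batch.items()):
        debits = sum(r["amount"] for r in rows if r["amount"] > 0)
        net = sum(r["amount"] for r in rows)
        expected = subledger_totals.get(batch)
        if expected is None or debits != expected:
            findings.append((batch, "control total mismatch", debits, expected))
        if net != 0:
            findings.append((batch, "unbalanced batch", net, Decimal("0")))
        for r in rows:
            if r["posted_by"] not in AUTOMATED_ACCOUNTS:
                findings.append((batch, "non-interface posting", r["posted_by"], None))
    return findings


def uninvestigated_exceptions(report):
    """Test 2: every exception-report item carries a named investigator and a
    recorded disposition; returns the ids of items that do not."""
    return [e["id"] for e in report if not e["investigated_by"] or not e["disposition"]]


def access_review(current_access, approved_access):
    """Test 3: every account with GL access has an approval on record and
    holds no more than the approved role."""
    findings = []
    for user, role in sorted(current_access.items()):
        approved = approved_access.get(user)
        if approved is None:
            findings.append((user, "no approval on record", role))
        elif approved != role:
            findings.append((user, "role differs from approval", role))
    return findings


def run_all():
    """Collect the evidence from all three tests in one structure."""
    return {
        "posting_findings": reconcile_postings(GL_POSTINGS, SUBLEDGER_TOTALS),
        "uninvestigated": uninvestigated_exceptions(EXCEPTION_REPORT),
        "access_findings": access_review(CURRENT_ACCESS, APPROVED_ACCESS),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name)
        for finding in result:
            print("  ", finding)
```

Run against the constructed data, the tests surface an unbalanced batch with a manual posting by a user whose approved role is review-only, and one exception item nobody has signed off on. The point is not the specific checks but that each answer to "is the updating done properly?", "is someone investigating?" and "who has access?" is produced by a repeatable test whose output can be filed as evidence; tie the checks to the batch totals, sign-off fields and approval records your own systems actually keep.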

You will become familiar with the regulatory jargon of the Sarbanes-Oxley Act and the guidelines that the SEC produces for what's expected. But if you are a practical manager, you may also be thinking that all the legislation Congress can produce will not stop people from misrepresenting or bending the financial truth if they set out to do so.

It's also your job to be alert as information passes through your processes and systems: Are expenses proper, or do they violate a policy of your company, an ethical principle or the law of the land? Is revenue being appropriately booked, or is the sales organization getting ahead of itself in what it is reporting? These are the areas that have gotten most companies in trouble -- so in a practical sense, be sure that your company has the processes and systems in place to expose a wrongful deed.

James Champy is chairman of Perot Systems Corp.'s consulting practice and head of strategy for the company. He is also the author of the best-selling books Reengineering the Corporation, Reengineering Management, The Arc of Ambition and X-Engineering the Corporation.
