IT implications of Sarbanes-Oxley: challenge or opportunity?

October 2005

The 2002 Sarbanes-Oxley Act - the US Congress's sweeping reaction to a series of corporate scandals - is having a profound effect. Companies have been placed under the microscope as never before, allowing unparalleled insight into the quality of processes, controls and organisation in modern corporate business. Valuable lessons have been (and are still being) learned that have implications for all companies, whether required to comply or not. These outcomes have not gone unnoticed by the EU, which is planning its own Audit Directive on corporate governance.

The US experience of Sarbanes-Oxley highlights a number of issues, risks and opportunities that are increasingly pressing for UK-based enterprises and application software designers. These issues are relevant not only to the SEC (Securities and Exchange Commission) registrants, but to all companies - partly because many non-SEC registrants are choosing to adopt Sarbanes-Oxley style processes because of the operating benefits they deliver in terms of process controls and management information. Non-US companies with a US listing must now comply with the Act for fiscal years ending after 15 July 2006.

A report has been produced by Business Application Software Developers Association (BASDA), in association with PricewaterhouseCoopers, which outlines some of the implications of Sarbanes-Oxley for CIO's and software developers. Key trends covered in this report include:

• Companies becoming far better informed about the effectiveness of their business processes and controls and are starting to act on this information, taking the task of improving management information beyond mere compliance.
  
• Growing awareness of the complexity of existing controls, whether automated or manual. The IT element of Sarbanes-Oxley compliance programmes has proved contentious and especially challenging.
  
• The interrelation between Sarbanes-Oxley and IT has put the CIO at centre stage as never before. The transparency that this regulation has generated has created an environment for greater accountability and huge pressure to deliver greater ROI on IT spend. The appetite for the centralisation and standardisation of system infrastructures and the automation of processes and controls is growing as a consequence.
  
• Finance directors and chief executive officers are looking to understand how to sustain cost-effective compliance.
  

The problem can be summed up by quoting a common question from customers to application developers: "Is this application Sarbanes-Oxley compliant?" There is no such thing as Sarbanes-Oxley compliant software, only compliant companies. The rules of the game have changed, and both customers and application providers need to adapt accordingly.

Key messages for CIOs and application developers:

At the end of each section of the full report, we list some of the key messages to CIOs and for the sales directors of application software developers.

These will help:

• CIOs to understand the implications of Sarbanes-Oxley for the role of IT in their business, distil the issues and provide a focus for responses.
  
• Application software developers to understand the implications of their customers' increased demand for centralisation and automation.
  

Please contact Antony Ruddenklau on +44 (0) 20 7213 1194 for a full copy of the report.