The Sarbanes-Oxley Act is probably the most pervasive act in accounting policies since the New Deal. Public companies must be compliant with Sarbanes and even many privately held companies are going through the process because it's a good exercise. While the guts of the act are focused on accounting, it bleeds down into the IT areas because IT controls the systems on which all these accounting processes work.
One of the critical aspects about Sarbanes-Oxley is that it has criminal and civil penalties. If my CFO signs a form saying, "I have controls in place that make sure that my financial report is transparent," and then we turn around and have to do a restatement of our financials, he could be thrown in jail, or be sued by our stockholders.
The other key piece to Sarbanes-Oxley is auditor independence. Our external auditors will not help us with the process of ensuring our systems are compliant. At Champps, we had to hire another auditing company to help us put together the documentation from the IT perspective.
The new law
Internal control is now the law. As IT professionals, a lot of what we do is already compliant with Sarbanes. We manage systems. We manage security. We make sure that we don't have hackers coming into our systems and changing our financials. But, now that it is the law, what we are doing has to be clearly documented. Be aware: external auditors will take IT management documentation very seriously.
Preparing for compliance is a very significant task. If you look back at what you had to do for Y2K, it is similar to that. You not only have to look at your internal systems, but at external systems as well. Current auditor rules require consideration of IT. That came right out of the law. How does IT interact with accounting not only from a systems and interfacing standpoint, but also from the human standpoint? What kind of access do people in the IT department have? What can they do within the systems?
SAS 70 v. ISO 9000
SAS 70 is a very important part of this. Essentially, SAS 70 is a document that you can get from your vendors about their own compliance. In Champps' current network architecture we do a lot of outsourcing, including network management. When I asked the company that hosts our Oracle applications, our network providers and our co-location facility, "Do you have a SAS 70?", most replied, "No, we don't have a SAS 70, but we are ISO 9000 certified." ISO 9000 certification, no matter how stringent it is from an IT perspective, doesn't cut it with accountants. The accountants don't care, even though the rigor involved in getting an ISO 9000 certification is much greater than that of getting a SAS 70. I don't even do business with a new vendor unless they have a SAS 70.
The other part of that to think about is why you would need a SAS 70. I need to show my auditors what type of access my financial people have and what types of controls sit on top of that access. Can they get into my systems? Can they make significant changes that may affect my financial statements? As an IT guy I know we have security, we have passwords, but from an auditor's perspective, that doesn't wash. My auditor wants to see: What is the change control process? Who has the passwords? Is there segregation of duties within the organization, so that I can request a change but not make the change myself? It's been a really interesting exercise.
Managing the process
From an auditor's perspective, control is a process. It is not only about how we maintain control; it has to be documented to the point where my auditor can understand it. Relevant IT controls include those that are embedded in financial applications, as well as those that are present on IT platforms. At Champps I decided to adopt all the components of COBIT and COSO to make sure that we comply. One of the first internal controls we established was a clear desk policy. Our clear desk policy means that if you're not at your desk, there shouldn't be any papers on your desk that somebody may be able to take. Before we had a clear desk policy, security was taken very lightly within our organization. It was assumed that we were a secure environment.
Every year I'm going to have to attest to the controls. So I changed the way that I do IT. I'm now very stringent on documentation. In a restaurant setting we do a lot of things in crisis mode. I have to push back on my operations guys a little bit. If somebody wants me to change the price of a beer, I can do that in 30 seconds to all my stores. But now what I have to do is determine how it falls in the change control system. If I get a request to make the change, I delegate it to somebody else. Once the change is made, I go back and make sure that the change is accurate, I monitor it from time to time to make sure that the change is effective, and I document all of that. The auditors want to see that audit trail.
Document, document and document some more. My CFO likes to call this whole Sarbanes effort an exercise in documentation. That's exactly what it is. Being involved in Sarbanes was a great opportunity to show the importance of IT to our company. I was able to be part of our compliance committee, so they understand now how important IT is. IT is not just a bunch of guys running servers and making things work; it has a critical role within the organization. IT can tip the scales as to whether a company is compliant or not. If your CEO and everybody with a 'C' in their title didn't understand that before you had to go through this process, they definitely will on the other end. You will be a lot more important to them.
Steve Johnson is CIO at Champps Entertainment. This article is based on a presentation at the 2005 MURTEC Conference. For the complete, unedited version of the session, go to www.htmagazine.com.