Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
August 11, 2003

Sarbanes-Oxley and IT: Beware of Magic Bullet Solutions

In their ongoing efforts to comply with the Sarbanes-Oxley Act of 2002, companies have turned to their Information Technology (IT) departments to help them manage their new financial reporting responsibilities. Many are finding that adjusting to new regulatory realities requires systemwide reconfigurations or even entirely new technology systems. Such projects usually require purchasing new software, redeploying internal resources and engaging outside service providers. Wherever there is major change, of course, there is also the risk of disrupting business processes as new systems are rolled out.

While corporate compliance law may be the initial reason for this exercise, there are other "legal" aspects to consider in this process. Buyers of Sarbanes-Oxley solutions should take care to remember other legal doctrines — including those of contract, warranty and intellectual property — since those other laws will greatly influence the success of the project. Moreover, buyers should be wary of "magic bullet" solutions — those that promise instant and easy compliance. Any wise buyer of Sarbanes-Oxley solutions should follow certain basic principles and practices in his purchase and implementation of new or improved IT systems.

New Obligations, IT Solutions

There are many aspects of Sarbanes-Oxley that are likely to have implications for technology systems. New rules requiring insiders to report transactions in the company's stock through the EDGAR system have prompted some companies to invest in software to bring the EDGAR filing process in-house. Section 802 of the law enforces records retention requirements. Investor relations components of corporate websites are being overhauled. This is just the tip of the iceberg.

One provision that has drawn particular attention in the IT world is Section 404, which requires management to evaluate and assess the integrity of the company's financial reporting systems.

Section 404 does not obligate companies to buy new IT systems. However, it is hard to imagine how the procedures required to comply with Section 404 could be accomplished without sophisticated IT solutions. Executive management must evaluate and assess the company's internal control over financial reporting, which is, as it sounds, a very process-intensive task. Furthermore, management will need to document the process to enable the company's auditors to perform the procedures required to issue an attestation report on management's assessment. Management must also certify that they have disclosed to the company's auditors and audit committee all "significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company's ability to record, process, summarize and report financial information."

The financial reporting systems in every modern company are essentially intertwined with the company's IT systems, which are designed to maintain financial records, process and record transactions, and protect systems from being used without management authority. Thus, by obligating management to make statements concerning the effectiveness of their financial reporting systems, the law essentially obligates managers to report on the effectiveness of the company's technology systems. It is not unfair to suggest that executives can no longer view IT systems as black boxes that eat up and spit out numbers — rather, the executive must understand the IT systems well enough to assess their effectiveness and identify any inadequacies.

To reach that point, managers will demand that their companies undertake internal examinations of their existing systems to determine if they can certify their accuracy and integrity. Companies that cannot validate their current systems are faced with the likelihood of repairing or replacing their financial reporting systems.

Section 404 obligations are coming into play very shortly. Most companies must provide the report on internal control and auditor attestation for fiscal years ending on or after June 15, 2004, while some smaller organizations must comply with reports for fiscal years ending on or after April 15, 2005.

Principles for IT Purchases

Executives should keep a few basic principles in mind when thinking about IT purchases in light of Sarbanes-Oxley.

Avoid Too Much Too Soon. Always keep in mind that Sarbanes-Oxley by itself has no requirement that a company spend large amounts of money on IT replacements. New purchases should only be made when they are required as a result of the ultimate responsibilities — accountability for attestation, quicker reporting, longer record keeping. Jumping into new systems for the sake of jumping will nearly always lead to overly expensive projects that have no clear purpose.

Do Not Look for Magic Bullets. There are vendors who will be anxious to get in on the game of Sarbanes-Oxley-related systems sales, and, as always, there will likely be some vendors who claim more than they could possibly deliver. Remember that Section 404 compliance in particular is ultimately premised on the executive's ability to analyze and report on the accuracy and integrity of the company's systems. Running the best IT system in the world does not make the company compliant, because compliance still depends ultimately on the last link between the systems and the human being. Further, new systems that are designed to report events and complaints up to management are only as good as the information that is fed into them. But few vendors are willing or able to take that information from the very bottom of the chain to the top.

On the Other Hand... Underinvesting in necessary upgrades is just as dangerous as overspending. It will likely be necessary to temporarily put in place short-term solutions — often in the form of additional back-channel reporting and auditing functions — to begin meeting compliance obligations today. Those solutions may be relatively inexpensive compared to a replacement of a whole system, but those types of solutions do not go to the root of the problem, which is more of a systemic process issue than it is any particular set of reports. If the executive believes a new set of reports is needed before Sarbanes-Oxley certifications can be issued, that is more than likely a red flag that the whole financial reporting system is in need of an overhaul. Moreover, the "report" solution will always be, at best, something that requires constant tinkering to keep up with newly discovered problems, and is more than likely to be behind the times. It is usually better to avoid a continuing game of catch-up by looking at the big picture.

Avoid the Checklist Mentality. Complicated topics such as Sarbanes-Oxley compliance beg for simplification. Companies know that there are many additional things they should be doing and many outside firms are advertising software products to help companies navigate these new rules and document their compliance. Again, it is important for companies to document their compliance with Sarbanes-Oxley for audit purposes and in the event of any shareholder litigation or regulatory investigation. However, many of the SEC rules specifically direct companies to avoid the "one size fits all" mentality and realize that appropriate procedures and policies need to be carefully tailored for the specific company. Ultimately, few checklists are going to be able to reflect a complicated decision tree that a company must consider, and they are especially poor at reflecting what happens the day after the list was filled out.

Document Everything, and Write It For Real People. Few IT professionals will argue that their profession in general is traditionally tagged with one shortcoming — poor or missing documentation of what they have created and how it works. Under the new rules, executives can no longer rely on generalized "It's OK" messages, but rather will need to review documentation on how the systems work before they can be satisfied that the company's systems meet the new standards of care. That documentation must be written in a way that makes sense to the non-IT professional, but which allows for an intelligent decision by the actual decision maker. When new systems are being created, do not give short shrift to the documentation of what is being done — or the executives may, in the long run, be no better off than they were before the investment was undertaken.

Buy With Purpose, and Control the Buy. This is not a rule limited to Sarbanes-Oxley considerations. There is always a need to invest in IT wisely and not let the process (or the vendor) get too much control over what is ultimately delivered. When undertaking major IT purchases, deliberative processes such as Requests for Proposals and competitive bidding and contracting are essential to success at a reasonable price. As lawyers, we cannot overemphasize the importance of the "details" in any contract, such as the risk-shifting elements that rarely fit into a traditional Return on Investment analysis, but that can come back to haunt a company long after the project-closing dinners have turned cold. While major contract negotiation and deliberation can be expensive — and occasionally frustrating to business people who want results — the investment in time, money and patience will usually save the buyer manyfold in missed cost overruns, failed solutions, poor documentation, and disputes. Attorneys who specialize in IT purchasing may be vital in the process, since their training and experience allows them to recognize and negotiate issues particular to these purchases. Finally, corporate executives — at the very top — need to be "invested" in the process, and make their interest clear to all levels of the corporation that are involved in the process.

Develop with Future Change in Mind. While we may say today that some of the initial panic over IT systems changes arising from Sarbanes-Oxley may be overstated, that does not mean that something will not happen with the law tomorrow. If you are investing in new systems now, protect your investment by demanding that the systems be sufficiently flexible to cover future changes in the law without a need to replace the systems. Buzzwords like "scalable" and "configurable" describe the concept: Do not invest in software that is inflexible and incapable of growth.

Conclusion

Most corporations are going to have some significant IT work to do as a result of Sarbanes-Oxley. Some companies will find that their past implementations of IT resources were done in a way that is easily expanded and modified. Those companies will suffer less pain. Other companies, which might have put off modernization of their IT resources, may need to invest in wholesale replacement of their financial reporting systems. Most, of course, will be between those two extremes. However, by using deliberative purchasing processes aimed at the real purpose of Sarbanes-Oxley — to make financial reporting more reliable and transparent — companies can purchase new IT resources or fix or expand their existing resources in a way that will not only help the company comply with the new laws, but may even help the company do what it really wants to do — grow its business.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.
