Just two years ago, the names Paul Sarbanes and Michael Oxley meant much less to Wall Street than they do now. Today, you'd be hard-pressed to find a chief information officer who didn't feel like the two congressmen have become his or her nosy neighbors.
The most recent Wall Street gossip about the congressmen came last month when the Securities and Exchange Commission announced a delay in the certification deadline to comply with Section 404 of the Sarbanes-Oxley Act (SOX). This segment of the regulation requires that all companies set internal controls over financial reporting.
The postponement, which was issued by the SEC at the end of February, has extended Section 404 compliance deadlines by three to five months, depending on a company's date for filing its annual report. Companies that were originally to file reports on June 15, 2004, will now have until Nov. 15, 2004, while companies scheduled to file on April 15, 2005, now have until July 15, 2005.
Based on deadline-extension requests from five companies, as well as the Public Company Accounting Oversight Board, the SEC said in a statement, "We believe the extension will benefit investors because this will help ensure that appropriate controls are in place for the first reporting process."
While investors are poised to gain relief, few sources on the Street believe the added time will give CIOs a breather in their technology diligence for compliance.
"At the end of the day, it's a non-event," explains John Hegarty, vice president with Boston-based AMR Research. "The majority of firms have decided on the scope and level of effort for compliance, so the impact is minimal."
Hegarty says that because firms typically are required to have documentation in the hands of their auditors three to six months prior to the deadline anyway, most firms have already taken the necessary technology steps to comply with Section 404. "People are very far down the pike on this," he continues. "They might be dotting 'i's and crossing 't's, but there's not a lot of questions now on this."
Though initial ambiguity on the regulation had securities firms scurrying to find technology to ensure compliance, Hegarty says that most firms have made software decisions and are either implementing new solutions or tying together existing technologies.
"A fair number of companies have taken what they use internally, but a large number have made the decision to buy software," Hegarty adds.
Those off-the-shelf solutions range from enterprise-resource-planning software to document-management solutions to behavior-detection technology.
Rick Nunni, chief compliance officer at GunnAllen Financial, a Tampa, Fla.-based broker-dealer, says he turned to vendors that he already had a relationship with for support with Section 404 compliance. "Most big firms already have vendors on board who are expanding their business lineup to include SOX," he explains.
While the added value of a SOX-compliance package comes with a price, Nunni says that many vendors that work well for one type of compliance can often perform a double duty well. "If it can wax names through a database for anti-money laundering, it can also run financial statements back and forth and verify that they are consistent with ones already filed."
Most of these vendors have seen SOX coming and helped firms prepare for it regardless of an extended deadline, Nunni continues. "We've been around the block once or twice and know that it pays off to look ahead a little bit and put the systems into place as early as you can," he says.
Despite a delay intended to help clear up SOX's requirements, Nunni charges that they are still a bit gray. "I still think it's ambiguous, but we're tying to cover all the contingencies that may come about," he explains. "Hopefully, if we've done more than what we're required to do, when the rule is finalized, we're that much ahead of the game."
Internal Controls over Financial Reporting (Section 404)
- Document Controls
- Assess Controls
- Accelerated Reporting
Role of Technology
- Document Controls, including IT Controls: Enterprise Content Management (ECM), Dashboards, Business Process Management (BPM)
- Assess Effectiveness of Controls, including IT Controls, Data Integration