Governance Falls into CIO’s Lap

Although compliance with Sarbanes-Oxley means CEOs are in the hot seat, CIOs will do much of the heavy data lifting.

With all of the business imperative projects that CIOs are currently running with their limited budgets, it may be hard to imagine that a larger, even more strategic project is being thrown their way. On top of everything else that they are doing, CIOs are being charged with helping their CEOs and CFOs comply with the corporate governance regulations in the Sarbanes-Oxley Act.

"The senior executives are very concerned" about the Sarbanes-Oxley Act (which requires CEOs and CFOs to "sign off" on financial statements), "because there is so much data that they will have to monitor to make sure the financial statements are accurate," says a spokeswomen at ACL Services (Vancouver), a provider of business assurance solutions and financial auditing tools. "With one wrong move, the CEO could be on the six o'clock news."

So CIOs shouldn't be surprised when senior management begins to ask for a more detailed account of IT expenditures, as every internal cost will be under the microscope as CFOs work to make sure that financial reports are as accurate as possible.

While complying with the Sarbanes-Oxley regulations seems like a largely financial and business matter, IT can expect to be called upon -- it if hasn't already been -- to collect data from all parts of the company, compile it, disseminate it to the proper parties and even track the data's progress. "The CIO is going to deliver the technology that can pull the information together," says Jim Gahagan, vice president, financial services industry strategy, for PeopleSoft. "The IT organization has to deliver it and the CFO and CEO will be relying on it."

IT Steps UpAlthough senior business executives may wait impatiently for consolidated and accurate financial numbers, they most likely will not understand the underlying technology, points out Daryn Walters, vice president for Handysoft, a provider of workflow solutions designed to help insurance companies comply with Section 302 of the Act (requiring companies to generate up-to-date, accurate reports on internal controls and financial statements to which CEOs and CFOs can attest) and Section 402 (requiring companies to establish internal controls that conform to standards). "The very senior-level financial executives do not care about process improvement," he says. "They care about results, and they will notice when efficiencies are gained in the reporting process," Walters adds.

However, points out Richard de Moll, vice president, financial services consulting, Cap Gemini Ernst & Young, senior business leaders may need some education when it comes to IT and reporting. "I don't think that CEOs and CFOs have a good understanding of what IT can help them do to comply," de Moll says. "CIOs need to do some research into the regulations so they can partner with the CFO and bring technology to solve some of the pains. This is something that financial audit committees will be interested in: "What is the blueprint for the IT systems and the data structure?"

Many companies are taking a wait-and-see approach. However, says CGE&Y's de Moll, waiting until the final regulations are announced to start developing a compliance process may be too late. "Many are complying manually," he says. "But over the next three years, the timeframe for quarterly reporting will shrink. CIOs need to bring an integrated view of financial data, along with internal controls and audits, to the CFOs so data can be verified quickly."