Tuesday, May 13, 2003

Is Sarbanes-Oxley the new Y2K?

The Sarbanes-Oxley Act was passed by Congress in 2002 in response to a number of high-profile financial scandals, such as those at Enron and WorldCom. Its goal is to make corporate accounting procedures more transparent to investors and regulators. Although the law includes a number of new mandates, two sections have clear implications for corporate information systems. Section 404 (Management Assessment of Internal Controls), with a deadline at the end of 2003, requires management to assess each year the effectiveness of its own internal controls and procedures for financial reporting. Section 409 (Real Time Disclosure) requires companies to disclose material changes in their financial condition or operations on a rapid and current basis. Each of these two sections spells more spending on IT.

First, Section 404, which requires audit of internal controls, will likely lead executives to reexamine and possibly replace operational systems that are not well integrated with financial systems. For example, an A/P system that does not systematically match purchase orders and receivers to vendor invoices prior to payment might be vulnerable to fraud. Or, an invoicing system that is not integrated with shipping might allow a manager to improperly recognize revenue that was not yet earned.

Furthermore, the timeliness requirement of Section 409 seems to call for a much more transparent and integrated financial reporting system than many companies have today. For example, companies that are accustomed to working on a 10-day financial closing period would seem to be at risk for non-compliance with the real-time disclosure requirement, which is currently interpreted as demanding disclosure of material events within 48 hours. The problem is particularly acute for firms with multiple operating units and decentralized systems. Such companies will need to adopt a common financial reporting system, integrate multiple systems with a financial reporting layer at the corporate level, and/or implement an enterprise performance management (EPM) solution to provide real-time analytics. In any case, Sarbanes-Oxley spells increased spending for enterprise systems.

In a recent survey of Fortune 1000 companies by AMR, 85% of respondents said that Sarbanes-Oxley will require changes to their IT and application infrastructure. This is reminiscent of the late 1990s, when companies made large investments in new systems to prepare for the Year 2000 (Y2K) date roll-over. If so, Sarbanes-Oxley comes none too soon for vendors of enterprise systems, who have been looking for the next Y2K since, well, Y2K.

A summary of Sarbanes-Oxley is on the AICPA web site.