Sarbanes-Oxley

Congress mandates financial controls and reports

As a reaction to the accounting scandals of the late 1990s and early 2000s, Congress passed the Sarbanes-Oxley Act of 2002 (H.R. 3763), whose stated purpose is "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."

This law establishes the Public Company Accounting Oversight Board (Title I); requires that the auditor be independent (Title II); strengthens the audit committee of the board of a public company by requiring that its members be independent and that the committee appoint and oversee the auditor (Title III); and enhances the financial statements of public companies by requiring disclosure of all material correcting adjustments identified by the auditor (Title IV). (Note that the term "public company" here covers every company required to report to the SEC, even if its equity is privately held.)

Each of these will have a substantial impact on public companies. However, the fourth item, Title IV, is the one likely to have the greatest impact on the information systems operations of public companies. Section 404 in that title requires management to state in the annual report its responsibility for internal control over financial reporting, to assess the effectiveness of that control, and to have the company's auditor attest to and report on management's assessment.

The following deserves the attention of the CEO, CIO, CFO and the other members of senior management:

  • For many public companies, investments in information systems represent over half of capital expenditures. In financial service firms, investment in IT projects can approach 100%.
  • Information systems projects have a poor delivery record: over 75% of major projects are late, over budget or deficient in planned functionality.

The following extracts, taken from the certification requirements of Section 302 of the Act, are the parts that most directly require action on information systems:

(4) The signing officers—[the CEO, CFO or others with these responsibilities]

(A) Are responsible for establishing and maintaining internal controls;

(B) Have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;

(C) Have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report;

(D) Have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;

Facts of life:

  • 75% of all large IT projects fail in at least one of these ways:
    • Late
    • Over budget
    • Lacking planned functionality
  • Current reporting systems are focused on costs first, schedule second, and functionality almost never.

Few IT organizations have control systems adequate to monitor all three dimensions of project management. Virtually no line managers understand the issues associated with sponsoring a major project: controlling scope, testing from concept through delivery, and participating effectively in the project.

The article below describes the issues, and the approaches to resolving them, in completing IT projects on time, in budget and with planned functionality, and in monitoring the progress of projects during their development cycle.

Sarbanes-Oxley Compliance Methodology

To comply with Title IV of Sarbanes-Oxley, a firm must be able to state that its internal control processes are adequate and that the activities the firm performs are in conformance with the law.

Thus there are two dimensions every public firm must consider, as illustrated by a 2-by-2 matrix: Methodology on one axis and Activities on the other. Either can be in control or out of control.

Methodology includes the definition of the processes the firm uses to plan activities, report performance against plan, identify issues, and take action to bring out-of-control activities back into control.

Activities are instances of the work that flows through those processes. Methodology and activities are judged separately. For example, a firm may have a well-defined process for defining the requirements of a new system and for estimating the time and cost to develop and implement it, but may not have an equally strong process for estimating the value to be gained and then measuring the value actually gained against that expectation. Both are methodologies; one is adequate, the other is not.

For a given project, the customer may know what he wants in a new system and have estimated the value to be gained by its implementation, the project manager may develop an excellent plan with just the right number and quality of resources to match the plan, the reporting system may capture the results as they occur and report to all appropriate levels of management – all of which would be evidence of an Activity “In Control”.

Or the customer's needs may change, with shifts in market and competition, faster than the system development process can respond. The project manager may be new to the position and untrained in project design, estimating, staffing and reporting. Skills may not match needs. Reporting systems may be adequate, but if employees have no motivation to report completely and on time, the reported results may not match reality.

Individual activities may get out of control even in organizations with a well-designed methodology. Conversely, smaller companies whose IT organizations are tightly integrated with the business units they support may deliver system development activities on time, in budget and with the needed functionality without any formal methodology. While this may work in a small organization, in a large company it is analogous to walking a high wire strung 200 feet above the street between two office buildings, without a safety net.

Methodology provides the safety net that enables organizations to put ordinary individuals in important roles and guide them to plan, organize, perform and report on the performance of key activities. It is the combination of methodology and performance that enables public companies and their auditors to assure regulators and investors that the internal processes are adequate to comply with Sarbanes-Oxley.

Role of CEO Counselors

CEO Counselors audits your IT Methodology and Activities by performing the following tasks:

Meet with the client and jointly define the scope, range, and depth of the assignment.

    • Scope: how far we carry our analysis from problem identification through recommendations, and the specific roles of our consultants and the client's staff.
    • Range: the functions and organizational units to be included in the study.
    • Depth: the level of detail required to meet the client's needs.

Identify the business processes in place at a client for information technology activities:

    • Review the processes for managing new systems developments, maintaining existing systems, operations, telecommunications, user support, and financial management of IT activities.
    • Review the measures employed to control the processes and the systems used to convert those measures into useful management information.
    • Analyze the adequacy of the processes, measures, and systems to keep management apprised of the status of IT activities. If appropriate, present a recommendation to management on improvements needed in processes, measures or systems.

Characterize each process as to its degree of control: Use CEO Counselors' Process Control Scorecard to evaluate all IT functions to determine the “in-control” score of each. Some of these will have adequate controls; some will not.

For the in-control activities, define the key indicators to be collected for Sarbanes-Oxley (S-O) reporting and included in the consolidated reporting system described below.

For the out-of-control items, specify the data and analyses required for Sarbanes-Oxley compliance.

To illustrate this process we use the systems development function, often the most out of control, as an example. Other out-of-control functions are handled in a similar fashion.

5.1 Examine and analyze existing business processes and the information systems supporting them.

Project Management

  i. Project plans: their quality and granularity; is the level of detail adequate to support the needs of S-O reporting?
  ii. Do the project plans include specification and tracking of benefits?
  iii. Is there a sound project management methodology in place?
  iv. Is the methodology adequate to the task and the company?
  v. Is it implemented well?

Project management software

  i. Is it adequate to the task and the company?
  ii. Can it be used to track S-O required data?
  iii. Adequate PM software must be able to compare initial estimates of time, cost and functionality with current estimates and with projections of each dimension at expected completion.
  iv. Are outputs available in time to take appropriate management action?

Benefits tracking

  i. Is identification and quantification of benefits a part of the project planning and approval process?
  ii. Is there a process in place to track benefits on a project-by-project basis?
  iii. Is there software in place to support this process?

Financial reporting

  i. Does (or can) the financial reporting system identify expenditures by project as well as by item of expense?
  ii. Are outputs available in timely fashion?

5.2 Develop a report for management that summarizes the results of the analysis and recommends the actions needed to bring both Methodology and Activities into compliance with the requirements of Sarbanes-Oxley.

If requested, CEO Counselors will develop and implement the changes recommended in our report, as summarized in the following points:

  • Make the changes and additions to business processes and to supporting software suggested by these analyses.
  • Specify, design and install a benefit tracking business process and a supporting information system.
  • Specify, design and install a Consolidated Project Analysis and Reporting System that brings together data from all projects and from all other IT activities.
  • Identify further uses of this system to improve the management and productivity of IS in other areas. Possibilities include:
    • Strategic IT planning, because the system can support a convenient way of analyzing the portfolio of IT projects and activities.
    • IT project cost/benefit analysis, because the system will provide standard definitions and formats for computing and displaying the results of these analyses.
    • Others that meet specific needs of the client.

Copyright © 2003 CEO Counselors