The CIO time bomb

Obian president John R. Logan says most CIOs still don't know what's expected from them under new Sarbanes-Oxley rules.

CIOs are sitting on a time bomb, and most aren't even aware of it.

Under the Sarbanes-Oxley Act, new mandates went into effect this year that require CIOs to document the adequacy of their corporations' IT internal control systems. Most still mistakenly believe they're doing enough to comply when, in fact, it's not nearly enough to pass external audits.

The truth is that when it comes to corporate compliance, more than 80 percent of CIOs are unaware of their actual responsibilities. The problem is the absence of a free flow of communication among CIOs, their corporation's external auditors and the Public Company Accounting Oversight Board, or PCAOB, which is the organization that recommends Sarbanes-Oxley regulations.
Sarbanes-Oxley specifically constrains the types of conversations that can be conducted between an external auditor and the corporation's CIO. For example, conflict-of-interest avoidance rules in Sarbanes-Oxley prevent a corporation's external auditor from proactively recommending to the CIO a management process for documenting and assessing the organization's IT controls.

The PCAOB, which knows it has a problem on its hands, won't release IT control assessment guidelines for at least another three months. That's of little help to CIOs working for global corporations with fiscal years that end on Dec. 31.

In the meantime, the IT Governance Institute has released extensive guidelines on how to make sure IT controls comply. There is universal agreement among Sarbanes-Oxley experts that savvy CIOs who have correctly put in place and tested the controls described in this report will pass their external auditors' tests. The bad news is that it's still no picnic to implement.

Meeting these guidelines will require a tremendous amount of effort on the part of IT organizations. And the bulk of that work must be conducted by the corporation's IT professionals, who are not likely to be knowledgeable about Sarbanes-Oxley Section 404 requirements.

But it gets worse. The appalling news is that the internal controls assessment must be completed and signed off on by each U.S. public corporation's external auditor for fiscal year-end filings after Nov. 14, 2004.

For those CIOs whose corporations have a Dec. 31 fiscal year end, this means the assessment must be completed by the end of 2004. And it does not stop there; the assessment process is required to be an ongoing management responsibility. Significant changes in internal controls must be assessed and reported on a quarterly basis, and all internal controls must be reassessed annually.

Finally, this changes how CIOs manage. Under Section 404, CIOs will be required to demonstrate their success in achieving a positive attestation of IT controls assessment from a public auditor as a minimum requirement for holding that position.

Noncompliance, a missed deadline or reporting a material weakness in internal controls will certainly and significantly harm a company's shareholder value and business relationships, as well as executives' careers.

Whether they ever sought the limelight before, CIOs are under the radar no more.