Relief from Sarbanes-Oxley on the way?

For Tom Arnold and the information technology department at StorageTek, complying with the Sarbanes-Oxley Act has been expensive, confusing and never ending.

The absence of clear guidance from government officials or auditing firms about the antifraud law has meant that IT personnel have felt compelled at times to go to extremes, said Arnold, who as corporate controller supervised the data storage company's efforts to abide by one of the law's key provisions, which took effect last year.

For example, the IT department at one point thought it needed to keep track of the previous 10 computer passwords used by StorageTek employees, rather than just the three archived by the company's business software. In addition, some argued the company--which is now being acquired by Sun Microsystems--required an electricity generator at its offices in Colorado so its computer systems would continue to run in the event of a power failure.

Eventually, StorageTek decided it could stick with the three previous passwords and skip the generator in favor of relying on copies of data stored off-site. Even so, the IT department spent more than $1 million and a fair amount of time to comply with the law commonly called "SOX."

It was "quite a bit of work," Arnold said. "Our IT department wanted to hold ourselves to a higher standard than SOX required in some cases."

StorageTek's IT department is among many finding it a challenge to abide by SOX, the corporate disclosure law passed by Congress in the wake of scandals such as the Enron debacle. Shifting interpretations of the law have been a problem, according to analyst John Hagerty at AMR Research.

New guidelines from regulators could make life easier on chief information officers and others minding IT shops. Even so, plenty of attention will be required to keep up with the law in the future, Hagerty argued. "SOX is not a project--it's an ongoing process," he said.

The Sarbanes-Oxley Act is part of a broader array of new regulations--another is the Health Insurance Portability and Accountability Act--that have come to affect corporations in recent years. Congress passed SOX in 2002 in order to "protect investors by improving the accuracy and reliability of corporate disclosures." A key portion of the law is Section 404. Thanks to it, publicly traded companies have to include in their annual reports a review of the company's internal control over financial reporting, and a related auditor's rundown.

An example of a control might be the process a company follows when it makes a change to its accounts-payable software. Testing the change before it is made part of the live, "production" system may be required, along with written approval by a manager.

Big public companies had to comply with Section 404 beginning Nov. 15. Smaller public companies will have to meet section 404's requirements starting in July of next year.

IT departments are touched by this piece of SOX because the computer systems they oversee do such things as manage billing, accounting and financial reporting. In addition, IT operations frequently have sizable budgets and themselves are responsible for a significant chunk of a business' expenses.

But exactly what chief information officers need to do

to meet the letter of the law and related regulations from the U.S. Securities and Exchange Commission has been difficult to discern, AMR's Hagerty said. Interpretations of the rules changed over time, to the frustration of CIOs in 2004, he suggested. "Most IT organizations will tell you (SOX compliance) was disruptive," he said. "Section 404 is the part that caused people the heartburn."

StorageTek's Arnold suggested that the effort to comply with SOX last year was somewhat frenzied for the various parties involved--including regulators and auditors. "Everyone was in such a hurry," he said. "There was a lot of misunderstanding and misinterpretation."

At one point, independent auditors argued that when StorageTek clerks were confirming purchases with a computer keystroke, they should first print out the document that was on their screens. But that would have created a huge amount of paperwork with little SOX-related value, according to Arnold. "We said, 'absolutely not.'" The auditors backed off from the request.

Some IT departments seem to have responded to SOX by documenting a wide range of activities, including apparently trivial ones.

"Has anyone else's company gone off the deep end on (quality assurance) documentation supposedly to be in compliance with SOX?," Walter Robinson, a CNET News.com reader, wrote in response to a recent column.

"We're to the point that it takes about a day to produce the various change documentation for a one-line code change," Robinson wrote. "And the 'QA' department says that we are being told by third-party auditors that we have to be this inefficient in order to be in compliance with SOX. And it's not like these rules are only being applied on systems that maintain the (company's) financial data; it's being applied across the company. Why does SOX care if I widen the description field on the product table allowing them to have a 5-character longer style name for a pair of shoes?"

Consultant Steve DeLaCastro, though, has a different take on how much IT departments have done related to SOX. "I've actually noticed them doing less than they have to," said DeLaCastro, who focuses on outsourcing arrangements for professional services firm Tatum Partners. DeLaCastro argues that some IT shops have not gathered the proper evidence that their controls are in place and effective.

In addition, DeLaCastro suggested, companies using outsourcers may be out of compliance with SOX in part because controls aren't being audited. "They're not thinking about their outsourcing relationship, and what it means" for SOX, DeLaCastro said.

IT spending bonanza
DeLaCastro's group is one of many vendors of technology services or products that have stepped in to help companies comply with SOX. Vendor interest in SOX isn't surprising. AMR estimates that total spending on SOX compliance will rise from the $5.7 billion shelled out

last year to $6.1 billion this year. The portion spent just on technology is expected to grow from 2004's $1.1 billion to $1.7 billion this year, according to AMR.

Hewlett-Packard offers SOX-related services such as "risk-management" consulting that assesses a company's IT controls. Ismail Pishori, director of HP's risk management and compliance practice for clients in the financial services industry, says that although CIOs may complain about SOX, they recognize that the scrutiny of operations helps them become more efficient, as well as better at preventing problems. "Even the most vocal opponents of SOX will admit there is some benefit," he said.

Thanks to new official guidance issued last month, CIOs may have even less to complain about when it comes to SOX. In the wake of feedback about Section 404, the SEC tried to clarify what needs to be tested when it comes to "general IT controls." General IT controls include controls over program development, program changes and access to programs and data.

"While the extent of documentation and testing requires the use of judgment, the (SEC) staff expects management to document and test relevant general IT controls in addition to appropriate application-level controls that are designed to ensure that financial information generated from a company's application systems can reasonably be relied upon," the SEC said last month. "For purposes of the Section 404 assessment, the staff would not expect testing of general IT controls that do not pertain to financial reporting."

In releasing the advice about IT controls, the SEC said compliance with Section 404 during its first year of implementation may have been costlier than needed, "due to excessive, duplicative or misfocused efforts."

StorageTek's Arnold welcomes the recent guidance from the SEC and additional advice from the new agency created by SOX to oversee auditing firms, the Public Company Accounting Oversight Board. The latest guidelines should let company management use greater discretion when it comes to key controls over financial information, Arnold said. He also said President Bush's appointee to take over the reins of the SEC, free market champion Christopher Cox, should help matters.

Still, Arnold said, much will depend on how auditing firms interpret the new directions.

In any event, he has positive feelings overall about SOX. That's partly because StorageTek--and Sun--may benefit by selling products that help companies comply, and partly because the rigors of the law help an IT department find its inefficiencies. There's still another benefit for tech operations, he said. In contrast to recent years of belt-tightening, the SOX era allows chief information officers to regain some clout in how a company runs, said Arnold.

"More than anything, (SOX) gives IT organizations a bigger say."