Corporate IT Execs Unaware of SOX Compliance Responsibilities

An astounding 93 percent of chief information officers and other senior information technology executives are unaware of their IT control assessment responsibilities under Sarbanes-Oxley Section 404, according to Obian Inc.

That means that a significant number of companies could fail their 2004 corporate governance audit, according to the software maker, which interviewed 286 CIOs and senior corporate IT executives.

"We've found many executives who think they're sufficiently compliant, but they're not," said John Logan, Obian founder and president. Logan said that many executives incorrectly think that merely identifying and assessing the risk and control activities of their corporations' financial reporting systems, as they did to meet the deadline for Section 302 compliance, will meet the requirements of Section 404.

"Most corporate IT executives remain in the dark about their full responsibilities, even at this late stage, placing their companies at serious risk for failure," said Logan. "In fact, under the guidelines, if a company's CIO does not understand Sarbanes-Oxley Section 404 requirements, that alone demonstrates a deficiency in the control system."

The deadline for the majority of public companies to comply with Section 404 is Dec. 31, 2004.

"Part of the problem has been the vast confusion regarding exactly what is required," Logan continued. "While guidelines have been published, auditing firms are still interpreting them and building their own suite of even more detailed IT control tests. Companies would be foolish, however, to use this uncertainty as an excuse for inaction."
