by John M. Covaleski
Boston - The Sarbanes-Oxley law’s new standards for financial reporting have set the stage for a surge in information technology implementations that could be comparable to the Year 2000 compliance buying craze of the late 1990s, reports AMR Research.
Eighty-five percent of publicly traded companies in a recent AMR survey said that they plan to change their IT systems to satisfy the law’s tougher standards. The Boston-based technology research firm predicts that the Fortune 1,000 alone will spend $2.5 billion in planning and executing Sarbanes-related IT work.
The compliance-induced spending could lead to even more additional IT investment, AMR says in its “Prioritizing IT Investments for Sarbanes-Oxley Compliance” report.
“Many companies turned the Y2k problem into an opportunity to invest in new strategic systems, like enterprise resource planning,” the report says. “As with Y2k, companies can get the necessary gravity from Sarbanes-Oxley to promote” additional IT investment. Industry watchers generally agree that Y2k compliance resulted in one of the industry’s biggest selling booms ever.
Today’s Sarbanes-Oxley compliance concerns could be an opportunity for technology resellers and consultants to step forward in helping their public company clients assess their overall IT needs, according to AMR’s findings. Its survey found that 39 percent of companies facing Sarbanes-Oxley-mandated IT changes “will evaluate existing features and functions of applications and platforms already in place,” and more than 40 percent are evaluating their enterprise performance initiatives.
AMR identified the following Sarbanes-Oxley sections as IT-based compliance hurdles:
● Section 302 mandates that chief executive and financial officers certify their companies’ financial statements.
● Section 404 requires management to report on the effectiveness of their internal financial controls and for outside auditors to attest to the management reports.
● Section 409 requires companies to report material changes in their financial conditions “on a rapid and current basis.”
Other technology consulting-related provisions of Sarbanes-Oxley that are not identified by AMR include Section 103, which requires companies and their auditors to maintain all audit-related records for at least seven years, and the well-publicized Section 201 independence rule that prohibits auditors from providing IT services to their audit clients.
Comparing Sarbanes-Oxley to Y2k as a propellant for IT sales is a stretch because the law is limited to publicly traded companies, while Y2k affected all businesses - public and private - and non-commercial users of technology, such as nonprofits and governments.
However, there is a threat that Sarbanes-Oxley regulations will ultimately cascade down to other organizations. For example, this year, the General Accounting Office made the law’s audit independence rules applicable to governments, as well as to some nonprofits that receive federal funds.
Meanwhile, Sarbanes-Oxley and the Y2k issue share one similarity that is a potential IT planning factor: In each case, companies had time to prepare. The law is being phased in through 2005, while companies were forewarned about the need for Y2k changes several years in advance.
“The delay in [Sarbanes-Oxley] enforcement is great news for companies to thoroughly evaluate their options,” said AMR vice president John Hagerty. “Companies have the opportunity to use [it] as a justification for long-awaited IT projects that push systemic changes and improvements throughout the organization.”
From 309 to 404
While technology consulting firms have, for more than a year, been positioning to get engagements resulting from Section 309’s prohibition against auditors’ performing IT work, Section 404 work is now emerging as a consulting opportunity.
In essence, Section 404 requires companies’ management to establish adequate internal control procedures or financial reporting and to periodically assess the quality of those controls. It also requires the company’s auditor to attest to the quality of that assessment, but prohibits the auditor from assisting the company in making the assessment.
“Of all the directives set forth in the Sarbanes-Oxley legislation, Section 404 may have created the most questions among publicly held firms and, potentially, generated the most work for corporate accounting and IT departments,” said Everett Gibbs, managing director for Protiviti, a Menlo Park, Calif.-based consulting and risk management firm that concentrates on Sarbanes-Oxley compliance.
In Atlanta, Charlie Jones, a partner in the CPA firm Marshall, Jones & Co., is pulling together some 25 fellow CPAs in an alliance service to assist companies with Section 404. They will focus on helping with the internal controls assessments that the companies’ auditors are prohibited from assisting in. “This is an absolute goldmine opportunity. There is an unbelievable amount of companies that need help with 404,” Jones said.
The deadline for companies to comply with Section 404 ranges from June 2004 to May 2005, depending on each company’s fiscal year-end, according to Jefferson Wells International, a Milwaukee-based internal audit and consulting firm that is also concentrating on Sarbanes-Oxley compliance.
Separately, Big Four firm PricewaterhouseCoopers is part of a group that is hopeful that Sarbanes-Oxley requirements for more up-to-date financial information will drive demand for XBRL, the Internet-based programming code for business report information. PwC is among more than 200 organizations involved in XBRL International, a development effort that was established by the American Institute of CPAs in 1998.
Late last year, PwC issued a research document that praised XBRL’s potential to thwart fraudulent reporting by providing faster access to financial report data and greater transparency.
