A change for the better?

27 Jul 2006


The recent extradition of the NatWest Three businessmen on conspiracy charges relating to the Enron scandal highlighted the need for caution in financial reporting practices.

The transportation of the British financiers coincided with the fourth anniversary of the enactment in the US of Sarbanes-Oxley (SOX), a regulation designed to restore confidence in capital markets after the Enron and WorldCom scandals, through reforms to the accounting, financial reporting and corporate governance landscape.

Four years on and the legislative effects are still being felt, as the NatWest Three will testify. But it is not just suspected corporate fraudsters that need to proceed with care: IT directors, in particular, should take note.

SOX primarily affects public companies with a market capitalisation of $75m (£40.5m) or more that are listed on US exchanges. Although the regulation is focused strictly on financial reporting, it has a direct impact on IT controls.

Andy Morris, a partner in consultant Deloitte & Touche’s technology group, says Section 404 of SOX is the component that directly affects UK technology decision-makers. The section requires an annual assessment of controls over financial reporting processes.

In accordance with SOX, says Morris, UK-based companies will report on their controls for the first time at the end of this financial year, having had four years to get to grips with compliance.

‘In 2002 people didn’t know much about SOX and what it would require. As better guidance and standards came out during 2003 and 2004, people gained a deeper understanding of what Section 404 would mean for them across all areas, including IT,’ he says.

‘For a lot of companies with December year-ends, this year is the first time they have done the full assessment for real, rather than the dry runs they have carried out previously.’

The main change Morris has seen since SOX’s enactment is an increased understanding of what it means for IT, which has in turn driven a better awareness of the effectiveness of existing controls. This has led to significant improvements.

‘The first change is around security, in particular who can do what in your financial systems, who can authorise and create transactions, set up users – the basics of information security,’ he says.

‘The other is around change management: having a better controlled process by which system changes are developed, tested and implemented.’

Morris says a secondary software market has grown up alongside the requirement to comply with the regulations.

‘There are tools that have come onto the market in the past two to three years that businesses are implementing to support compliance to Section 404,’ he says.

Spending on SOX-related systems stands at $200m (£108.2m) and will peak in 2008 at $376m (£203.4m), according to Forrester Research. The analyst recently found that, although SOX compliance software was initially under-utilised, large companies are now investing to make the regulatory process more sustainable and efficient.

Steven Ashton, director of global IT business management at Dresdner Kleinwort, says SOX has allowed the investment bank to focus on its core competencies. ‘When we examine a new piece of regulation, we look at it differently from other organisations. We consider what we are doing right already, and not how we can fit in with that regulation,’ he says.

Ashton adds that by knowing its own systems, the company learned a simple lesson about compliance.

‘The SOX nightmare has brought us discipline. When we looked at our data centre we realised we were doing a lot of things right but we weren’t documenting it properly,’ he says.

Ashton believes falling in line with regulations can happen as a matter of course with good technology governance.

‘The difference between now and two years ago is that we can answer compliancy questions with confidence – even if compliance is a never-ending requirement,’ he says.

As well as the practical issue of changing business control processes, the culture and business environment have been altered by SOX.

Jonathan Pickworth, regulatory group partner at law firm DLA Piper Rudnick Gray Cary, says companies are operating in a much tougher business environment than five years ago.

He says SOX imposes new duties on directors of public companies, intensifying the disclosure obligations of such organisations.

‘The government takes the view that there is no way of getting large corporations to take their regulatory responsibilities seriously unless it can personalise responsibility on individual directors and senior managers, and can make sure it attributes blame when things go wrong,’ says Pickworth.

He adds that although SOX is US legislation, the knock-on effect is being felt around the world.

‘We’ve been talking for years about the long arm of the US regulators. You can’t operate in the UK and believe you are operating in isolation without considering the global impact of your business. We have a very one-sided extradition deal with the US,’ says Pickworth.

‘European companies think SOX does not apply to them because they don’t have a US listing. But the question you have to ask yourself if you are a non-US listed company is: when you uncover an integrity problem, what are you going to do about it and how are you going to satisfy your auditors?’

Even if a company does not have a US listing, Pickworth says it must now comply with the Companies (Audit, Investigations and Community Enterprise) Act 2004, which makes it a criminal offence to mislead auditors.

‘The act puts more onus on directors, individual officers or anybody who speaks to a company’s auditors, including tax accountants and lawyers. Everyone has to tread very carefully,’ he says.

‘What we’re seeing is auditors becoming sensitive to integrity issues in corporations and more active in requiring independent inquiries when they see potential problems.’

As well as auditors, Pickworth says the different regulators, such as the tax authority, Financial Services Authority and even the Serious Fraud Office, are targeting individual directors and decision-makers and making them accountable.

‘Each of the regulators has been given increased powers of enforcement and encouraged to use the criminal powers they already have. It does make the environment a little tougher,’ says Pickworth.

A harsher business atmosphere is not the only challenge that SOX presents. Companies are also finding that the cost of compliance is a significant part of their operating expenditure.

But Rachel Hunt, analyst at researcher IDC, says that regulation in fact presents an opportunity for financial institutions to streamline costs.

‘We have seen a lot of banks combining some of the investments they are making in SOX and Basel II, which obviously helps from a risk management and operational risk point of view,’ she says.

IDC analyst Gene Kim, meanwhile, believes the integration of different regulations could be viewed as a benefit of SOX.

‘There is a certain amount of regulatory fatigue in the financial sector, but at the same time industry pressure is pushing the issue of integration,’ he says.

‘All regulations have had the common themes of aggregating data and integrating information, although that is not always the easiest thing to do across a multi-line, multinational financial institution.’

Kim says the integration issue has always existed.

‘Sometimes it takes these regulatory initiatives to create some demand that at least leading, or more visionary, institutions can make use of,’ he says.

Yet the positive and negative effects of SOX compliance continue to fuel the debate over whether the legislation has done more harm than good, says Gartner analyst Jay Hiser.

‘My interpretation of SOX is that it has over-corrected, but when the dust settles we’ll have a higher level of expectation of both governance and transparency than we did before it was enacted,’ he says.

‘The problem on the whole has been poor implementation. SOX has been implemented largely by the auditing community, which has brought in a lot of junior people demanding that corporations do many things that aren’t necessarily relevant.’

Hiser says there is a contradiction between an auditor’s aim of ensuring that its client is compliant and the fact that compliance issues are an endless source of work.

‘We have created a system in which the auditors have both a negative and positive motivation, so it’s no wonder things have spiralled out of control,’ he says.

Forrester analyst Paul Hamerman says SOX is seen by most people as an onerous and expensive requirement. Early compliance efforts, he says, were a hectic learning experience. Now he sees a more mature compliance effort that is helping technology to support and improve the evaluation, automation and monitoring of internal controls.

Ovum analyst Graham Titterington says most large financial institutions know what they need to be SOX-compliant.

‘There has been a lot of education going on since 2002 and it won’t cause any major problems when the deadline comes around,’ he says.

IT directors will hope that everything goes smoothly because, as the case of the NatWest Three shows, the consequences of alleged business malpractice can be extremely grave.

What do you think? Email feedback@computing.co.uk
