A Marriage of Compliance - the CFO and CIO

The Sarbanes-Oxley Act made corporate governance a global priority but, six years after its introduction, how many companies fully realise the importance of the relationship between their financial information and their IT infrastructure?

The introduction of Sarbanes-Oxley in 2002 put corporate governance firmly in the spotlight. Focused on robust, transparent reporting and auditing of financial information, the legislation laid out clear requirements for business processes, policies, reporting and testing. It was, however, only the latest iteration of a series of domestic and international laws that lay down the framework for transparent and effective corporate governance.

With the vast majority of a corporation's financial information held in IT applications, it is impossible to consider its processes and reporting in isolation from its IT infrastructure. And yet, this is precisely what happens at many businesses. A lack of co-operation between finance and IT departments is endangering compliance efforts and exposing businesses to unnecessary risk.

To put this into perspective, many of the procedures required by Sarbanes-Oxley are acknowledged best practice and includes measures that many shareholders expect to be in place. And yet, in the US, compliance is still causing difficulties. Last year, 1,876 US businesses filed earnings restatements with the Securities and Exchange Commission, compared with 1,296 in 2005 and 650 in 2004 (Glass, Lewis and Co). In 2001, the year before the Sarbanes-Oxley Act became law, there were only 452 restatements.

I would suggest that if those company boards across Europe not covered by SOX's remit were to subject themselves to the gold standard of the Sarbanes Oxley 404, we could expect to see the failure rate reduced by half. Finance and IT departments operate in isolation at too many European corporations rather than taking an integrated approach.

Supporting Compliance with IT

There are a number of principal considerations a CFO faces in gearing a business to meet the regulatory requirements governing its financial information:

• Policy - putting in place the required policies and procedures.
• Checks and balances - establishing control of business workflows, transactions and approvals, setting up rigorous reporting and auditing processes, and ensuring that duties are clearly segregated.
• Security - ensuring that information is protected and that employees have appropriate access rights according to job roles and responsibilities.

Information systems provide the framework to manage all of these requirements. The automation of business processes, transactions and approvals allows for standardised procedures to be rolled out across the business, supporting adherence to policy. The more a business automates this flow of data, the greater the controls are and the less the exposure to irregular transactions. Standardised processes are also extremely valuable in supporting the integration of separate businesses during merger and acquisitions, providing a template across the business.

For checks and balances, reporting tools provide clear audit trails of activity and identify anomalous activity. Where security is concerned, IT provides the insight on how information is managed, stored, secured, retained and accessed within a corporation's systems. A crucial element of this work is managing the system access of database administrators to ensure that they don't have unfettered control and visibility of confidential information. The information systems can carry out testing to ensure that the business's systems and processes meet the required regulatory demands.

CFOs clearly have much to gain from articulating their exact requirements to their counterparts in the IT department and from collaborating closely to addressing these needs. The role of chief information officer (CIO) too comes with its own responsibilities in ensuring these needs are supported.

The CIO's Duties

IT has evolved from being a support function that enhances productivity, to a critical channel where business is conducted and delivered, and without which businesses would fail. In industries like banking, insurance, communications, media and utilities, often the only interaction a customer has with a supplier is conducted via technology. It is thus more important than ever for organisations to ensure that their IT infrastructures are secure, trustworthy, efficient and compliant.

As IT becomes more of a strategic function, there is an increasing need for it to align itself more closely with the business in order to better understand the business's strategic objectives; to be able to prioritise IT investment requests in light of those objectives, and to ensure that IT projects deliver the functionality and value expected of them. This includes IT being able to turn down requests for new projects if not relevant to the organisation's strategic objectives, and to educate the business regarding what is and is not possible to achieve with the given budget, time and resources.

A close working relationship between a CIO and CFO establishes the grounds for fruitful communication on how the IT department can most effectively support the business's strategic needs.

Good for Business

Getting compliance procedures right does more than keep regulatory trouble from the door; it strengthens share prices and improves perception among the investment community and other industry stakeholders. Companies reporting no SOX material weaknesses in 2004 and 2005 saw stock performance increase by 28%, while companies reporting material weaknesses in both years saw stock performance decline by 6% (Lord & Benoit). While an Economist Intelligence Unit report found that good corporate governance (58%) and transparency of corporate dealings (51%) were rated among the three most important aspects of corporate responsibility by executives surveyed. For institutional investors, these figures were even higher.

The flip-side of the debate is the severe damage that can be inflicted on a company's brand and reputation if its compliance procedures are found lacking. It is the duty of the CFO and CIO to ensure the effective cooperation of their departments in not just fulfilling but benefiting from the business's compliance endeavours. To neglect this responsibility is to short-change shareholders.

Article by Brian Gregory is senior director responsible for Financials and Corporate Governance solutions in EMEA. Prior to this role, he was part of the World Wide marketing group with responsibilities for overseeing the campaign activities in Europe, Middle East and Africa. From 1975 to 1986 he worked for Ernst & Young qualifying as a Chartered Accountant in 1978.