Nashville, Tenn.-based Corrections Corp. of America is the largest for-profit prison company in the nation.
It's a nice place to work, but chief information officer (CIO) John Pfeiffer doesn't want to serve time there.
Experts have long warned that CIOs and other executives of public companies risk prison time for violating the Sarbanes-Oxley Act. The gravity of SOX is clear, with nearly 300 firms recently indicating they will miss their annual report filing deadlines, according to the Securities and Exchange Commission. Many of those firms said they were having trouble reviewing and signing off on their financial reporting procedures, a requirement of SOX.
Larry Baye, a principal with Grant Thornton LLP in New York, said more companies are reporting deficiencies than ever before.
But SOX shock in the data center may have worn off some during the past year. Many CIOs like Pfeiffer, who worked hard to get their data centers compliant in 2004, have a better idea of what it takes to be compliant in 2005.
"This year, we expect the same level of burden, but we could budget for it and plan our project load," he said. "If they come up with something new, it won't be anything we're not ready for."
Shawn Wilde, CIO of Trimble Navigation Ltd. in Sunnyvale, Calif., said his company passed the most recent audit with no deficiencies. Now his staff is focused on keeping their controls effective with a minimal amount of labor.
"We need to figure out how we want to adjust the controls this year to lower the risk of non-compliance and make them better for our business," he said.
Wilde added that it would be helpful to know what to expect from auditors this year. "The challenge now for most CIOs is to meet with auditors and find out what's changing," he said. "We hope we'll get some guidance this year."
Some auditors might have trouble offering guidance because they too have been riding the SOX learning curve. "I've been surprised at how much of accounting is an art subject to interpretation and not a science," said Grant Thornton's Baye.
He's been surprised by the great effort, resources and costs companies have mustered to comply. The challenge this year, he said, is to sustain compliance for the long haul. Streamlining and automating processes and controls will help. "The more it's automated, the less they have to be tested and the less subject they are to manual error," he said.
Also, less is more. "IT directors are recognizing that multiple systems create complexity in procedures."
Baye also believes CIOs need to figure out how to monitor and assess controls routinely. "How do you build it in on a routine basis, and how would anyone know inadequate testing is being done before it goes into a live mode?" he said.
2005: 'A different effort entirely'
SOX may have been a side project for many companies last year, but now the challenge for CIOs is making compliance a standard, embedded part of the entire organization, said Cal Braunstein, executive director of research for consulting firm Robert Frances Group. "That's a different effort entirely."
To accomplish this, Braunstein said he believes that IT execs should not take over the entire compliance effort. "SOX impacts more than IT; everyone must be in the same boat," he said.
He recommends establishing a high-level steering committee, so that when corporate decisions are made, IT is executing what the company has agreed to -- and isn't working independently.
"The bottom line is, you need to head toward what your corporate auditors feel is appropriate," he said. "Corporate auditors and outside auditors don't agree all the time, and if a decision needs to be made when there are differing opinions, I'd go with corporate auditors."
Sandy Hofmann, CIO of software firm Mapics Inc. in Alpharetta, Ga., wasn't worried last year or this year. She had application portfolio management in place before SOX. "So much of SOX is common sense and basic good business practice that we had [already] deployed here," she said. "We needed to ensure it was deployed throughout finance systems."
Her advice to CIOs still sweating SOX? Get outside help. It's too late to build skills inside, she said, so it's best to look to risk management and consulting companies for a helpful framework.
"We had the practices; we just needed them in a format that was easily understood by auditors," she said. "Having someone who can interpret what SOX guidelines translate into IT and other areas of business is helpful."
Darn that SOX!
Still, SOX compliance hasn't been without its headaches. "The toughest thing is taking people away from day-to-day business to spend time on this when there's little obvious direct return to customers or shareholders," Hofmann said.
"Every hour we spend on this is clearly an hour we're not spending on business value creation," concurred Pfeiffer. He said that he and his staff worked many 12-15 hour days because they already had business-critical projects under way they couldn't put on hold for SOX. "We had to slog through," he said. "You just have to work harder."
And a little clarity wouldn't hurt.
"We still don't know a lot about SOX," Wilde said. "I really think it's going to take another full year to get the ground rules sorted out."
About the author: Ed Parry has covered the IT industry for TechTarget since 2000. He is a freelance writer in Chattanooga, Tenn., and writes broadcast news for WSB-TV in Atlanta.