Paring SOX Down to Size: The Impact of Sarbanes-Oxley on IT Governance Cal Braunstein CEO and Executive Director of Research Robert Frances Group.

Presentation transcript:

Paring SOX Down to Size: The Impact of Sarbanes-Oxley on IT Governance Cal Braunstein CEO and Executive Director of Research Robert Frances Group

Copyright © 2004 by RFG. All Rights Reserved.

Robert Frances Group
Robert Frances Group provides consulting and research services to clients who are senior executives in IT and LOB management, as well as marketing/sales executives at companies that provide IT and communications services and products. RFG's core competency is aligning business with IT. One component of RFG research focuses on analyzing the impact that compliance legislation will have on IT infrastructure investments and corporate governance.

Agenda
- What is SOX? What does it require, why, and who cares?
- State of the market
- Investments and organization
- Building a defensible compliance strategy
- Recommendations

"We did not formally build a compliance architecture. It just sort of happened."

The Sarbanes-Oxley Act of 2002
- Increasing responsibilities and liabilities for: CEOs, CFOs, independent auditors, boards/committees
- Internal controls: adequacy, changes
- Auditors and management must report and attest to the accuracy of financial statements and disclosures

The Sarbanes-Oxley Act of 2002
- Applies to US public companies, private companies with public debt, and accounting firms
- Does not exempt foreign private firms or non-U.S. public accounting firms
- Driven by the Enron, Tyco and WorldCom fiascos
- SOX has sections covering:
   Reporting – improves disclosure requirements
   Roles – strengthens corporate governance
   Conduct – expands on accountability
   Enforcement – improves oversight
   Penalties – broadens sanctions
   Relationships – forces auditor independence

Why is it a Big Deal for IT?
- Lack of comprehensive documentation of existing internal controls at most firms
- No comprehensive evaluation of internal controls by the majority of firms
- SOX often has to be fit into on-going development activities
- Limited resources available
- 1 in 10 companies have made financial restatements in the past five years (U.S. GAO study)

What the Fortune 50 are Saying
- "Our controller's department has direct responsibility for Sarbanes-Oxley implementation. We have a program team with finance devoted to this today."
- "We are still trying to put together a plan of what should be the overall governance of all IT systems. We want to use the structure we have put in place for Sarbanes-Oxley to be used for other compliance initiatives."
- "Our success in working through activities the first time has depended on buy in from the CEO and CFO."
- "The IT compliance manager and internal audit are joined at the hip and coordinate all activities together."

Big IT Impact Anticipated

People, Processes and Systems will be Impacted

Which Provisions Apply to IT?
- 302 – Corporate responsibility for financial reporting
   Is our financial data accurate?
   Do we have transaction-level detail if required?
   Do we understand all the processes involved?
- 404 – Annual management assessment of internal controls
   How does our control structure operate?
   Who is accountable? Is it monitored? Is it documented?
- 409 – Real-time disclosure of material changes
- 802 – Retention of relevant records for audits/reviews

Emerging IT Requirements/Impact
Definitely influence, perhaps certify…
- Anti-fraud techniques – development & operations
- Change management process
- Data integrity
- Disaster recovery practices
- Electronic records retention policy
   "properly recorded and reported" transactions
   "reasonable assurance" test
- Integrity of communications
- Patch management
- Process/work flows – internal & partners
- Security policies and practices
   SOX compliance built into overall security architecture

Survey chart: What is SOX's impact on IT?
Response options: Minimal / Some impact / Big impact / Impacts most of development and operations

Key 404 Dates and Penalties
- For public companies with market cap > $75 million: June 15, 2004, now November 15, 2004
- For all other public companies: April 15, 2005, now July 15, 2005
Penalties:
- CEO/CFO knowingly submits a wrong certification – $1 million and up to 10 years in jail
- If the wrong certification is submitted "willfully" – up to $5 million and 20 years in jail

Spending Levels
- Most Fortune 100 companies spend less than $3 million per year on IT compliance initiatives and have 3 to 6 compliance staff across the organization dedicated to compliance, consisting of finance and IT personnel.
- First-year costs related to complying with a specific compliance directive may be two or three times higher than follow-on years.
- Most companies are working compliance into existing budgets as much as possible and as needed. They do not generally know exactly what they are spending.

IT Implementation Costs

Cost category                             One-time / initial costs    Ongoing / annual costs
Finance/accounting/reporting expansion    $250,000 - $500,000         $250,000 - $300,000
Process improvements                      $200,000 - $400,000         $100,000 - $200,000
System enhancements                       $250,000 - $500,000         $200,000 - $300,000
Consulting services                       $200,000 - $300,000         $100,000 - $200,000
Total added IT costs                      $900,000 - $1,700,000       $650,000 - $1,000,000

Source: PricewaterhouseCoopers LLP & RFG

Survey chart: Should I care?
Response options: No, not asked to participate / No, project belongs to another / Yes, but not a big deal / "Bet your job" project / Job put on the line annually

Key Organizational Issues
- The Sarbanes-Oxley Act of 2002 has brought companies to focus on a more centralized way to address governance and compliance.
- Centralized authority usually resides in finance or an audit group for assuring overall regulatory compliance.
- IT compliance is treated as an operational consideration and is usually handled by an IT compliance officer or an IT compliance committee.
- Companies normally have a compliance committee that consists of members from IT, finance and lines of business (LOBs). The committee facilitates constant and clear communications among the member departments.

Organizational Structure (chart)
- Internal Audit or Controller has overall responsibility for SOX compliance for all systems and operations
- Compliance Task Force within Finance
- Overall Compliance Task Force with participants from across the organization; Audit & IT are members
- Director or VP of IT Compliance provides input and recommends action to IT operating groups
- Exec Steering Committee / IT Steering Committee / Applications / Programming

Which Departments Are Affected?

Building a Defensible Compliance Strategy
Three Lines of Defense:
- "I made a mistake."
- "I bought a mistake."
- "Nobody could do it better."

"Nobody could do it better." (so sue us all and shut down our industry)

Benefits: Peers are in the best position to develop common best practices.
Risks: In the event of non-compliance, a penalty to one participant results in a penalty to all. Minimized if sharing partners have similar reputations in one's market.

Collaborate & Share: If a group of leading firms collaborates to develop best practices for compliance and fails, it may serve as an informal proof of difficulty or regulatory ambiguity. It would be much more difficult to extract the maximum penalty from each of them than if any one individually came up with the same solution and failed alone.

Key Findings of Recent Research
- Companies are not focusing on technology fixes; instead on auditing, procedures and reporting.
- Most are not buying new technology to solve the problem, but may upgrade or partially replace systems to address it. Most drive to 90%.
- Split on whether finance understands the technology issues involved in SOX compliance, and whether IT understands the business issues.
- IT will be affected by SOX, more so than all other departments except finance.
- Most viewed SOX compliance as more resource intensive than other regulatory compliance projects.
- Confident that 404 requirements will be met.
- Almost 1 in 10 think their job is at risk if the firm is non-compliant, and 1 in 4 must certify results personally.
- Successful companies have strong support by CxO management in driving compliance activities across the organization. It was not just the role of the CIO.

Recommendations
- Establish an overall cross-functional compliance team and a dedicated sub-team managed by a director-level person. The team should be supported by C-level executives and include executives from finance, IT, legal, marketing and affected business units.
- Coordinate IT activities within the scope of an overall security and disaster recovery plan.
- Have Finance or Audit take final responsibility to ensure compliance with SOX.
- Marketing should take the lead on customer data usage decisions affecting privacy as well as the Do Not Call Registry.
- IT is one input to the whole process.

Survey chart: What must one do to be compliant?
Response options (each level includes the ones above it):
- Nothing
- Test and document only
- Become process oriented + above
- Build a wall between development and operations + above
- Beef up security, change management, e-records retention, anti-fraud techniques, and patch management + above
- Audit outsourcers (development and operations) and business partners with access + above

Questions & Answers
Cal Braunstein, CEO/Executive Director of Research
Robert Frances Group, Business Advisors to IT Executives
phone: x104 (US Eastern Time)
fax:

About RFG
Business Model
- Single service model
- Focus on IT executive issues
- S.P.O.R.T. Model
- Hybrid retainer consulting model

SPORT Model
- Strategies, SLAs
- Processes, Procedures, Policies, Best Practices, and Politics
- Organizational, Operational Issues
- Resources, Regulations, ROI/ROV and Requirements
- Technology, and Ts & Cs

Unique Attributes
- Unique demand-driven research: in-context vs. trend/futures focus; business requirements vs. product focus; primary research vs. packaged
- Blended client base: 85% end-users; 15% vendors
- Risk, regulatory, and compliance research focus since 1998
- Architecture, infrastructure and operations expertise
- Analysts were IT executives