

124 • HOSPITALITY UPGRADE • www.hospitalityupgrade.com | Spring 2005

Sarbanes-Oxley Compliance and the Evolving Role of IT
Corporate Governance, Measurable Controls and Storage Implications

By Todd N. Throckmorton and Moira Berman

Though the Sarbanes-Oxley Act is written to address the financial reporting of public companies, it has had a much farther-reaching effect, particularly in information technology (IT) departments.

SOX COMPLIANCE: Your IT department has been thrust into a new paradigm.

The Sarbanes-Oxley Act (SOX), named after the two congressmen who drafted this legal bill, was introduced to corporate America in 2002. The bill was created in response to the infamous corporate scandals of Enron, WorldCom and Tyco, to name a few, and is currently in the process of being implemented by public companies in the United States. Due to the excessive behavior and mistrust of the corporate executives within the above entities, a new responsibility has been imposed upon executive management for public companies: the absolute accountability and verification of the company’s financial reporting to the SEC. Though the Sarbanes-Oxley Act is written to address the financial reporting of public companies, it has had a much farther-reaching effect, particularly in information technology (IT) departments.

With the inception of SOX in 2002, the common perception was that IT would be peripherally affected, primarily needing to show that systems and data are secure. Only recently has the role and contribution of IT to SOX compliance been augmented, in keeping with the auditors’ enhanced understanding of how far-reaching the act has become.

Because of these changes, IT departments have been thrust into a new paradigm with regard to their daily responsibilities and their integral role in corporate compliance within an organization. To meet SOX implementation, IT departments must work closely with executive management. The typical chief executive officer and chief financial officer often do not know the intricacies of technology and the vast amounts of data that run through the technology infrastructure. Therefore, CIOs, IT directors and managers must now take the necessary steps to help the finance department deal with the imposing challenge of financial data retention, and must also implement the controls needed to satisfy SOX from an IT perspective.

What is often overlooked with IT implementation of SOX is that it is not just about stating and adhering to policies and procedures, as so many people assume. More importantly, it is about documenting and adhering to the controls that must be implemented to safeguard the integrity of the financial statements. Policies and procedures make up the backbone for any company from a legal and good business practice perspective. However, with regard to SOX, policies and procedures don’t address the controls that need to be in place to ensure that the policy is adhered to and the risk to the financials is minimized. Controls must be clear and verifiable in order for a company to be viewed as compliant by a SOX audit. In many cases this has caused a reversal in how policy and procedure are now developed: a backward migration from the controls standpoint. As an example, we all have procedures for how to back up our daily sales data. What needs addressing is the accountability of who is backing up this data, proof that it is done and completed successfully, and evidence of any action taken if the backup did not complete effectively. Based on the controls needed to ensure backups occur appropriately, the procedures are reengineered, and in many situations the IT control drives the procedure. These verifiable controls add a layer to the backup procedures and accordingly add to the activities of the person in charge of these tasks.
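The backup control just described has three measurable parts: who ran the backup, proof that it completed correctly, and evidence of what was done when it did not. The Python script below is an added example, not code from the article or its authors, showing one way to produce that evidence. It copies a file, confirms the copy by SHA-256 digest, records operator, timestamp and outcome in a hash-chained JSON-lines log, links any remediation to the failed entry it addresses, and lists failures that still have no recorded follow-up. The file names, the `night-ops` operator and the sales figures are constructed placeholders; the log format is an assumption of this example, not anything prescribed by SOX or COBIT.

```python
"""Verifiable backup control: evidence of who ran a backup, whether it
completed, and what was done about failures, in a tamper-evident log."""
import getpass
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

GENESIS = "0" * 64  # chain anchor for the first evidence entry


def _now() -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(source: Path, dest_dir: Path, operator: str = "") -> dict:
    """Copy `source` into `dest_dir` and return a control record: who, when,
    outcome, and a digest an auditor can use to confirm the copy matches."""
    record = {"type": "backup", "operator": operator or getpass.getuser(),
              "ts": _now(), "source": str(source), "target": None,
              "status": "failed", "sha256": None, "error": None}
    try:
        dest_dir.mkdir(parents=True, exist_ok=True)
        target = dest_dir / source.name
        shutil.copy2(source, target)
        digest = sha256_file(target)
        if digest != sha256_file(source):  # a copy exists but is not faithful
            raise OSError("digest mismatch after copy")
        record.update(status="success", sha256=digest, target=str(target))
    except OSError as exc:  # missing source, full disk, permissions, mismatch
        record["error"] = str(exc)
    return record


def read_entries(log_path: Path) -> list:
    if not log_path.exists():
        return []
    return [json.loads(l) for l in log_path.read_text().splitlines() if l.strip()]


def _entry_hash(prev: str, record: dict) -> str:
    body = json.dumps({"prev": prev, "record": record}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append_evidence(log_path: Path, record: dict) -> str:
    """Append `record` as a JSON line chained to the previous entry's hash."""
    entries = read_entries(log_path)
    prev = entries[-1]["hash"] if entries else GENESIS
    h = _entry_hash(prev, record)
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps({"hash": h, "prev": prev, "record": record},
                            sort_keys=True) + "\n")
    return h


def verify_evidence(log_path: Path) -> bool:
    """Recompute the chain; an edited, deleted or reordered line breaks it."""
    prev = GENESIS
    for e in read_entries(log_path):
        if e["prev"] != prev or _entry_hash(e["prev"], e["record"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def record_remediation(log_path: Path, failed_hash: str, action: str,
                       operator: str = "") -> str:
    """Evidence of the action taken for a failed backup, linked to its entry."""
    return append_evidence(log_path, {
        "type": "remediation", "operator": operator or getpass.getuser(),
        "ts": _now(), "for": failed_hash, "action": action})


def open_failures(log_path: Path) -> list:
    """Failed backups with no remediation entry: the gap an auditor will ask about."""
    entries = read_entries(log_path)
    done = {e["record"]["for"] for e in entries if e["record"]["type"] == "remediation"}
    return [e["hash"] for e in entries if e["record"]["type"] == "backup"
            and e["record"]["status"] == "failed" and e["hash"] not in done]


def demo() -> dict:
    """Constructed end-to-end run in a temp dir: one good backup, one failed
    backup, its remediation, then an after-the-fact edit of the log."""
    work = Path(tempfile.mkdtemp(prefix="sox-backup-"))
    log = work / "backup-evidence.jsonl"
    sales = work / "daily_sales.csv"  # constructed sample data, not real figures
    sales.write_text("date,outlet,total\n2005-03-01,restaurant,1234.50\n")
    ok = append_evidence(log, run_backup(sales, work / "backups", "night-ops"))
    bad = append_evidence(log, run_backup(work / "missing.csv", work / "backups", "night-ops"))
    open_before = open_failures(log)
    record_remediation(log, bad, "re-exported file from POS and re-ran backup", "night-ops")
    open_after, valid = open_failures(log), verify_evidence(log)
    # Someone quietly changes the operator name in the first entry
    log.write_text(log.read_text().replace("night-ops", "someone-else", 1))
    return {"ok": ok, "failed": bad, "open_before": open_before, "open_after": open_after,
            "chain_valid": valid, "chain_valid_after_tamper": verify_evidence(log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each line of the log is self-describing and carries the hash of the line before it, so the reviewer performing the monthly or quarterly check can re-run `verify_evidence` rather than trust the file as found; `open_failures` turns "evidence of any action taken" into a list that should be empty at review time.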

With no specific direction for IT written in the act itself, organizations such as the IT Governance Institute and the Information Systems Audit and Control Association have offered guidelines based on interpretation of the act. Using these guidelines and auditors’ expectations, the IT approach covers two main aspects: the general computer controls and the application controls. The general computer controls cover the controls in the operational areas of IT, such as controls in the backup process, logical and physical security of the network and data, and management of changes to all aspects of the systems and applications. The application controls refer to controls over the applications that are in scope, in particular the ERP system and related system interfaces. These controls include authorization over who has access to financial information. The IT leader must ensure that the controls in these areas are identified and documented, and must also arrange to have them independently tested. In addition, the company needs to ensure that the controls continue to be exercised and evidenced, as this is not a one-time event. To further assist in developing control tactics, IT professionals should reference COBIT (Control Objectives for Information and related Technology), which is published by the IT Governance Institute (www.itgi.org) and the Information Systems Audit and Control Association (www.isaca.org).

SPECIAL SECTION SOX COMPLIANCE

© 2005 Hospitality Upgrade. No reproduction or distribution without written permission.

Why have the controls added to the workload of the IT team? In general, companies find that even though IT has been executing the process adequately in the past, they likely were not performing the control associated with the process. Even if the control was being performed, it is unlikely that there is evidence proving that the process occurred. Additionally, SOX compliance has resulted in recurring review activities (monthly/quarterly) associated with the controls. The extra steps in procedures and the recurring reviews, with the need to retain the evidence of the controls, can add substantially to an already heavy workload. It is no longer sufficient to get verbal approval from the finance department to load a vendor patch onto the accounting system. IT must ensure there is evidence of written approval.

Besides adding substantially to IT’s daily activities, the controls necessary to comply with SOX have also added to the need for IT to store information it formerly discarded once it was reviewed. In addition, finance has the need for additional storage, both for evidence of controls and for data retention as per the act. For data stored digitally, this requirement can place a substantial demand on IT’s storage capacity. IT leaders need to be proactive and expand data storage before it becomes an issue.

In addition to financial records that have to be kept on file for no less than seven years, there is the question of how to manage e-mail. This is an imposing question. E-mail is one of the most effective ways to communicate within departments as well as with customers. Financial statements, budget spreadsheets and forecasts are expeditiously sent to the employees that need access to this data. The e-mails must be kept secure. However, corporations are also bombarded with hundreds if not thousands of spam and phishing e-mails, as well as employees’ personal e-mails, on a daily basis. The question becomes a matter of what to keep, what to discard, and how this will affect your infrastructure. More importantly, if spam is discarded prior to archiving, how does the company prove that only spam was discarded? Again, no clear directive is laid out by SOX regarding the issue of e-mail. Therefore, companies should discuss their options with their general counsel, who will help determine the retention policy for e-mail. The IT director can then determine the technology needs to meet future requirements.

The Sarbanes-Oxley Act should be thought of as a tool to enhance IT governance within each organization. This is not a one-time event. Companies should monitor the controls throughout the year and make it an ongoing process. Even though the act is only two years into implementation, the effects are already far-reaching and will continue to impact IT departments in the years to come.

Todd N. Throckmorton is vice president of HospitalityLawyer.com, a Web site of legal safety and security solutions for the hospitality industry. He can be reached at (512) 266-1260 or [email protected]. Moira Berman is founder of MB Consulting Services providing IS/IT strategy. She can be reached at (619) 867-1689 or [email protected].
