By Elizabeth Wasserman
Thousands of large public companies were able to comply with Sarbanes-Oxley requirements in their annual reports recently thanks to the efforts of their information technology teams. But while IT is acknowledged as playing a crucial role in regulatory compliance, CIOs often find themselves without a seat at the table because ownership of the data originated in another department.
The paradox is that CIOs are tasked every day with knowing the information infrastructure underlying the business -- information that is vital for others in the organization in charge of compliance. IT tools can help company officials share and verify crucial data between internal and external auditors, finance managers, and business units before it ends up in financial reports. Such tools can also be deployed to automate what were once manual processes. For these reasons, the CIO is in the best position to improve compliance procedures throughout the organization.
As companies struggled to meet Sarbanes-Oxley deadlines in the last few years, they sometimes failed to realize the value of the CIO. A study released last year by the Hackett Group, an Atlanta-based business advisory firm, found that fewer than half of the CIOs interviewed were involved in the steering committees for Sarbanes-Oxley compliance.
"It was a wake-up call," said Beth Hayes, a research fellow at the Hackett Group. She said that some companies have since determined that IT participation is critical to successful Sarbanes-Oxley compliance and have brought CIOs into the fold -- but not all. The law requires not only that a company's financial reports be accurate, but that proper controls are in place so that the CEO and CFO know if the financials are inaccurate. As the CIO has responsibility for the management, operation, and acquisition of the IT systems that are at the core of a company's operations and financial management, it's only fitting that this official be part of the compliance team.
"It seems obvious that the CIO ought to be represented," said Ann Senn, global leader for CIO advisory services for Deloitte Consulting. "We have done a lot of work with compliance teams, and I can't tell you how often we have found that compliance teams -- a number of which are focused on financial controls -- deal with IT as one of the elements they have to go through and not as a core vocal member of the compliance steering team."
CIO representation is important in part because compliance teams often make decisions about priorities for future process improvements. A compliance team could make decisions that alter the IT operation's priorities, such as maintaining a secure and available information environment; or its ability to meet business goals. As a result, uninformed decisions could end up making compliance with regulatory mandates even more difficult. In other words, CIOs may lose control over the very thing it is their responsibility to maintain: IT.
"If you're not there, you are in a position of taking orders," said Senn. "You take orders and you do the best. But if you're taking orders, you're not making decisions. You're in the position of fulfilling the orders."
To prevent that scenario from occurring, CIOs need a game plan for proving themselves to other executives.
- Be Proactive Understand how IT can help the company meet compliance deadlines in a less painful and time-consuming fashion next time around. Outline your plan in a memo or request to make a presentation to the compliance team.
- Demonstrate IT's Role Establish usage rules and audit trails for every information system feeding financial data into reports. Actions speak louder than words. Impress the CFO and CEO with a track record of running IT as a business and being customer-service oriented.
- Designate an IT Controller Create a new position on your own staff for an IT Controller, the point person on compliance, risk management, vendor management, and security. This person will ensure that IT is not a risk factor in compliance and show other C-level executives that you take compliance seriously, according to the Hackett Group's Hayes.
- Court Your CFO and CEO Your proven track record has earned their respect. You understand the issues. Now it's time to make your case for inclusion at the table to the executives who feel they have the most at stake. Show that you understand the concerns of the CFO and CEO, who face potential criminal penalties and fines if they sign false financial statements. Meet with them personally to outline your plan for how to make compliance easier from this moment forward.
If the CIO isn't a member of the compliance team, Senn said, he or she ought to at least have a "good counselor" who can make sure IT's voice is represented in discussions and report information from the meetings. That counselor can hold any position in the company, but it needs to be someone who can be frank about discussions and who knows something about the IT infrastructure and how technology can help.
Once the CIO wins a place on the compliance team, successful results could go a long way to winning more representation for IT at the executive committee level. And maybe even win the CIO a seat at that table.
Elizabeth Wasserman has written about technology and business for Inc., CIO Insight, and the San Jose Mercury News. She is a freelance writer based in Fairfax, Virginia.