Sarbanes-Oxley compliance efforts are eating up CIO time and budgets. Worse, CIOs are being relegated to a purely tactical role. And that may be the CFO's plan.
When CIOs began installing ERP systems in the 80s and 90s, they unwittingly took something that used to belong to CFOs: financial controls. The things that accountants used to monitor manually - such as making sure that two signatures from the right people went on every cheque, or reconciling purchase orders against invoices - all became automated inside ERP systems. The meticulous audit trail that controllers and accountants had established over generations for demonstrating that money was being handled properly (think of black, leather-bound ledgers and long ribbons of adding machine paper) disappeared into those ERP systems without a trace - or at least without being properly documented, and certainly not to the extent now required by the 2002 Sarbanes-Oxley Act, aka Sarbox.
Today, CFOs want those controls back. If they don't get them, they believe they could go to jail. Section 404 of the Sarbanes-Oxley Act mandates that CFOs have to do more than simply pledge that the company's finances are correct; they have to vouch for the processes used to add up the numbers (see "What Section 404 Says", page 67).
Sane people don't want to go to prison. They can even get a little frantic about it.
That's why CIOs perhaps can forgive their CFOs for getting aggressive when it comes to taking control of Sarbanes-Oxley compliance efforts. What CIOs shouldn't forgive, or take lying down, are their CFOs' attempts to freeze them out of the process.
A recent survey by research company Hackett Group found that just 12 of 22 companies surveyed had IT representation on their Sarbox steering committees. Among 75 public companies that Gartner surveyed at the end of last year, just 63 percent said IT was involved.
Partly, this may be because many companies have been slow in getting their Sarbanes-Oxley efforts up and running. Only 65 percent of Gartner's respondents even had a Sarbox steering committee. Twenty-eight percent had no plans to form one.
But some CIOs see a darker agenda at work - a conspiracy. They fear Sarbox has become a stalking-horse that CFOs are using to assert control over IT and displace the CIO as the company's business process expert. Egging CFOs on, this theory goes, are the Big Four accounting firms, desperate to reassert themselves after the Enron debacle (which turned the Big Five into the Big Four after Arthur Andersen bit the dust) and needing consulting revenue to replace what they lost when most split off their consulting divisions.
"Finance and accounting organizations have been pushed to the background recently as IT and supply chain have been driving where companies are going," says one disgruntled CIO who declined to be identified. "Sarbanes-Oxley is the revenge of the bean counters. It's a wedge for the accounting profession to get control of the business again."
"CIOs are getting left out of Sarbanes-Oxley efforts, and it's a travesty," says Garry Lowenthal, CFO of Viper Motorcycle and chairman of the Finance and Technology Committee of Financial Executives International (FEI), an association of senior financial executives. (Lowenthal is sufficiently concerned that he is helping to set up a joint session between FEI and the Society for Information Management [SIM] at SIM's annual meeting this September to talk about how IT and finance can work together on Sarbox.)
"I'm hearing stories about CFOs not including CIOs in their compliance visions," Gartner research director Rich Mogull says. "I think that's a big mistake."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.