First, Do No Harm:  Commentary from Gwen Thomas
The Irony of Sarbanes-Oxley

The irony of Sarbanes-Oxley is that what the SEC now demands is what good executives have been asking for all along.

Every good leader wants to know what their true numbers are and how their management team knows those numbers are accurate. They need someone to monitor what IT systems and processes touch the data that filters down to financial reports, and they want to be assured that appropriate governance is in place for all those systems and processes.

They want assurances that whoever is charged with maintaining each and every system and process understands the consequences of this work and is giving appropriate focus to it. Even with cut-backs, no executive ever wanted to create accountability gaps. And good executives would always expect their management teams to ensure no gaps were created, if only someone could accurately point out potential gaps.

Good executives have always known that organizations need top-down governance and accountability to ensure the quality of their numbers. They've always needed to know when and why systems and processes change if those changes are going to affect reports or the data in the reports. And to be agile and competitive, they know that their staff must know where to find documentation, control records, and other information needed to maintain and upgrade their systems.

So the real question is: Why did it take an Act of Congress to focus attention on this? The answer is simple to anyone who has worked in both the technology and business sides of a company.

Anyone who has been in the trenches will tell you that almost NO companies can answer all of these basic Who-What-When questions to the level that the SEC and stockholders want. So is Section 404 scary? Yes. But the reason isn't sexy or scandalous. It's a classic Knowledge Management problem that organizations from Homeland Security to plumbing supply stores are grappling with:
How do you reconcile top-down hierarchical management structures with matrixed projects and with data that flows through an entire enterprise?
Solving this problem - For Sarbanes-Oxley issues as well as so many others facing organizations today - requires major adjustments to management strategies. And implementing it requires new tactics. We have to be able to answer with certitude questions such as Who owns the gaps in our processes? and Who's accountable for handoffs?

Luckily, these problems are solvable. We just have to be sure we're addressing the root problems and not just addressing symptoms. __________________________________________

Gwen Thomas has been the Sarbanes-Oxley Practice Lead for CIBER, Inc.,a leading international systems integrato and is currently a principal for Data Governance, Inc. A frequent speaker at industry conferences, she is known for helping IT and Business leaders demystify complex information problems while applying standard, repeatable solutions. Write to her at gwen.thomas@sox-online.com.
Other columns


1