The PCAOB was established by the SEC (pursuant to Sarbox) to oversee the audit of public companies. The PCAOB's mission is to protect investors and secure the public interest in the preparation and publication of informative and accurate audit reports of public securities. The board registers public accounting firms, establishes rules and standards related to audit reports, and conducts investigations and disciplinary proceedings.
Defining internal controls over financial reporting will be the key to satisfying the requirements of Sarbox. These internal controls are largely in the realm of IT, where business processes meet software algorithms. Adequate controls will include processes designed or supervised by the company's principal executives and financial officers that provide reasonable assurances that financial reporting and preparation of financial statements are in accordance with generally accepted accounting principles. The controls include the policies and procedures to maintain accurate records that reflect the transactions and dispositions of assets; ensure that transactions are properly recorded and reported; and safeguard assets against unauthorized or improper use.
Sound familiar? Sarbox's controls are not unlike those in GLBA and HIPAA to safeguard data against unauthorized and improper use--except the SEC is squarely focused on corporate accountability in financial reporting. And blind faith in an IT financial reporting system will not be a good defense. The rules formally acknowledge corporate responsibility to create and maintain controls to identify and manage the risks that result in inaccurate data or fraudulent reporting.
The risks associated with accurate reporting are not far removed from the risks identified in industries governed by GLBA and HIPAA. IT security risks are nondiscriminatory and apply equally to banks, financial institutions and medical facilities as well as educational organizations, manufacturing and transportation.
Many IT shops look to a risk-assessment framework from the ISO 17799 standard; 17799 treats IT security as a business issue and covers all the familiar topics, such as system operation and maintenance, backup and restore, document handling and data integrity. Beyond that, many of the same solutions that satisfy GLBA and HIPAA--specifically, policy-management packages, log analyzers and change-control procedures--can apply to Sarbox to assert and monitor controls over financial reporting systems.
Many vendors are updating their products or announcing new ones aimed at Sarbox compliance. For example, Oracle and PricewaterhouseCoopers developed Internal Controls Manager, which works with Oracle's E-Business Suite. And Plumtree Software, with HandySoft Corp., released Accelerator, which brings business-process software to Plumtree's portal to create and establish internal controls and reporting procedures while maintaining collaboration tools for corporate officers, directors and their auditors. These and other solutions will bring business processes in line with software logic and put them in plain view for investors' review.
Management also needs to assess the reliability of internal controls and disclose any material weakness in its financial reporting. If one or more weaknesses exist, management will not be able to conclude that the company's internal controls are effective, and this will affect the bottom line. Investors will be leery of supporting a public company without effective controls on its internal financial systems. This may require consultants and service organizations that can supply more than IT security solutions. Public companies can look to full-service consultants such as EDS, Greenwich Technology and PricewaterhouseCoopers for technology as well as financial and legal help. Other providers are vying for a growing market to advise and consult enterprises on IT and government regulations. An example is PeopleSoft's bid to acquire J.D. Edwards.
Sarbox will be remembered as the regulation that fights the good fight against corporate fraud and abuse. But for IT, Sarbox means Uncle Sam is demanding corporate accountability in financial reporting systems. If that does not happen, heads may roll. Anyone who falsely certifies that financial conditions and the results of operations are accurate while knowing that they do not reflect financial reality will be fined up to $1 million or imprisoned up to 10 years--or both.
But there is a rhyme to all the government's reasons for Sarbox. Investors will be more confident when reviewing financial reports and more willing to invest. Unfortunately for the public, the reporting requirements do not go into effect for most companies until April 15, 2005.
Sean Doherty is a technology editor and lawyer based at our Syracuse University Real-World Labs®. A former project manager and IT engineer at Syracuse University, he helped develop centrally supported applications and storage systems. Write to him at sdoherty@nwc.com.