Editor’s note: John C. Yates Chairs the Technology Group of the law firm Morris, Manning & Martin, LLP.There is an important new rule that the SEC has recently adopted — and it’s going to have a big impact on businesses in the Southeast and throughout the country.
For many IT departments, this rule will require changes in the way technology is purchased, built, implemented and maintained.
And for tech companies and vendors, you should understand the dynamics of the rule and the ways to address this huge issue confronting CIOs and technology executives in your prospective customer base.
The Sarbanes-Oxley Act requires, in part, that public companies provide an “internal controls report” as a part of various required SEC filings. Congress required the SEC to adopt a rule that specifies the requirements for this report. The SEC recently released this new rule in final form.
Below are some highlights of this new rule, in question and answer form.
1. What does this mean for the IT professional?
Public companies are now required to be more deliberate about how things are done, especially if they potentially impact financial reporting. Companies must have a comprehensive framework for internal controls and document the effectiveness of its internal controls. This means more risk assessment, process analysis, testing, documentation, and other record keeping. You’re likely to be spending more time with your accountants, more time assessing systems and their vulnerabilities, and more time documenting what you do.
2. Is this limited to software systems?
No. While the accuracy and reliability of software is clearly covered by the rule, you’ll miss the point of the rule if you just look at software issues. In addition, issues related to external unauthorized access, internal unauthorized access, error identification, and unauthorized transactions are items to evaluate and address, among other things.
3. What software is impacted by the rule?
Only software that might materially impact financial reporting. Any software system that provides information to an accounting system is a potential candidate. These include any system that provides information to your company’s general ledger, transaction processing systems, systems that monitor inventory, and systems that keep track of assets and their disposition.
4. Do I have to evaluate the accuracy of every piece of functionality in all software across my enterprise? How do I know what must be addressed?
One of the first steps in this process is to evaluate where the greatest risks are. Once this evaluation has been completed, and documented, certain situations will likely be identified for extra caution and examination, such as introducing new systems, adding new products, mergers, adding new personnel, corporate restructurings, etc.
5. Any other impact?
It is hard to predict the full impact of this rule until companies develop experience with it. However, the following processes may need to be examined in light of this rule:
6. What are the consequences of not complying with the rule?
The most immediate potential problem is the need of your company to disclose a “material weakness” in your internal controls to the SEC and the investing public. It is also possible that your accountants will not be able to certify your company’s financials.
7. What other things should an IT professional consider?
The rule reminds companies that they may need to coordinate with the auditors to ensure adequate internal control over financial reporting, but their auditors cannot provide consulting services. The rule requires that the responsibility for developing and implementing internal controls not be outsourced and that management be actively involved in the process.
8. Are there other ways that IT can help?
IT departments frequently have expertise in process, project management, risk assessment and controls that other departments of companies do not. Because the new rule focuses on processes and controls, the skills developed in IT departments may also be helpful in other areas of compliance with the rule.
John C. Yates Chairs the Technology Group of the law firm Morris, Manning & Martin, LLP, which has offices in Atlanta, Charlotte and Washington, D.C. He can be reached at firstname.lastname@example.org and (404) 504-5444.
This column is presented for educational and information purposes and is not intended to constitute legal advice