UK plc dealt Sarbox deadline

UK businesses have been warned they have only months to ensure their IT systems are compliant with US Sarbanes-Oxley legislation.

Just last week Accountancy Age revealed that Sarbanes-Oxley compliance would cost UK businesses more than £120m, forcing many to update their IT systems to comply with the infamous Section 404 of the act – the effective management of internal controls – for their first fiscal year ending on or after 15 July 2005.

‘IT can help in a few areas,’ said Cubillas Ding, senior financial technology analyst at Datamonitor.

‘First, it ensures that any associated processes are correct and transparent. Secondly, that irregularities or errors will be minimised. The third point is to enforce accountability via proper systems or process controls, documenting activity trails and storing appropriate records. And lastly, data management and governance activities within IT departments must be strengthened and adhere to the appropriate standards.’

Analysts expect companies to restructure their financial and ITrelated controls during the first two audit cycles to make the compliance process more efficient.

FDs and compliance officers have been urged to keep IT directors and CIOs aware of the seriousness of meeting compliance deadlines.

‘IT people must be aware of the wider picture – corporate integrity – and make sure they meet the reporting needs under Sarbox,’ said Paul Moxey, head of corporate governance and risk management at ACCA.

‘And the head of IT has a fundamental role, to be aware of what their compliance function is. They need to know what’s going on around the company so they can play a proactive role.

‘IT people often look at the IT aspects of control. But often it’s a cultural issue, so IT must think outside the technological box and encourage change,’ he told Accountancy Age.

A new report on UK industry and data integrity by CyberTrust, entitled ‘Risky Business?’ highlighted the fears of information security experts within UK businesses faced with the rising cost of compliance.

Barclays group data architecture head John Oxton said that Sarbox and Basel II would have a ‘major effect’ on the way the firm approached its data integrity and protection.

Huw Bevan, information security officer at Admiral, said it would be a ‘nightmare’ if Sarbox affected the firm. ‘I’ve seen figures showing that Barclays Bank have put 75-90% of their developers purely on Sarbox.’

Standard Chartered’s head of information security, John Meakin, said that it should be easier for an organisation to comply with Sarbox because it simply required proof of the existence of security controls.

‘With Basel II the real issue is one of maturity, because that decides how much money you have to retain against risk,’ he said.