IT managers told to plan for EU audit directive
The EC's proposed directive on auditing, published last month and set to be tougher than Sarbanes-Oxley, will have serious implications for IT managers, analysts have warned.
Link: Sarbanes-Oxley report
Mike Davis of analyst firm Butler Group said it would be dangerous for IT managers to ignore the European proposal. ‘They should definitely be doing something now. The EU is absolutely serious that we need to get our house in order, in light of [the] Parmelat [scandal],’ he warned.
Under Sarbanes-Oxley, chief executives of US organisations, their UK subsidiaries and firms listed in the US are required to personally sign off financial statements and certify that accounts data is accurate. If irregularities are subsequently uncovered, chief executives can face prison terms of up to 20 years.
Davis said firms that have already implemented systems that comply with the US rules would be in a good position to meet future European regulations. ‘If you haven’t [set up such systems], you’ll be in for a big learning curve. You don’t want your organisation to be made an example of with a prison sentence, as this has to happen to someone.’
Areas that IT managers should assess include server and storage consolidation; email management; archiving policies; and information lifecycle management. ‘You can spend a lot on point solutions to ready systems, but what you really need is an IT architecture for dealing with compliance,’ said Davis.
IT managers who fail to plan ahead may appear unprepared once the EC directive becomes law. ‘In the past the focus of compliance has been on the finance department,’ said John Taylor, managing director at business performance management specialist Cartesis in the UK. ‘But the board will begin asking CIOs what they’re doing to help the firm comply, as this area is so reliant on IT systems.’
Company boards will expect more involvement from their IT departments to establish end-to-end auditing controls, Taylor predicted. ‘They’ll want to know how they can be sure that data entered into an ERP [enterprise resource planning] system sees its way through to the legal reporting requirements,’ he added. ‘Finance can’t do this on their own.’
Even though many UK firms are not legally required to meet Sarbanes-Oxley level auditing quality at present, Oracle’s head of finance and compliance solutions in the UK, Michelle Maden, argued that meeting those standards could generate wider benefits. ‘The Sarbanes-Oxley act incorporates sound aspects of corporate governance,’ she explained.