There won’t be many fingernails left unchewed in the IT departments of UK businesses in 2005. During the year, international financial reporting standards will claim their first scalps, foreign companies listed in the US will have to comply fully with Sarbanes-Oxley, and the EU 8th Directive on Company Law is expected to demand greater oversight and better internal controls in company boardrooms.
The key to managing all the regulation and legislation lies in how companies implement and manage their IT systems. Financial and operational data, if it has been collated properly, should make compliance easy. In the best-prepared companies, finance and IT directors will have already worked together to configure financial systems so when the big red compliance button is pressed the relevant financial and management reports are generated automatically and a big tick will go in the auditor’s and regulator’s notebooks. These companies can then get on with the job of creating wealth for shareholders.
But it is rarely that simple. New financial software systems and bolt-on applications for compliance are costing businesses millions and consuming thousands of hours in preparation. Companies that have dedicated money and manpower to compliance through IT over the past months will survive. Those that haven’t may find their technology lacking and share prices diving downwards.
But who is going to get the blame when these IT compliance systems go wrong? It is almost certain that some will fail spectacularly over the next few months. The Securities and Exchange Commission has been vocal about sending CEOs and CFOs to jail if they fall foul of Sarbanes-Oxley. But what will happen to the IT guys who put the failing systems in?
The sceptical might say that IT directors who don’t carry the can have two options when faced with failure. They can either blame IT consultants hired by the business (consultants are too expensive, like to complicate things to make themselves more money, and IT projects should be handled in-house). Otherwise, failure is the fault of the finance department (systems departments are under too much pressure to make cutbacks and dunderheaded finance people don’t understand IT anyway).
But there may be a third option: blame non-executive directors. Non-execs provide oversight and deal with risk mitigation, so presumably they should be responsible for keeping abreast of the technology risks.
IT directors certainly think so and are unhappy about non-execs’ ability to appreciate IT, judging by the results of a new Ernst & Young report on the audit committee’s role in managing internal controls.
According to 72% of IT department heads, and 42% of heads of internal audit, company audit committees fail to recognise the IT threats facing their organisations. Ernst & Young suggests that audit committees are not educated about IT and so do not put it on the agenda “for fear of appearing technically ignorant”. Yet E&Y didn’t ask any audit committee chairmen for their opinions on the subject.
The door swings both ways. If audit committees are not sufficiently aware of IT risks, then IT directors should make them aware. Likewise, if internal auditors have an issue with internal control and IT risks they should bring it to the attention of management.
IT directors should spend less time moaning in surveys that their department is misunderstood and spend more time educating board members about the opportunities and risks of IT. Compliance issues have given IT directors control of corporate governance and they should use their power for the good of the whole company.
OK, so IT directors haven’t had it easy in the last couple of years: their budgets have been cut, usually by FDs; their departments have been rationalised, centralised and outsourced; and they have been asked to calculate return on investment in areas such as process improvement that are almost impossible to measure financially.
Download our Whitepapers
Nevertheless, the sooner IT directors extricate themselves from the safety of their wire-strewn systems departments and start talking to the rest of the business the better. The subject of communication between IT and finance has been going round and round like a stuck record for years, but in an environment of compliance, where failure isn’t measured in pounds and pence but in jail sentences, it pays to talk. Sadly, IT directors will insist on banging the drum. There is no ‘I’ in team as the management adage goes, but it seems there is an ‘I’ in IT.