Corporate reporting: The next information governance frontier? - IT Compliance Advisor
Home > IT Blogs > IT Compliance Advisor > Corporate reporting: The next information governance frontier?
« How will the Massachusetts Data Protection Law affect IT compliance?
IT budget available for regulatory compliance »
» VIEW ALL POSTS Feb 3 2009   3:12PM GMT

Corporate reporting: The next information governance frontier?



Posted by: Alexander Howard
corporate reporting, SEC, transparency, governance, SOX, e-discovery

This is a guest post from Barclay T. Blair, author of Information Nation and head of the information governance practice at Forensics Consulting Solutions LLC.

“[S]unlight remains the best disinfectant for problems in our capital markets.”

- Christopher Cox, former chairman of the Securities and Exchange Commission (SEC), June 2008

Back before the failure of Lehman Brothers, the ouster of John Thain from a combined Bank of America/Merrill Lynch, and before a new president said we were “facing the greatest economic challenge of our lifetime,” the SEC began working on an initiative to improve public company “transparency by making disclosure information more accessible and easier to use.”

This 21st Century Disclosure Initiative published a report in January that proposes, among other things, requiring “tagging” of financial information so it is more interactive and useful, and moving away from a document-centric paradigm. The intent is to modernize the way that investors receive information about the companies in which they invest.

This initiative, which may or may not have legs under a new SEC commissioner, raises some interesting issues for information management and corporate governance.

It will be difficult for the SEC — or anyone else — to “shine some sunlight” onto the financial and governance practices of corporations until the corporations themselves take control of their information.

Most organizations today struggle to understand where all their information resides, what it is, how to get to it, or how long to keep it. Witness the astounding numbers and ugly battles (like the e-discovery dispute centered around the SEC’s delivery of 1.7 million documents involving the SEC) that routinely arise when organizations are asked to dig up digital information — especially email and office documents — in the context of electronic discovery.

The reality for most institutions is that the most valuable information resides in the least managed locations. How many companies still rely largely on spreadsheets and email to comply with the Sarbanes-Oxley Act?

If my practice is any gauge, most of them.

Regardless of what happens with the SEC’s initiative, most politicos seem to agree that we are heading into an era of increased regulation under the Obama administration. I would recommend that organizations try to get ahead of what’s coming by looking at their current information governance practices with an eye to improving internal transparency — before someone steps in to make them do it.

To this end, perhaps it is time to revisit document retention and management practices. Here are some questions to think about:

  • Are your valuable financial records being maintained in appropriate systems, or are there unmanaged copies in poorly controlled network drives and “drop boxes”?
  • What do your email practices look like? Is email retention controlled? Do your employees export email out of the email system into unmanaged locations?
  • How much important financial information (including the records that underpin financial information) resides in unmanaged, unsecured locations?
  • Are you using your backup tapes for archiving purposes? If so, do you understand the potential cost and risk should those tapes need to searched for SEC investigations or litigation?
Barclay T. Blair is a consultant to Fortune 500 companies, software and hardware vendors and government institutions, and is an author, speaker and internationally recognized authority on a broad range of policy, compliance and management issues related to information governance and IT. Blair heads the information governance practice at Forensics Consulting Service LLC, and can be reached at bblair@fcsig.com or (403) 638-9302.
AddThis Social Bookmark Button     Comment     RSS Feed     Email a friend

Comment on this Post


You must be logged-in to post a comment. Log-in/Register

DannyLieberman88  |   Feb 3 2009   6:35PM GMT

Financial reports (Trial balance, P&L, Income statements, 10K, 10Q etc…) must only be produced by computerized financial management systems, not from Excel. A company that bought SAP or Oracle Applications should ask for their money back with penalties if they can’t do this elementary task - that is the must fundamental business requirement in the world - produce reports from the accounting system.

A company that produces all of it’s financial reports directly from it’s ERP/finance/accounting systems will be 95% of the way to complying with corporate governance regulation.

The US and the world need less regulation not more. We need to simplify the way a business runs. SOX 404 is an incredibly simple requirement - “thou shall not fake your financial reports in Excel”. I hear estimates that on the order of 1% of the US GDP of 14 Trillion dollars is spent on compliance service providers. Take the regulation away and you have 100BN dollars to spend on more productive things.

Now with the Obama (and previous Bush) federal bailout programs for the heavily regulated financial services industry - the US is planning to spend up to 10% of the US GDP on regulation.

I don’t get it.

Danny Lieberman
Software Associates


 

Hiskid  |   Feb 17 2009   7:28PM GMT

I work at a Fortune 500 company which adhers to SOX. What a burden the government is placing on companies! I now spend 60% of my time doing documentation of the IT tasks I perform. You think I’m kidding, I thought it was an exaggeration until I had to do it! To call in a firefight to make a data change and document that change usually now takes at least a half an hour, as opposed to the 20 seconds it used to take. This is because you must provide all kinds of information about your data change - why you did it, the ticket# of the user’s request, the color of your underwear on the day you changed, etc.It doesn’t look like it’s going to get any better - government is working to include more and more companies under the SOX umbrella to access company information. And if they hold the purse strings due to a bailout, Big Brother is here!
Be that as it may, my recommendation is that companies do proactive research as to what it would take for them to be SOX complliant, research to see just how much their current system can meet those requirements. Then, I would highly recommend that your company be poised to provide itself a solution to this requirement capable of being implemented on a moment’s notice, so it doesn’t suffer any penalties or encounter any unexpected surprises. And don’t be penny wise and pound foolish. If you have to buy or develop software which expedites documentation, DO IT! You will need to streamline the process as much as possible as you incorporate into your techies’ work loads. If you don’t, you will be sorry you didn’t, as your IT department suddenly experiences the gridlock they have daily in Washington DC. Techies, the most painless way is to build your documentation as you go - when you are on a screen performing a task, take a print screen of it and put it in your document. Hardware people, buy memory-LOTS! I am not happy about all this any more than anyone else (it makes me hurl), but unless and until George Washington shows up again to set this country straight, that is what it is going to take to get the job done.


 
Visit Compliance Management Home |   Compliance Management News  |  Compliance Management White Papers  |  Compliance Management Videos  |  Compliance Management Resources