Management Alert: The Sarbanes-Oxley Act Will Affect Your Enterprise
02 April 2003
Debra Logan, Frank Buytendijk

Document Type:  InSide Gartner
Note Number:  IGG-04022003-02

The manner in which enterprises approach business intelligence, corporate performance management and records management systems will be affected as a result of the Sarbanes-Oxley Act of 2002.

Many executives are eager for insights on what the Sarbanes-Oxley Act of 2002 will really mean for their enterprises. The manner in which enterprises approach business intelligence, corporate performance management and records management systems will be affected as a result of the Sarbanes-Oxley Act.

Questions Abound

Gartner is receiving many questions about the Sarbanes-Oxley Act and its implications for IT in the enterprise. To help enterprises better understand the ramifications, Gartner answers those questions from the business intelligence, corporate performance management and records management perspectives.

Can you summarize the Sarbanes-Oxley Act for an enterprise’s management?

The Sarbanes-Oxley Act was passed in July 2002 and was a direct reaction by the U.S. Congress to address the accounting scandals of late 2001 and early 2002. It has the aim of providing additional oversight of the auditing process, eliminating conflicts of interest and increasing corporate transparency. It also has the specific goal of advancing the standards for corporate governance. The act describes many things in detail, such as the relationship between the enterprise and its auditors, how to deal with “whistle blowers,” fines and jail terms for the deliberate and willful destruction of audit-related data, and specific retention periods and standards for the documentation surrounding an audit. It also makes an auditor responsible for oversight of an enterprise’s internal documentation and accountability processes. Poor corporate recordkeeping by auditors will no longer be tolerated; they will be fined — or in extreme cases, may be jailed.

Is the legislation relevant outside the United States?

Yes. Many European- and Asia/Pacific-headquartered companies are dually listed on two or more stock exchanges. Any company that is listed in the United States must comply with the terms of the act. In addition, many European companies have a U.S.-based parent. The legislation is also being seen as a move to restore trust in corporate entities and thus to restore investor confidence. Complying with Sarbanes-Oxley is regarded as a move to instill a better brand of business ethics. Foreign auditing firms, headquartered outside of the United States but working with U.S.-based companies, must also comply. Although enforcement of some of the sanctions of the act will be difficult, the effect of noncompliance will have an effect on winning business with U.S. customers.

Is there any European legislation on this subject?

Initially, a European Commission spokesman criticized the Sarbanes-Oxley Act as an ill-conceived overreaction to the wave of American corporate scandal. The Europeans had been working on a document, the “Report of the High Level Group of Company Law Experts on a Modern Regulatory Framework for Company Law in Europe,” which covered some of the same ground as Sarbanes-Oxley, but is a policy advisory document only. Currently, no Europewide legislation exists. Despite the valid criticisms of Sarbanes-Oxley in Europe, it is widely expected that European corporate entities will comply with it, because they will not want to compromise their ability to do business in the North American market.

What information systems and corporate practices are most affected by Sarbanes-Oxley?

Business intelligence (BI) — which most enterprises regard as a combined IT and business function — and the whole area of corporate performance management (CPM) are affected. BI is defined as providing enterprises with perspective and insight based on the access to and analysis of quantitative data sources. CPM is an umbrella term that describes all processes, metrics, methodologies and systems (for the most part, BI systems) that are needed to manage the performance of an enterprise

Two points have particular relevance in the BI/CPM context:

• CEOs and CFOs of listed companies are personally responsible and liable for the quality of internal reporting.
• Executive management must now immediately report to their stockholders any issues that they believe will affect the performance of the enterprise.

Those two provisions make effective BI, CPM and record management systems essential. Such immediacy is not possible without well-organized processes and well-implemented information systems.

Can you elaborate on how corporate recordkeeping has been affected by Sarbanes-Oxley?

Sarbanes-Oxley makes specific provisions for the retention of documents surrounding the audit process. Specifically, documents relating to the audit, including working papers, must be retained for seven years. The documents in question must include all records (including electronic) created, sent or received in the course of an audit. That includes working papers that contain conclusions, opinions, analysis or financial data pertaining to an audit or review.

The legislation does not specify what a “working document” might constitute, but Gartner believes that it is best to err on the side of caution. For example, e-mails that are sent and received regarding the audit process will likely be regarded as working documents. A company that takes a position that “conclusions, opinions and analysis” are not exchanged in e-mail will be in a position that is almost impossible to defend to regulators or in court. This is not a call to save all e-mail, but to save it selectively. Companies that routinely delete all e-mail from servers should make sure that those germane to the audit process are captured in some centralized and managed way.

What recommendations do you give to enterprises required to comply with Sarbanes-Oxley?

Cost justification is good and business cases never go amiss, but they are irrelevant. If you need a records management system to comply with Sarbanes-Oxley (and you likely will), you need a records management system. It is the cost of staying in business.

However, most enterprises should take a step further than “just complying.” If the enterprise must comply in any case, why not do it proactively and adopt a culture of information democracy? If you lay a foundation for corporate transparency, you should also roll out critical performance indicators to employees for empowerment, to partners and suppliers to optimize the value chain, and most important, to customers as a loyalty instrument for better service.

If you must keep certain kinds of records for the purposes of Sarbanes-Oxley, don’t stop there. Most enterprises have huge content management problems, uncontrolled explosions of e-mail, and lack of policy and procedure around many document-based processes. Take advantage of this forced opportunity to roll out document and records management software and procedures to gain business efficiency as well, rather than just using it to reduce the risk of noncompliance.

What other trends do you see around increased corporate accountability?

Increasingly, some large enterprises have stopped focusing on financial results alone in their quarterly reports to the investment community and have started sharing more nonfinancial, long-term indicators with stockholders. Long-term indicators and nonfinancial measures are the true indicators of enterprise sustainability.

What methodologies can enterprises employ to measure their qualitative and quantitative performance more proactively?

There are many methodologies, but some of the most interesting and popular ones are activity-based costing, Six Sigma and the European Foundation for Quality Management. The most influential methodology in this area is the balanced scorecard. Long term, measures of the value of intangible assets will likely be much more widely used. They include methods for measuring the output of human capital, the bottom-line contribution of intellectual property, and the rate of creation and accumulation of intellectual capital, such as the outcome of training programs and employee retention measures.

Where should enterprises start with BI, CPM and records management in the context of Sarbanes-Oxley?

• Determine what systems you already have in place to manage the problem. If you are using a document management system, for example, that can serve as a basis for your records management system.
• In the BI and CPM arena, take a “connect the dots” approach. See what you have in place and begin to connect the systems at the level of management reporting to create a picture of your enterprise.
• Use scorecards as the “shop window” to CPM, but focus on the overall planning and control cycle for substantial improvements.
• In 2003 and 2004, it is the managerial processes around BI and CPM that will need the most attention. In the records management arena, 2002 was a planning year, but Gartner expects that early-adopter enterprises will begin their implementations in 2003, with the late adopters still in the planning phase.

Bottom Line

• Executive-level inertia has proved to be one of the biggest hindrances to widespread records management adoption.
• Continuing corporate scandals and the passage of Sarbanes-Oxley has brought the records management issue to the attention of executives at last.
• It specifically makes them responsible for auditing procedures and recordkeeping concerning those auditing procedures.
• Records management issues have reached the boardroom.
• Sarbanes-Oxley is not the only reason to care about records management.
• Lawsuits and the legal discovery process are two others.

–  After a company has been sued, CEOs, CFOs and CIOs react differently to spending money on records management if they don’t have it in place.

–  Before the lawsuit, they see it as a cost without a benefit.

–  Once a lawsuit starts, conducting a document production analysis, including e-mail and backup tape, is very costly — in lawyer’s fees as well as IT and business-unit costs.

• Without records management in place, enterprises tend to keep unnecessary information, which can be a liability.
• Equally bad is not keeping information that should have been kept, because large fines for destruction of evidence may result.

Written by Edward Younker, Research Products

Analytical sources: Debra Logan and Frank Buytendijk, Gartner Research

Return to Top

© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.