America Calls it Attestation and Canada says Personal Signing
Restoring investor confidence in publicly traded companies is the intended result of the Sarbanes-Oxley Act of 2002. It applies to companies that have an equity market capitalization of at least $75 million and are subject to the laws of the United States. On March 30, 2004, the Canadian Securities Administrators (CSA) put new regulations into effect that apply to all Canadian publicly listed companies [see link] and require Chief Executive and Chief Financial Officers to certify the accuracy of the data filed in their periodic statements and financial reports. Furthermore, the CSA, which is a council of 13 provincial and territorial regulators, is also developing separate rules on compliance similar to Sarbanes-Oxley Section 404.
Transferring Liability
These new North American regulations are as significant to business as, in a religious context, the publication of the King James Bible was 383 years ago. Until the passing of Acts by the SEC and CSA, corporations were the liable entities, not individuals. Now actual people are personally responsible: they must, as Canadian regulations decree, "personally sign" commitments and reports; the United States calls it "attest". Since these chiefs now have to put their jobs on the line, one observes corporate web postings that include a code of ethics, and in Canada, whistle-blowing activity has begun. One criterion for incoming board members is that they be financially literate. One might think, with good reason, that being technology-literate would be a requisite too.
While adherence to American, Canadian, and European chief officers' sign-off requirements does not regulate Information Technology (IT), IT is the basis for the financial processes that the law regulates. And though Chief Information, Operations, and Technology Officers, to name a few, are not directly accountable as signatories for the accuracy of the information contained in filings, as executive officers they have direct fiduciary responsibility to act in the best interest of the enterprise and its stakeholders. As such, they must devote attention to implementing necessary policies, practices, and systems to ensure appropriate levels of compliance, transparency, and auditability. After all, Section 404 requires an attestation to the scope and adequacy of the internal control structure and procedures for financial reporting, and an assessment of the effectiveness of the internal controls and procedures.
And though Chief Information, Operations, and Technology Officers are accustomed to tweaking their Virtual Private Network, mapping corporate security, or monitoring day-to-day scheduling in the palm of their hand on, say, a Palm Pilot or a BlackBerry, bringing the corporation in line with Section 404 is a monumental task.
Playing with Fire
Section 404 covers the scope and adequacy of the internal control structure and procedures for financial reporting, and an assessment of the effectiveness of such internal controls and procedures. Specifically:
1. Control Environment: gauge integrity concerning segregation of duties.
2. Risk Assessment: benchmark risks.
3. Control Activities: identification of procedures, documentation and gaps.
4. Monitoring: reckon the efforts and instigate deficiency correction.
5. Information and Communication: investigate how information is captured, processed and reported down, across and up the organization.
For more details see "Sarbanes Oxley Primer".
Some companies are looking to get a better return on their investment in Sarbanes-Oxley compliance by making it part of a larger exercise that looks at firm-wide processes and controls, and not just those surrounding financial reporting, or perhaps corporations want to develop and strengthen internal audit. After all, proposals now on the table would require all companies listed on the New York Stock Exchange to have an internal audit function.
In the end, the Chief Executive and Financial Officers will have complete visibility of the objectives, assessments, and corrective activities identified at each level of the organization, confidently signing off knowing that all levels have conducted the appropriate review, assessment, and monitoring of Internal Controls.