SOX, compliance and power relationships: Tactics for the CIO

Chief Information Officers (CIOs) around the globe are being drawn into the implementation of Sarbanes Oxley (SOX) compliance. According to the Public Company Accounting Oversight Board (PCAOB) (www.pcaob-us.org) , 15,000 US companies, 1,200 non-US based companies and 1,423 accounting firms spread across 76 countries are affected by SOX. In particular, Section 404 (404), which deals with management’s assessment of internal controls, affects CIOs and information technology (IT) departments (Berghel 2005). With the widespread use of technology, internal controls are either fully automated by being embedded within information systems, or combine automated and manual controls. 404 therefore corrals a wide range of applications such as product accounting, general ledger, asset and inventory management, billing and accounts, receivables and payables, payroll, budgeting and other operational, tracking and reporting systems. These include not only the organization’s main systems, such as ERP systems, but also local databases and personal spreadsheets developed and used on an ad hoc basis. Consequently, compliance and regulatory issues are something that CIOs need to understand, address and certainly not neglect (see inset box).