IT executives who shift corporate governance responsibilities back to the business unit face the wrath of shareholders and regulatory authorities if obligations under legislation like the US-based Sarbanes-Oxley Act are neglected, according to Morris & Patron principal Chris Morris.
Speaking at AXS-One's Regional User conference, Morris said many IT professionals still failed to grasp the big picture of compliance.
"IT executives are poorly prepared for making their organisation's policies and processes comply with Sarbanes. But the reality is that IT management is deeply involved in keeping compliance on track within the business, [but] CIOs are often operational people with less of a business understanding," Morris said, noting that governance acts came about because corporations lacked common-sense approaches to managing financial reporting procedures.
"Compliance to laws like Sarbanes is about implementing a sound records retention policy. Companies must involve business and IT management in the compliance process because they will tackle information content issues as well as issues around business process," Morris said.
Specifically, Sarbanes-Oxley holds CEOs and CFOs responsible for ensuring their organisation documents and retains all critical records in an audit trail with particular reference to information on legal, tax, regulatory and HR dealings that are held within e-mail, telephone discussions and company files.
"You'd have to live inside a cave to not realise the damage to your company's brand, shareholder value and reputation from not having an e-mail retention policy," Morris said, naming Enron, MCI Worldcom, British American Tobacco and Pan Pharmaceuticals as examples of companies with improper information retention practices.
Morris argued most companies are in for a rude shock when they undertake the task of implementing processes, systems and controls to meet corporate governance requirements, because they underestimate how big a job compliance is. "The length of the process to retain critical information, govern this process and sign off on it is an ongoing lifecycle process."
Companies will try to find a vendor to solve all their IS needs, but no one has a magic bullet solution, he warned.
"Don't wait for a vendor with the 'right' strategic technology, but use a short-term solution which can resolve immediate business needs and help you progress to a level of compliance."
In what he called a "sad state of affairs", only one delegate in a room of 50 at AXS-One's user conference said they were aware of their company's e-mail retention policy.
The applications that businesses need to implement for Sarbanes-Oxley compliance will need to manage risk enterprise-wide, covering frontline customer service, executive management, and records managers and staff in the back office, Morris said.
He recommended that, on average, companies spend between $1 million and $2 million on IT projects to meet content retention requirements. Just under half of the spend (45.8 per cent) will be on baseline infrastructure (mainframes, mid-range servers, distributed computing, networking and help desk).
He said 20 per cent will be on software licensing, and 10.6 per cent on application maintenance. Some 22 per cent of spend will be discretionary to fund "change" activities around compliance while 30 per cent should be spent on a review of retention requirements before any projects begin, he advised.