What were some of the big control gaps that early Sarbanes-Oxley efforts uncovered?
Wagner: We found in many instances that control documentation was way behind or didn't exist. A second issue was the tone at the top: the communication out of the boardroom and the CEO suite that sets the stage for the organization, including how it deals with ethical standards. We found that there was often very little communication across organizations around the importance of maintaining good controls. In some cases, we found duplication of control activities that created inefficiency. We ran into unnecessary complexity in the extreme. In the IT area, there was duplication of systems. One division of a company had 200 financial accounting systems.
Dittmar: And organizations didn't know what their control programs consisted of. They knew they had them, but as one executive told me, it was "kind of tribal". There was no consistency in how they did it. We also found uncontrolled access to systems and challenges around security and change management.
How have Sarbanes-Oxley compliance efforts yielded dividends at some companies?
Wagner: We look at the documentation of systems and policies. In its absence, it's hard to know what's going on and hard for employees to know what their responsibilities are. At many companies, the documentation -- job descriptions, responsibilities -- wasn't up to date, so it was hard to hold people accountable for specific standards of performance. By getting that up to date, companies were able to execute business activities better, because while documentation serves a purpose in control, its primary purpose is as a written guide for people to follow. Without it, people are ad-libbing.
Dittmar: Documentation requires a company to take a hard look at its end-to-end data, processes and systems. People get in silos and they don't know what happens in the next step. Sarbanes-Oxley forced companies to look at business processes and say, "I wonder why I do that."
You mention a new mindset among boards of directors, particularly audit committees.
Wagner: Previously, they were paying attention, but they were not nearly as involved as they are today. They ask different questions and bring a higher level of expertise than they used to. They ask how things will be resolved. They want to understand all manner of material risk and what remedial actions are going to be undertaken. There's a keener interest in IT activity, which they shied away from in the past.
You write that companies are beginning to leverage Sarbanes-Oxley activities to facilitate other compliance tasks.
Dittmar: Compliance initiatives are silos unto themselves, but people are now realizing that there's some commonality of good compliance programs regardless of domain. CIOs would love to have a comprehensive view of how IT can better support governance, risk management and compliance. There was no one place to go but to the Open Compliance and Ethics Group. That is creating a source for people to get basic information on leading practices to deal with this. Companies are just scratching the surface now about how to bring a more comprehensive approach so compliance becomes a byproduct of what they do.