Computerworld

Touchpaper questions IT readiness for EuroSOX

Guidance offered to Europe's version of Sarbanes-Oxley.

Asset management company Touchpaper has released a white paper examining the impact on European companies of the EU's version of the Sarbanes-Oxley act.

The Statutory Audit and the Company Reporting Directives are commonly referred to as EuroSOX. These two European directives were issued by the European Union Council of Ministers, and aim to engender more transparency and public confidence in the operations of companies operating within the EU.

The Statutory Audit Directive aims to strengthen the standards and public accountability of the audit profession. The Company Reporting Directive meanwhile aims to enhance confidence in financial statements and annual reports from European companies.

The two EU Directives are required to be incorporated into the national laws of EU member states this summer. States are expected to comply with the Statutory Audit Directive by 29 June, and the Company Reporting Directive by 5 September.

"Directives are not directly applicable (i.e. directly binding on individuals and companies etc) but EU member states must implement them into their national law by the stated deadlines," explained the UK department for Business, Enterprise and Regulatory Reform (BERR).

One of the most notable aspects of these Directives is the requirement that any new business created through either merger or acquisition should be able to produce consolidated accounts within a month of joining forces.

Earlier this year, the Information Security Forum (ISF) warned that the introduction of EuroSOX could be chaotic, as each state will have to interpret and translate the collection of directives that make up EuroSOX, leading to subtle divergences of law between different states.

But Touchpaper, which has recently been acquired by Avocent, is encouraging IT directors to view EuroSOX as an opportunity rather than a headache, with IT departments using the Directives to drive better IT governance. Its white paper aims to help companies understand the practical implications of the Directives, particularly from an IT service management perspective.

Touchpaper warns IT directors that while there is no technology-based 'magic bullet' solution for compliance with the Directives, the IT department nevertheless has a vital role to play in improving the general state of corporate governance in Europe.

"IT directors should be informed, so when the financial director asks them, they know a bit about it," said Marina Stedman, director at Touchpaper and the author of the white paper. "There wasn't enough information about EuroSOX, so we wanted to know more, hence the white paper. The paper offers short term actions IT directors can start thinking about."

"European directives are much less onerous than Sarbanes-Oxley," Stedman told Techworld. "They really just highlight best practices. You should be having trained auditors, should understand areas of high risk, fraud prevention etc."

And the IT Director shouldn't worry over possible conflict between EuroSOX and the Sarbanes-Oxley Act. UK and European companies only need to worry about the Sarbanes-Oxley Act (which is a piece of US legislation) if they operate in the United States. UK and European companies will need to operate under the EuroSOX directives, however.

"Good companies will use the European directives to put their houses in order and implement best practices," Stedman added. "We would tell IT directors that they need to understand its basic principles. Understand what processes they have in place, who is accessing corporate information, how it is transmitted etc. If someone asked who has access to this information, would they know?"

"IT also needs to report on it," said Stedman. "For auditing and company reporting purposes, IT needs to record access controls, compliance etc," she said.

That said, Stedman does not see technology as the answer, but she believes it can help put processes in place. "Obviously EuroSOX can't stop some things, so that is why we advise people to be wary of people claiming to have the answers in their software applications," she said. Stedman also cautions against EuroSOX-specific solutions.

"Due to the complex nature of the Directives, the wide range of activities included, the number of member states involved and the long timetable for implementation, it will not be possible to buy a technology solution that delivers full compliance with all of their requirements. Beware of any vendor that professes to do this," she warns.

As such, Touchpaper believes that the IT Director should view the Directives as an opportunity to extend their influence within the corporate hierarchy by proactively driving governance initiatives and making the case for better automation of record keeping/auditing.

The EuroSOX Directives should be implemented into law by 2010.

According to BERR, "the provisions of the Statutory Audit Directive are implemented into UK law through the Companies Act 2006." There is no word on the Company Reporting Directive, but Stedman feels that the UK "doesn't need a lot of change because we already have most of the laws in place."

"One thing that did surprise us was how little coverage EuroSOX is getting," Stedman concludes. "IT is not paying a lot of attention to it, but IT is responsible ultimately for a lot of the processes."

"We advise IT directors to look at their systems and processes, understand where risks are, and put practice into place to manage those," she said. "People shouldn't panic. It is not Sarbanes-Oxley and these checks and balances should be something that companies have in place anyway."