High-tech meets high-standards: Sarbanes-Oxley and technology.

• Author: Cytron, Scott H.
• Position: Cover Story

Like a 10-ton gorilla dropped smack dab in the middle of a five-by-five foot monkey cage, the Sarbanes-Oxley Act of 2002 (SOX) is putting the squeeze on the accounting profession. While some argue SOX is a strong effort to bring back the public's trust, practically the same number believe it is just one more attempt by the government to hold dominion over big business.

**********

Although SOX requires public companies to disclose more financial information than in the past, the Act also holds corporate directors and officers more accountable than ever. Through the jurisdiction of the PCAOB (Public Company Accounting Oversight Board--www.pcaobus.erg), SOX requires a company's officers to assess and certify the effectiveness of the internal controls the company uses for financial reporting. However, the assessment and certification cannot be done without other changes in the process and with the tools that make possible proper financial reporting. In turn, this brings questions and solutions on how technology and systems work in tandem.

Even if a non-public company is not mandated to meet SOX requirements, many are stepping up their efforts to address deficiencies in their systems. At the same time, the CPA--accounting professional and financial advisor--also must become more aware of the issues surrounding S0X to continue providing an enhanced, on-point delivery of services.

Proactive Preparation is Key

Meeting the requirements for executive certification of financial statements and internal-control reporting is the greatest challenge associated with SOX compliance, according to respondents in a recent survey of 300 CFOs of publicly held companies conducted by Protiviti, an audit and risk consulting firm. In the same survey, almost 30 percent said the top challenge is aligning audit committee responsibilities with the requirements.

Public companies already are on board with SOX; as of June 15, 2004, companies must comply with Section 404 of the Act, which requires an annual management internal-control report that certifies the procedures used to ensure effective financial reporting. According to the Securities and Exchange Commission (SEC), beginning with a company's fiscal year ending on or after June 15, 2004, a public company must issue four statements that:

1. Attests to managements responsibility for maintaining internal controls.

2. Identifies the framework used to evaluate internal controls.

3. Says the company's auditor attests to management's assessment.

4. Assesses the effectiveness of internal-reporting controls.

While these statements are mandated for public companies, smaller businesses should not avoid addressing the same types of requirements in their own companies, says J. David Ryan III, CPA, vice president of Information Services for Artromick International in Columbus, Ohio. Ryan is a past chair of The Ohio Society of CPAs' Technology Committee and has consulted with the staff at the Society to ensure its systems are efficient and productive.

If a privately held company or non-public business of any size does not have to get its systems in line with SOX's requirements, why make any changes at all?

"You can't stick your head in the sand," he says. "If one of your goals is to grow the company, and you are aligned with SOX, then it makes you more attractive to business partners, customers, and even someone who one day in the future may want to acquire you. It just makes sense."

Ryan has a tactical and strategic role with Artromick, a privately held manufacturer of medication carts and accessories, medication systems, medication furniture, and ancillary carts. He oversees all of the technology and telecom services within the company of 150 employees, and finds ways to use technology from a strategic aspect to improve process and...