Effects of Sarbanes-Oxley Act on IT Management


The Sarbanes-Oxley Act is a federal law that was enacted in the United States in 2002 to provide new standards for public accounting firms, organizational management teams, and public company boards. The creation of new standards was motivated by the Enron scandal, which resulted from the use of special purpose entities and mark-to-market accounting (Grill, 2013). The main objective of the act was to enhance disclosure in financial statements and ensure that such disclosure is verified and certified by responsible authorities. This implies that the Sarbanes-Oxley Act gives management direct responsibility over the disclosure of financial statements, failing which penalties are imposed on board members or individual managers. This paper will focus on the major elements of the Sarbanes-Oxley Act, its implementation, its effects on IT management, and its future impacts.

Purpose and the key elements of the Sarbanes-Oxley Act compliance plan

The main purpose of the Sarbanes-Oxley Act was to create a responsible environment that would allow accurate disclosure of financial statements (Grill, 2013). This would be achieved through the enforcement of activities that foster honest accounting and the creation of the Public Company Accounting Oversight Board. Although the Sarbanes-Oxley Act has many features geared towards enhancing honest accounting, five of these elements have a direct effect on target organizations, especially on the aspect of IT management. The first element focuses on the rating and assessment of the governance structures of all companies, their policies, controls, and procedures to ensure that they have complied with disclosure regulations (The Blue Sage Group, 2006). Secondly, the act emphasizes proper planning as well as process development of a compliance package that includes documentation, review of internal controls, facilitation of control review, and creation of a disclosure committee. Third, the act creates the need for effective implementation and training of operational and financial members of staff, who should ensure that their employer company has fully complied with disclosure regulations. The fourth element focuses on the methodology and measurement of processes to assess whether companies have complied. Lastly, annual follow-up is an important element that helps in the identification of financial trends to ensure that there is sufficient disclosure in all financial periods.

Implementation of Sarbanes-Oxley Act

The Sarbanes-Oxley Act contains different provisions that would be implemented and become effective at different times. Section 302 (disclosure controls) mandates internal procedures that are designed to ensure that financial statements are accurately disclosed. Under this section, external auditors should give an opinion of their assessment as to whether internal controls sufficiently took account of all disclosure requirements. This was an additional requirement over prior regulations, which was intended to enhance the accuracy of financial statements. This requirement on third opinion was moved in 2007 (The U.S. Securities and Exchange Commission, 2008).

The provisions of section 303 of the act (improper influence on conduct of auditors) were implemented at different times after the date of enactment. The act mandated that the Commission should propose rules pertaining to section 303 within the first 90 days of enactment and give final rules within the first 270 days of enactment (Jones, 2011).

Section 401 of the act (disclosure in periodic reports) mandated an SEC study, which was conducted and reported in June 2005, and interim guidance that was issued in May 2006 (U.S. Department of Treasury, 2006). The study was intended to enhance the understanding of the extent to which the instruments were utilized and their capacity to address the instruments.

Section 404 contained provisions that would reduce the cost of compliance, which were pursued on different timelines. For example, initial guidelines issued in 2004 and interpretative provisions provided in 2007 enhanced the understanding of management teams so that they could reduce their efforts to comply (Securities Exchange Commission, 2007). This implies that, although all provisions of the Sarbanes-Oxley Act became effective on the same date, there were other regulations that took time before full implementation and that enhanced adequate compliance.

Effects of the Sarbanes-Oxley Act on IT management

The high cost of ensuring full compliance with the Sarbanes-Oxley Act is one of the major drawbacks that most of the companies operating in the United States feared. Many companies have adopted the most relevant technology that can help them automate their internal controls and reduce the need for additional human resources to carry out these controls. According to Hoffman (2005), a third of the multinational corporations based in the United States had started making extensive use of information technology with the objective of streamlining their operations and enhancing compliance with the act by the year 2005. This extensive application of technology was expected to reduce the cost of compliance by about 20 to 40%. In addition, technology (software) reduces the effort needed for companies to comply with provisions of the act, which means that corporations will require fewer members of staff to ensure compliance.

Although it seems to be an immediate solution to the issue of the high cost of complying with the Sarbanes-Oxley Act, there are five major challenges that might hinder this goal. First, it is difficult for companies to segregate duties within IT applications, set up new accounts, and stop the old ones (Worthen, 2005). Secondly, extensive application of information technology in accounting and auditing activities denies the management an opportunity to conduct oversight and make the necessary changes. This subjects CIOs and the entire management teams to the risk of failure to comply with the Sarbanes-Oxley Act. Third, IT does not provide adequate financial audit logs, which forces the management to set up additional audit logs to ensure compliance with the act. Fourth, extensive use of IT is intended to automate accounting and audit activities, which reduces the capacity of the management to detect abnormal operations in time. Lastly, although many organizations have IT-competent members of staff, systems designed to enhance compliance with the Sarbanes-Oxley Act have configurations that are difficult to understand (Worthen, 2005). This suggests that there are emerging challenges as firms rush to IT to reduce the cost of compliance.


The Sarbanes-Oxley Act was created to provide a secure environment for investors by enhancing disclosure of financial information. However, the enactment of this act presented management with challenges such as an increase in the cost of compliance. Although many companies perceive that extensive use of IT will reduce the cost of complying with the act, they should be prepared to address other emerging challenges. Based on the emerging challenges of the application of IT to enhance compliance, there are three major questions that IT management has failed to answer. How will the management set up and automate audit logs without the fear of receiving inaccurate results? How will the CIOs and the management detect abnormal operations in time in the automated system? How will the management exercise the role of oversight over the automated system?


Grill, B. (2013). Sarbanes-Oxley for entrepreneurs. Gaebler Ventures. Retrieved June 19, 2014, from http://www.gaebler.com/The-Sarbanes-Oxley-Act-An-Introduction.htm

Hoffman, T. (2005, October 17). More companies tap IT for Sarbanes-Oxley. ComputerWorld Incorporation. Retrieved June 19, 2014, from http://www.computerworld.com/s/article/105463/More_Companies_Tap_IT_for_Sarbanes_Oxley?taxonomyId=018

Jones, R. (2011). The Sarbanes-Oxley Act 2002. Cincinnati, OH: University of Cincinnati.

Securities Exchange Commission (2007). Commission guidance regarding management’s report on internal control over financial reporting under section 134 or 15 of the securities exchange act of 1934. Washington, DC: Securities Exchange Commission.

The Blue Sage Group (2006). Elements of a Sarbanes-Oxley compliance program. The Blue Sage Group. Retrieved June 19, 2014, from http://thebluesagegroup.com/sarbanes-oxley/sarbanes-oxley_elements.htm

The U.S. Securities and Exchange Commission (2008, August 28). Final rule: Management’s report on internal control over financial reporting and certification of disclosure in exchange Act periodic reports. The U.S. Securities and Exchange Commission. Retrieved June 19, 2014, from http://www.sec.gov/rules/final/33-8238.htm

U.S. Department of Treasury (2006). Interagency statement on sound practices concerning elevated risk complex structured finance activities. Washington, DC: U.S. Department of Treasury.

Worthen, B. (2005, July 1). The top five IT control weaknesses. CXO Media Incorporation. Retrieved June 19, 2014, from http://www.cio.com/article/8097/_The_Top_Five_IT_Control_Weaknesses