Impact of Sarbanes Oxley Legislation on it Organizations

Sarbanes-Oxley legislation's effect on IT Companies

Public Company Accounting Reform and Investor Protection Act of 2002 (the Sarbanes-Oxley Act) was an attempt by regulators to increase transparency and accountability in business processes and corporate accounting to restore confidence in public markets. (Logan and Mogull, 2003) One optimistic article published in the wake of the 2002 Sarbanes-Oxley legislation stated that "new personal responsibility" for companies' financial accountability could benefit chief executive and financial officers by increasing trust and thus increasing revenue for corporate America in the long-term. (PR Newswire, 2002) But James O'Brien notes in his 2002 textbook on Management Information Systems, that the act was passed in the wake of the Enron scandal, not to help corporate America, but to protect the consumer.

Although spawned by an oil scandal, it affects all companies. The act was not specifically passed to regulate oil, IT or any specific companies in any specific industry. However, technology often defines and executes business processes or parts of business processes more specifically in IT firms. (Logan and Mogull, 2003) Furthermore, in IT companies, "the technology and business process regulated by Sarbanes-Oxley are so entwined that it's impossible to separate them," from the functions the company serves, unlike other industries. (Logan and Mogull, 2003) Thus, the costs incurred by the additional needed protocols to increase accountability may be greater for IT firms.

All of a firm's IT systems must be compliant with Sarbanes-Oxley, even though the only technology category that the law mentions specifically is "electronic communication." (O'Brien, 2002) Electronic financial accounting systems, enterprise resource planning, general ledger and supply chain management systems "will all be subject to the regulation." (Logan and Mogull, 2003) Sarbanes-Oxley also requires that companies keep good records of all financial dealings in an accountable manner, and often companies may have had adequate control over paper records, had inadequate control electronic documents. IT firms are more likely to use virtual records that can be deleted, have less administrative protocols because they are constantly changing and have yet to be standardized in such a volatile industry, and are thus uniquely in danger to fall afoul of the legislation. The innovations characteristic of the industry may fall befoul of the requirement that "installations or modifications to enterprise financial reporting applications are subject to mandatory quarterly reporting under Section 404 of the Sarbanes-Oxley Act, and "failure to report may result in violations." (Zrismick, 2002)