Every day it seems I hear about some new study or panel that claims that U.S. businesses are not doing enough to comply with the new Sarbanes-Oxley legislation, particularly Section 404, which requires risk assessments of financial business processes. This requirement firmly puts the responsibility on IT organizations to ensure that processes and systems are in place to support the legislation.
Specifically, critics claim that finance executives aren't working with their IT counterparts to tackle the requirements, and therefore dire consequences are predicted.
I couldn't disagree more. Not only are my experiences at ABN Amro just the opposite, but I know that many of my IT peers in financial services and other industries are seriously and proactively working to meet compliance regulations and deadlines. Moreover, they're collaborating with their CFOs and business executives to do the job, just as we are.
Some mistakenly think that our company is exempt from meeting the U.S. regulations because our corporate parent, ABN Amro Holding NV, is based in the Netherlands. In fact, any company that operates in the United States and is listed on any U.S. stock exchange, as we are, is required to comply. ABN Amro has over 3,000 branches in more than 60 countries, and total assets of $677.6 billion.
Our primary lines of business are investment and corporate banking, consumer/retail banking and personal client/wealth management.
We are so committed to 404 compliance that we've set up a corporate task force to address the issues. The team includes IT, finance, and representatives from our global lines of business. IT has to be involved to address the business process, transaction, and application requirements. We are mainly focused on three areas: financial statements, internal controls, and IT transactions and processes. Our work is geared toward implementing systems and technology that will help us with compliance reporting, as well as automation tools that will reduce overhead.
Making compliance a high priority has its costs; we estimate up to 15% annual overhead cost. But we've always operated in a regulated environment. We're also used to audits and to following the Committee of Sponsoring Organizations (COSO) standards and codes of conduct for risk assessment, communications, and ethics. Now we're including internal and external controls in IT and accounting.
We're trying to leverage our compliance investments and hope to recoup them over the next 18 months by using this as an opportunity to improve our business processes and transactions globally. It should help our disaster-recovery efforts, too.
As a key industry (along with utilities, hospitals, and government agencies) described in the Department of Homeland Security Act of 2002, financial-services firms must step up to the plate. I'm sure there are smaller businesses in some less-critical industries that are lagging in their Sarbox-compliance efforts. Some don't have the funds or the expertise. I also have some concerns about who will be the ultimate judge of compliance. Nevertheless, the ramifications of noncompliance are real. The key is to find some benefits to the efforts and forge ahead.
William Santille is VP of IT at ABN Amro in Chicago.
This article originally appeared in the February 2004 issue of Optimize magazine, an InformationWeek Media Network publication for CIOs.