The U.S. Securities and Exchange Commission (SEC) has failed an internal audit of its financial controls. This will increase congressional scrutiny of other government agencies.
On 26 May 2005, the U.S. Government Accountability Office (GAO) announced the results of an audit showing that the SEC "did not maintain effective internal control over financial reporting." The GAO audit, which is available online at www.gao.gov/new.items/d05244.pdf , found "material weaknesses" in the SEC's internal controls, including general IT controls. The GAO announcement closely follows the release of an SEC staff report on the implications of the Sarbanes-Oxley Act ( www.sec.gov/info/accountants/stafficreporting.htm ), which sets standards for financial reporting.
Only 0.3 percent of U.S.-based companies currently report material weaknesses in IT controls through Sarbanes-Oxley, so the fact that the SEC — the body responsible for regulating the U.S. securities industry — has difficulties in this area is highly significant for government CIOs. The recent SEC staff report on Sarbanes-Oxley contains specific information and recommendations on IT controls, including an acknowledgment that COBIT (Control Objectives for Information and Related Technology) is an appropriate standard for IT controls.
Many industry observers will find the temptation to cast stones at the regulators irresistible. But it is important to remember that under the Accountability of Tax Dollars Act of 2002, only independent federal agencies such as the SEC are required to undergo an independent audit of internal controls. Most federal government organizations fall under Office of Management and Budget (OMB) Circular No. A-123, "Internal Control Systems," which implements the Chief Financial Officers Act and calls for "self-assessment" of internal controls. The SEC audit will raise congressional awareness of weaknesses in the Chief Financial Officers Act.
Recommendations for U.S. government CIOs and chief financial officers: Prepare for more intense scrutiny of internal controls from congressional oversight committees, the GAO and the OMB.
Analytical Sources: French Caldwell, Gartner Research
Recommended Reading and Related Research
"Use a Process Framework for Compliance and Think Long Term" — Companies working to comply with Sarbanes-Oxley requirements or other new mandates should combine risk management and IT process frameworks. By Debra Logan, John Bace and Lane Leskela
"The 2005 Planning Guidance for Compliance" — IT organizations will assume a more prominent role in compliance management, and automation and rationalization of business applications will be needed to reduce compliance costs. By French Caldwell and others
(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)