
Bart Perkins: Avoiding IT audit nightmares

Bart Perkins | May 21, 2013
IT's problems can draw unwanted notice now that Sarbanes-Oxley requires them to appear in 10-K reports as 'material weaknesses.'

No organization wants its problems announced to the whole world. In IT, when something goes wrong, our inclination is to tell the internal people who need to know while at the same time communicating our plan to resolve the problem. But such discretion is no longer viable. Because of regulations under the Sarbanes-Oxley Act, IT problems are now appearing in 10-Ks, as "material weaknesses." That phrase could indicate that enterprise financial data is inaccurate. Yikes!

The Federal Home Loan Mortgage Corp. (Freddie Mac) encountered this nightmare in its 2011 and 2012 10-Ks. Auditors stated that material weaknesses existed in Freddie Mac's internal financial reporting controls. The 2011 10-K acknowledged the weaknesses, asserting that they resulted from the conservatorship imposed during the financial crisis. The 2012 10-K stated that the 2011 problems were "related to our inability to effectively manage information technology changes and maintain adequate controls over information security monitoring, which resulted from increased levels of employee turnover."

Such public confessions attract unwanted scrutiny from executive management and the board. Their concern is well founded. Freddie Mac's 10-K filings contributed to a free fall of its stock.

Freddie Mac's IT challenges are hardly unique. In its 2012 10-K, it stated, "Our core systems and technical architecture include many legacy systems and applications that lack scalability and flexibility." Later, Freddie Mac added that its accounting systems "lack sufficient flexibility" and went on to explain that "this requires us to rely more extensively on spreadsheets and other end-user computing systems."

If any of this sounds familiar, start addressing the issues now to prevent being cited in a future 10-K. Here are some ways to do that:

Take audits seriously. Annual audits assess incident management, change management, availability management and other internal IT controls, resulting in a list of "findings." But auditors often fail to assign relative importance to those findings, leaving IT to set priorities. Because fixing audit-related issues generally receives far less emphasis than other projects, the same issues might remain on the list for years. This is a mistake. Change your attitude, and consider the audit an opportunity to determine how well IT functions and supports the enterprise.

Develop an "insurance" business case. One thing that puts projects that address audit findings on the back burner is that they don't directly affect profits. That makes them unsuitable to a traditional business case structure. You need to make an "insurance" business case, arguing that an investment is warranted because the impact of a potential event is so catastrophic. This approach, commonly used for SOX compliance and business continuity plans, can be used to justify funding necessary to address known IT weaknesses.
