Mention business continuity to CFOs and see how long it takes them to change the subject. Yes, it's a risk issue, and they'll readily agree it demands attention. Just not theirs. Typically, business continuity, which includes contingencies for business interruptions ranging from telecom outages to natural disasters to, perhaps, terrorist attacks, is seen as a technology issue. In fact, in a 2005 survey of 1,286 managers claiming responsibility for their employers' business-continuity plans, the bulk of the respondents were either IT managers, tech staffers, or chief information officers.
That may be changing. Within an Internet chat room devoted to compliance, which is most definitely a CFO concern, there developed a lengthy thread on business continuity. The initiator of the discussion wanted to know if Sarbanes-Oxley requires publicly traded companies to set up disaster-recovery or business-continuity plans. In fact, Sarbox never once mentions "disaster recovery" or "business continuity," and the Public Company Accounting Oversight Board's Auditing Standard #2 specifically states that business continuity "is not part of internal control over financial reporting" (see "Straight from the PCAOB" at the end of this article).
Despite that seemingly open-and-shut case, debate does in fact rage on this issue. Some of the conflicting views appear to stem from companies' reliance on the Treadway Commission's Committee of Sponsoring Organizations's (COSO) internal-controls framework, which calls for identifying and managing internal and external risks. Also creating confusion is the silence of the Securities and Exchange Commission, which, aside from requiring financial-services firms to prepare disaster-recovery plans, has not issued any broad guidance on businesses continuity. (The agency itself was criticized by its independent auditor in 2003 for its lax business-continuity plans.)
General uncertainty about a potential intersection between Sarbox and business continuity seems to extend to consultants as well. When CFO contacted three of the Big Four accounting firms (Ernst & Young declined to be interviewed), they offered conflicting responses on the issue, a fact borne out by at least one customer who said in a Web post that his auditor agreed that what a customer is told "depends on who you ask."
What Part of "Yes and No" Don't You Understand?
At YRC Worldwide Inc., the Sarbox compliance program does not include any provisions for business continuity, for one seemingly simple reason: "It's our understanding that there is not a disaster-recovery requirement in Sarbanes-Oxley," says Don Barger, CFO of the $7 billion trucking company.
YRC's view echoes the position of PricewaterhouseCoopers, which appears to be cleaving to the letter of the law. "Companies can — and should — make sure they have a good business-continuity plan," explains Mark Lobel, a partner in PwC's Advisory Practice. "But it's not in Sarbox and in the compliance world, because it's not something you can test."
Partners at other firms disagree. Steve Ross, national leader of Deloitte & Touche's business-continuity practice, argues that public companies need solid business continuity plans to fully comply with Sarbox rules on data backup and recovery, as well as records management. Likewise, Big Four rival KPMG is advising clients to treat business continuity as a compliance issue. Greg Bell, a partner in KPMG's Atlanta-based Advisory Services Practice, predicts that shorter deadlines for financial reporting will cement the link. "The need for business continuity to minimize interruptions becomes more important" as those deadlines are tightened, he says.
Section 409 of the act, which spells out requirements for speedier disclosure of material events, may ultimately provide the nexus for compliance and continuity. Ross believes that companies will become far more concerned with contingency measures as they shift their focus from Section 404 to 409. Says the Deloitte partner: "There's nothing like having your office building or data center blown up to have a material impact on your business."
How the SEC reacts to such events remains to be seen. In the aftermath of Hurricane Katrina, the Commission extended filing deadlines for Gulf Coast companies. But more ordinary bumps — a network virus, for example — might not receive such sympathetic treatment. "When you're getting ready to send out your 10-Ks, how do you do that if a disaster occurs?" asks Nicholas Benvenuto, managing director at risk-management specialist Protiviti Inc. "The SEC is not going to say, 'It's OK, you've had a disaster.'"
While many executives might be tempted to side with YRC's Barger, who says that "sometimes vendors use Sarbanes-Oxley to try to sell solutions that are really not required by it," more clarity regarding what is required versus what simply constitutes good business practices would help companies set priorities and get a better handle on the amorphous beast known as "compliance."
Elaine Appleton Grant is a writer living in Strafford, New Hampshire.
Straight from the PCAOB
Audit Standard #2 Reads As Follows: "Furthermore, management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting."
Why Most Meetings Start Late
Many studies have sought to quantify the extent of employees' personal Web use, but few have been as broad as that conducted by software firm Burstek. A study of 10,688 employees in seven industry sectors put hard numbers to employees' habits regarding E-mail, chat rooms, shopping, and recreational reading. The survey includes both companies that have installed Web-filtering software and those that haven't, and lists categories of sites that employees attempted to access, succeeding in some cases but not in others, depending on a given company's policies. Burstek suggests that personal use can be broken down into three broad categories: legal liability (hacking, pornography, gambling, hate speech, and so on), security risks (spyware, file sharing, malicious code), and good ol' productivity loss (E-mail, shopping, and so much more). — Scott Leibs