Canadian IT departments are starting to figure out their compliance strategies in response to new Canadian Securities Commission regulations, the federal privacy law, the U.S. Sarbanes-Oxley Act and other rules binding their enterprises.
Most large companies are affected by at least some of this legislation. Up to now, many of them have been busy understanding what is required of them and what they need to do to get up to speed, says Tony Masella, partner in finance and performance management at Accenture in Toronto.
“Now they’re trying to figure out how . . . to bridge those gaps.”
While U.S. companies must comply with Sarbanes-Oxley requirements this year, non-U.S. companies with stocks listed there have until 2005. The newer Canadian Securities Commission regulations will not require publicly traded companies to document their internal controls until either 2005 or 2006, says Doug Wilkinson, enterprise risk services partner at Deloitte Consulting in Toronto. Details of the Canadian rules will likely be clarified this fall, he says.
Many companies are turning to short-term fixes to comply with the new laws quickly, Masella says. That’s fine for now, but smart businesses will have to figure out the ideal answer in the longer term, he says.
“They need to figure out how to optimize their organization for this new reality,” Masella says.
In some cases, complying with new laws and regulations will mean acquiring new technology. For instance, Philadelphia-based Longview Solutions sells Khalix, software that consolidates financial information from assorted enterprise resource planning systems, spreadsheets and other sources to provide a single set of figures for an entire organization.
“It replaces all the silos of data that large corporations tend to have,” says Michelle Wettlaufer, vice-president of finance at Longview.
EVault Inc. of Walnut Creek, Calif., has an e-mail archival service, called ProMail, that can help businesses make sure old e-mail messages are readily retrievable should they be needed. George Ho, technology manager at Toronto-based Clarington Funds Inc., says the mutual fund management company is evaluating ProMail as a possible way of complying with securities legislation that requires it to be able to produce e-mail messages.
Clarington Funds has also looked at some software that might help address privacy requirements of the Personal Information Protection and Electronic Documents Act, Ho says, but “nothing has really piqued our interest.”
Wilkinson says consulting and auditing firms are offering “point solutions” to help clients comply with new rules, and a number of software firms are adding features to their products to address the requirements. For instance, Waterloo, Ont.-based document management software vendor Open Text Corp. has “taken their product a long way to turn it into a compliance product,” says Wilkinson.
Not all businesses need new software to comply with financial legislation, Masella noted.
“If they’ve purchased the leading financial applications in the past I would say two or three years, they probably have the software they need,” he says. However, he added, not all businesses have implemented the features in their existing software that will bring them into line with new legislation, so they may still have work to do.
Whether they are buying software or tweaking existing applications to meet new requirements, businesses may have to ask themselves who pays for the extra technology or work to comply with new laws.
Wilkinson says many organizations have set up compliance project teams reporting to the chief financial officer, and associated expenses therefore fall into the CFO’s budget, though IT plays a role.
Law firm Borden Ladner Gervais is not affected by securities rules, but “we will have to deal with the impact of the privacy legislation in terms of all of our systems,” says Joel Alleyne, chief information officer and chief knowledge officer. Alleyne says it is not certain what budget category any associated costs fall into, but the more interesting question is how the legislative requirements affect IT priorities.
Legislative requirements can push an item to the top of the priority list, Alleyne says, which potentially could take attention away from other things.