IT and corporate governance
All businesses today depend on IT and its successful deployment as a key tool
in achieving corporate goals and objectives. Business processes use IT for the
cost-effectiveness and the time saving that it ensures.
For listed companies that mandatorily have to comply with Clause 49 of the Listing
Agreement laid down by SEBI, life can indeed be difficult without IT.
The amendments in Clause 49 span over a number of business sections and involve
groups of executives such as the Management, Board of Directors, Audit Committee
and shareholders. To ensure compliance in all business areas, the CIO needs
to be well informed about Clause 49 and employ an effective IT strategy for
Sunil R Chandiramani, Partner, Ernst & Young,
discusses two key areas of Clause 49: legal compliance and risk management.
On a quarterly basis, the CEO or the Chief Compliance Officer
is expected to certify to the SEBI that the company is in compliance with all
the applicable rules, laws and regulations required of a listed organisation.
The areas of compliance that a company may need to certify are numerous and
complex, and involve several employees of the company. Some of the areas of
compliance are Labour Act; Shops and Establishment Act; Health, Safety and Environment
Act; value added tax; excise; sales tax and customs. The list could go on with
variations at a state level, could be in relation to the Explosives Act for
its canteen where LPG cylinders are stored, or the Labour Act, where labour
On a periodic basis, every company listed on the stock exchange is expected
to report to the Audit Committee about the risks facing the company, along with
the risk assessment and the minimisation procedures. For this, the company has
to gather data about the risks it may face from all business areas. This data
needs to be collated, prioritised and presented to the CEO.
Tools for risk management
Companies need surveys that can be easily implemented to assess the risks being
faced. Also required are data collation tools, means of understanding trends
in the market and information about new risks and ventures. Further, companies
need to identify people responsible for a particular risk, know their perceptions
of the risk and compare the same with reality.
All of this can be done efficiently and quickly using technology.
The CIO's role
CIOs, as the IT heads of companies, can play a pivotal role with their knowledge
of technology. They can provide solutions for compliance by advising about collation
and presentation of data, and thus enable the Board to act.
In my experience, CIOs don't usually participate in Board discussions about
compliance issues. This raises some important questions: Are CIOs shying away
from these discussions? Are they unaware of them, or are they being kept out
by the business leaders?
This is a key issue that is facing corporates today.
Steps for the CIO
To ensure that compliance and IT's role in it are discussed in the
Board, without CIOs being sidelined, they should:
- Get a comprehensive understanding of Clause 49.
- Discuss with the CEO, CFO and Chief Internal Auditor
(CIA), and plan the projects that the company can undertake to support compliance.
- Decide the technology that must be used and how
that can be effectively integrated in other systems and procedures of the
company. This will create a network solution for the purpose, and ensure cost-effectiveness.
The CIA's role
Besides the CIO, the CIA also plays an important role in corporate governance.
In compliance review assessment, he reports to the management and the Audit
Committee. Section 302 of the Sarbanes-Oxley Act requires CEOs and CFOs to certify
in writing and under oath, the accuracy of financial reports and the effectiveness
of disclosure controls and procedures.
Organisations need reliable processes to support these certifications,
and internal auditors play a key role in designing and evaluating these processes.
These practices are emerging to provide CEOs and CFOs with the information necessary
to assure the investing public that financial representations are complete and
The role of IT in compliance
can be summed up as:
- It helps collaborate in a controlled environment: IT
provides a role-based control environment that encourages collaboration
while maintaining discipline and structure. Users can effectively publish,
store, share and find all information relating to corporate governance
in this environment, including minutes of the Board meeting, corporate
policies, risk data, corporate control, SEC filings and other managed
- It promotes standard operating procedures: This
provides a robust content repository for storing and controlling the
documents that describe organisational charts, policies and standard
- It facilitates effective risk management: Risk
management provides knowledge gathering and notification capabilities
that would ensure that internal and external risks to achievement of
corporate objectives, such as changing economic, regulatory and operating
conditions, are quickly discovered and assessed, and well-informed decisions
are made to mitigate risk.
- It gathers and disseminates relevant information: This
activity provides numerous ways to identify, capture and communicate
relevant information in a form and timeframe that enables people to
work within their responsibilities.
- It effectively monitors performance: IT
enables you to effectively monitor the quality and performance of its
control systems through ongoing monitoring or single evaluations.
- Mergers & acquisitions: IT enables
you to effectively merge two different entities and their respective
IT architectures. A poorly-handled IT integration between merging companies
can jeopardise the business.
There are two key steps by which a CIO can measure whether an organisation is
compliant with Clause 49:
1. The speed with which information becomes available in the company.
2. The ease with which compliance can be achieved.
Cost of compliance technology
One can look at the cost factor this way: if technology isn't there,
how would one certify on compliance?
For example, the number of man hours taken by a company to manually create reports
and business processes, and then check whether it had achieved compliance, is
much more than the time taken by the same company after it had deployed IT for
the purpose. This is the fact about compliance that is being valued by all stakeholders.
Pitfalls to avoid
There are a few processes typically performed wrong by organisations that try
to be compliant with Clause 49.
- Many don't try to find out enough about the automated
IT controls within their financial systems, which can help with compliance.
They look at other financial means instead.
- Some don't use technology for the process of
achieving compliance. Others lack the understanding of what needs to be done
about the compliance process: what it means, how large it is and so on.
By US standards, this would amount to fraud.
Other focus areas
Compliance and risk management are just two of the most important focus areas
related to Clause 49. Others are related to management, greater independence,
tracking data, and compliance with different procedures and processes. For achieving
compliance smoothly in all these fields, it is impossible for a company not
to use technology to be cost-effective and to gain competitive advantage.
As told to Soutiman Das Gupta and Newly Paul