
Technology: Transferring the Burden of Compliance


By Tom Johansmeyer, President and CEO, j-Knowledge

The advantages of software on demand extend beyond ease of implementation and operational efficiency. Through the use of the "on demand" model, compliance in technology environments becomes significantly easier to manage. Software on demand has had a profound impact on small cap operations. Based on the Application Service Provider/Managed Service Provider (ASP/MSP) business model of the dotcom days, companies are now offering software as a service, reducing the costly maintenance and resource challenges involved with maintaining a solution in house. Software can be turned on and off as needed. The vendor owns the complexity of managing the environment, applying upgrades, and handling support.

The traditional notion of software involves purchase, environment and system preparation, implementation, and ongoing management. For software on demand, the model is to subscribe to the solution, train employees, and go live. Instead of having to develop an extensive technology control framework for the entire technology environment, you only have to control business processes. You effectively transfer the burden of compliance from your firm to the vendor who provides software on demand. The outcome is that the small cap purchasing technology is responsible for due diligence on the extent to which the vendor is compliant. Additionally, small companies need to develop controls for the business practices that involve the subscribed software. Consequently, Sarbanes-Oxley compliance is easier for companies that subscribe to the software on demand model.

Technology compliance can be expensive, but shifting the burden reduces costs. By taking advantage of economies of scale, vendors can develop the controls needed by all their clients. They implicitly sell compliance as a service, just as they sell their software. Service providers can provide compliance with a much lower price tag, making software on demand a viable alternative for small companies with technology needs. This article will demonstrate explicitly the compliance benefits of implementing software on demand and provide a roadmap for finding software on demand vendors that have sufficiently controlled their respective solutions.

Controlling a Traditional Technology Environment
Complying with Section 404 requires the development of controls that reduce fraud risk in your technology environment. Specifically, Section 404 compliance becomes an issue of access. Technology fraud can be prevented by limiting the access of employees and outsiders to technology, including:
  • Data
  • Software applications
  • Servers
  • Database backups
  • Hosting environments
Preventing access, as explained broadly above, is not synonymous with the technology control term "access control". "Access control" entails preventing individuals from reaching data or other technology. Controls must prevent useful access to technology by unauthorized users.

"Access controls" prevent an unauthorized individual from reaching a database, for example. For the purpose of fraud prevention, though, access control is only the first step. If an employee seeking to commit fraudulent activity bypasses traditional access controls, other measures must be taken (i.e. other controls must be implemented) to ensure that the fraudster cannot use the data or system reached illicitly. Examples include encrypting data in databases and programmatically tying all application transactions to specific users. To control access, you either need to keep people from getting to the technology or make the technology useless when they reach it.

Sarbanes-Oxley compliance has led to extensive requirements around environment, system, and project controls for technology activities. Many measures are implemented to monitor, measure, and audit the actions of technology team members to mitigate the risk of fraud. Change control processes restrict access to "live" systems to ensure that there is an audit trail showing all changes to live systems. Access to live systems is only granted for legitimate business reasons. Help desk tickets are used to track repairs and maintenance to systems across the company. Further, in the information technology world, there are methodologies for everything: structured approaches to all projects that ensure consistency and auditability. Every type of project has discrete phases that are measurable and manageable. Status reports are the norm, and tracking has become more important than getting work done.

Determining the scope of your Sarbanes-Oxley controls is vital to the successful management of your overall IT workload; it is easy to take on too much. According to Section 404, controls must be developed to prevent fraudulent activity vis-à-vis a company's financial statements. Instinctively, this includes A/R systems, payroll, enterprise resource planning (ERP), and campaign management software. These systems directly impact your financial statements. Other systems are more subtle, and they require controls as well. Examples include ad management systems, web analytics, and network management. Each of these systems has a financial impact, though it is not immediate. In order to determine whether a system needs Section 404 controls, simply ask yourself, "What's the impact of ...?"

  • What happens if I lose network access to my order management system? Will I lose orders?
  • Will modifications to an asset management system lead to inaccurate financial statements?
  • What happens if a sales agent misrepresents activity in the lead management system?

Once you have identified the systems that need controls, you need to protect the components of these systems. Each technology system consists of multiple moving parts. Each of these moving parts has weaknesses that must be protected from fraud. In a typical, modern technology system, there are three pieces that require controls:
  • Web server: creates the web pages that individuals use to enter and view data
  • Application server: manages all the underpinnings of the software, to ensure that the program runs consistently and properly
  • Database management server: stores and facilitates the management of data
Fraud can be effected through any of these component systems. Web servers are often used by hackers to gain access to networks. Application servers are also gateways to networks, and they can also be used to manipulate user and access information. Accessing a database server provides the fraudster with customer and company financial information.

To effectively control information technology, three types of controls are needed: environment, software development, and database. You must implement controls for managing the technology environment (data centers, servers, and networks), building and maintaining software, and protecting databases. Environment management controls include using test scripts for consistently validating solutions in the environment, cycles for updating live systems, code reviews, and change control processes. Software development controls include the use of standards for writing code, naming variables, interacting with the database, and ensuring the ability to communicate with other software systems used by the company. Database controls include limiting the use of system users, relying on stored procedures, and requiring rigorous testing before introducing changes into a live environment. And this is just a sampling. There are many, many more.

Clearly, the compliance burden for technology can become overwhelming. Even if you manage scope effectively, there is still a lot of work to do, and it is easy for technology compliance costs to spiral out of control. When technology is either a core competency or a prominent business driver, controls are even more important, and can become more expensive. An effective technology strategy can reduce the cost of compliance significantly. Specifically, software on demand provides an opportunity to use cutting edge technology in your company for a low cost while managing compliance effectively.

Using Software on Demand to Reduce the Cost of Compliance
"Software on demand" is a natural extension of the ASP/MSP business model that became popular during the dotcom era. Instead of selling shrink-wrapped software, vendors have begun to offer software as a service via the internet. This approach reduces the costly maintenance and resource challenges involved with traditional, locally installed enterprise software. Instead of being stuck with one-size-fits-all software, the on demand model enables small companies to consume only the software that they need. The vendor owns the complexity of managing the environment, applying upgrades, and handling support.

For small companies, there are profound advantages to using software on demand instead of the traditional locally installed software model. Software on demand is easy to implement. Instead of managing a project with business and technology components, only the former is required. Implementation time is reduced, and small companies can recognize ROI advantages much more quickly. Less consulting time is needed, as well, given the ease with which you can introduce software on demand into your environment. In addition to the advantages of a less expensive, rapid implementation, small companies only need to pay for what they plan to use. Subscription models (as opposed to software purchase) are much more flexible, and small companies do not need to pay for extensive solutions that will go unused.

Software on demand vendors address a variety of needs across the software industry. No longer limited to secondary processes (like technical support) as they once were, software on demand vendors can now be engaged by small companies for a variety of business needs, including mission-critical functions that five years ago would never have been outsourced. Examples include:
  • NetSuite: provides full enterprise resource planning (including financial systems) and customer relationship management to small and large companies with varying operating environment complexity
  • SalesForce.com: offers full customer relationship management software services, preventing the need for expensive, complex systems like Siebel
  • 24/7 Real Media: enables online advertising through web analytics and statistics, ad serving, and psychographics, all managed by the small company through a web browser
  • eRoom: facilitates online collaboration, version management, and document storage, which is especially useful for remote teams
Software on demand can help with all aspects of small company operations. Through this model, the company only needs to manage business processes that use the software. Maintenance of infrastructure, applying upgrades, and other technology challenges are the responsibility of the vendor. Consequently, compliance becomes significantly easier. Controls must be developed for the business processes that use the software, but not for the software itself.

Technology controls, in order to be sufficient for Section 404 compliance, necessarily entail controlling the information technology environment, software development, and database management. You need to develop business process controls to limit employee behavior regarding technology in the business environment. These are not technology controls, but they affect the use of technology. Software on demand allows you to reduce your compliance load to the development of business process controls only; the vendor addresses the compliance needs of the technology environment. This enables small companies to transfer the burden of compliance heavily to the technology vendor. Your role regarding technology controls becomes finding a SOX-compliant vendor and conducting due diligence.

Compliance Models for Software on Demand
When using the software on demand model, the first step in preparing for Section 404 compliance is screening vendors; this is how you shift the burden of compliance from your firm to your vendors. You need to engage software vendors who have demonstrated that they are Sarbanes-Oxley compliant. Through interviews and documents, you can conduct the necessary due diligence to ascertain whether or not the vendor will help you comply with Sarbanes-Oxley. Due diligence tools available to you are the vendor's annual report, the results of a technology audit, and a disaster/recovery plan.

The easiest, and most effective, approach to vendor due diligence for Sarbanes-Oxley compliance involves the use of the COSO framework. The five components of the COSO framework are:
  • Control environment: the overall corporate culture and the company's attitude toward rules and controls
  • Fraud risk assessment: determining your company's fraud risk exposures
  • Control activities: specific measures taken to limit employee behavior regarding specific business processes
  • Information and communication: learning from controls and disseminating information through the control environment
  • Monitoring: the ongoing examination and analysis of the control environment for determining its existing effectiveness and opportunities for improvement
These five categories represent the tools you need to examine a software vendor's operations to determine the extent to which they comply with Sarbanes-Oxley. Essentially, you can use Sarbanes-Oxley and COSO as part of the vendor selection criteria.

Implementing software on demand consists of three basic steps: (1) business process design, (2) employee training, (3) introducing the solution into your active business environment, i.e. going "live". Implementing a traditional software solution usually consists of requirements definition, business process and technology design, development, testing, and go live. Software on demand reduces the implementation cycle significantly, which correspondingly reduces the compliance requirements.

Business Process Design
The first step in introducing software on demand into your business environment is to determine how to use the software most effectively to facilitate operational improvements. Business process design involves defining how your employees will use the software solution. Flow charts and use cases (step-by-step descriptions of proposed business processes) represent the tools of the trade, empowering the small company to understand fully the impact of the new software on the business environment. The outcome of this phase of project work is a map of the business processes to be improved through the use of software on demand, as well as specific details pertaining to these improvements.

During the business process design phase, you design both the way you will conduct business and how you will control employee activities. When developing your business processes, the most effective way to develop controls is to include them in the processes. Consider order-to-cash processes for a catalog company:
  1. Customer completes order form
  2. Customer includes check
  3. Customer mails order
  4. Checks and order forms are validated then separated
  5. Order is processed through fulfillment channels
  6. Check is sent to lockbox
  7. Payment is processed
  8. Order and payment are reconciled
This process includes controls throughout. Step 4 ensures that the check is appropriate to the order, and Step 8 involves another validation step. Additionally, your business process design phase should include a fraud risk assessment. For the processes you develop, you should consider how fraud could be committed. This process allows you to consolidate your compliance and business process work to reduce the total effort.

Employee Training
What does training entail? It requires much more than you realize. As the typical employee whose job will entail using a new software system, you think that you are being trained on how to use the new product. From the perspective of the person implementing the new software, on the other hand, the effort is much different. Employees will have to learn more than just the software. They need to learn how to use the software within your new operating environment. Training should include the use of the software as your new business processes require. Use of the software itself is incidental; how to use it in your business environment is critical.

By way of learning how to use the new software within the context of your business, employees implicitly receive training on how to comply with your new control environment. Quite simply, training determines the ability of employees to comply with your controls, as well as the ability of your company to comply with Sarbanes-Oxley. Through training specific to your organization's needs, employees learn the boundaries on their activities simply through the course of learning how to do their jobs. Standards are made explicit, and employees learn the exact nature of their new roles. Better training means better control results and more accurate compliance.

Go Live
The final step in implementing software on demand is to use it in your operational environment, i.e. to go live. At this point, you know how you are going to use the software, and your employees have been trained in both software use and the specific business processes that characterize your organization. This is when the new controls take effect. Employees use the new software and implicitly comply with the standards that you have created and trained. Further, documented controls consequently are introduced into the business environment, facilitating compliance. Once you have gone live, internal audit and compliance teams monitor the new control environment to ensure that controls remain relevant and effective.

Cost Advantages
Through the use of software on demand, the scope of what you have to control is reduced significantly, potentially by over 80%. Since the software vendor owns the responsibility for developing and managing all technology controls, what remains for you is to control business processes and employee activity. The controls implementation effort for traditional software is distributed across technology and business as follows:
  • Environment: 30%
  • Database server: 20%
  • Application server: 5%
  • Web server: 10%
  • Network: 20%
  • Business processes: 15%
Through the use of software on demand, your controls development burden ostensibly declines by 85%. More realistically, the decline is closer to 80%, because some resources must be allotted for due diligence activities.

In addition to cost reduction, the use of software on demand reduces other information technology risks. Database administrators, network engineers, and system administrators are all focused on keeping mission-critical systems up and running; taking them away from their jobs introduces risk into the technology environment. With software on demand, these resources can focus on activities not related to controls and instead related to their core competencies, such as:

  • Keeping existing in-house applications working
  • Growth initiatives
  • Fixing other, non-compliance problems
Essentially, you only have to focus on how you do business, which is always worth the time and effort.

Finding SOX-Compliant Vendors
In order to transfer the burden of compliance from your company to your vendors, it is imperative that you select software providers whose solutions are compliant with Sarbanes-Oxley. Software on demand enables all the efficiencies and benefits described above, including rapid implementation, fast compliance, and reduced compliance expenditures. Further, software on demand can provide an immediate advantage to your business. For a software on demand vendor to be most effective in your environment, though, Sarbanes-Oxley compliance has to be included in the selection criteria.

Many companies apply a measured, consistent process to the selection of software and services. By comparing vendors to each other using standard metrics and qualitative information, you will be able to invest from a position of knowledge and authority. While there are a variety of software selection methodologies, common themes include the definition of business requirements that the solution must fulfill, determining technology requirements (in this case, on demand), the strength and management of the vendors, and of course the specific measures taken by vendors to comply with Sarbanes-Oxley.

Conducting due diligence requires more than just asking if a vendor has addressed Sarbanes-Oxley compliance. Likely, just asking will yield a "yes" answer. Given that there are shades of gray on which a vendor can rely, you need a specific course of action when conducting due diligence. Not only do you need proof, you need to know which proof to request. The following documents and actions should help you through the due diligence process.
  • Annual Report: report from the independent auditor
  • IT Audit Findings: from an independent auditor
  • Disaster/Recovery Plan
  • Visit/tour their hosting facilities
  • Understand upgrade and change control processes
  • Find out who has access to the environment
  • Find out who has access to your data
  • Ask if there have been any instances of fraud, and request documentation
Essentially, you are conducting a controls audit. You may not need to be as thorough as an auditor, but you are auditing the control environment of the vendor's solution. Primarily, you need to ensure that a formal, independent audit has been conducted by a reliable third party (such as a registered accounting firm, per Sarbanes-Oxley). Always settle for nothing less than proof of the integrity of the vendors' control environments!

Case Study: Controlling Web Analytics Reporting
What is "web analytics"? "Web analytics" represents the information technology discipline that tracks and facilitates the examination of traffic on websites. Common traffic statistics include page views, unique visitors, and visits measured over hours, days, weeks, months, and years. Think of it as online circulation. Web analytics statistics are useful in determining what content to publish and how to structure your website. Especially for web publishers, the information yielded by web analytics systems can help generate additional revenue through content structure and placement improvements and understanding reader preferences. These analytical activities, in themselves, do not pose a compliance problem.

A compliance problem does emerge from the use of web analytics statistics, though. One example is advertising. Most websites that accept advertising have a rate card; the rate card reflects advertising rates based on website traffic. Additionally, web analytics statistics represent online circulation, as mentioned above. Since circulation numbers for publishing companies are auditable, there is another compliance concern. Through these problems, Sarbanes-Oxley becomes an issue for web analytics systems.

"On demand" web analytics systems are becoming increasingly popular. Accessed over the web by employees, these systems are hosted by the software vendor. Companies who engage the web analytics services of an on demand vendor can change the number of websites monitored and seat licenses based on the specific needs of their respective businesses. To track pages, the webmasters (or other appointed technology team members) put a few lines of code on their web pages, and users view statistics through a website provided by the service provider.

The use of an on demand web analytics solution enables your company to transfer a large portion of your compliance burden. As discussed earlier, business process controls constitute only approximately 15% of the complete technology controls development effort. The remaining 85% results from technology needs, such as securing the data server, network configuration, and database restrictions. Since your burden only involves business process (and due diligence during vendor selection), you have reduced the burden by 80% when using an on demand model.

Compliance Cost Breakdown for Web Analytics [1]
  • Environment: 80 resource-hours
  • Database server: 55 resource-hours
  • Application server: 10 resource-hours
  • Web server: 20 resource-hours
  • Network: 55 resource-hours
  • Business processes: 30 resource-hours
  • Total: 250 resource-hours
At a cost per resource per hour of $100 for information technology resources (including all compensation and employee-related overhead), the total cost of controlling an in-house web analytics solution is $25,000, generally 50% of the cost [2] of the software itself! Using the "on demand" model, the cost of compliance declines by approximately 80%, to $5,000. The $5,000 cost reflects the cost of developing compliant business processes and conducting vendor due diligence. Your $20,000 represents only the savings from compliance. There are other IT and operational benefits to using software on demand as well.

Clearly, software on demand accelerates the software compliance process while reducing compliance costs. By reducing resource needs for implementation, as well as the number of "moving parts" (infrastructure, software developers, network engineers, and database administrators), the on demand model also serves as a risk mitigation step. Internal resources can focus on their core jobs to reduce risk from internal systems, and a new potential source of risk is outsourced. Monitoring is easier as well, reducing ongoing compliance costs.

Conclusion
The risk of fraud in your technology environment is quite pronounced. In fact, it can be easier to commit IT fraud than to commit fraud in most other business units in your company. As a result of the ease with which fraud can be committed, the cost of compliance is extremely high. Small caps do have a way to overcome this problem, though. The use of software on demand allows companies to shift the burden of compliance while reducing overall IT costs as part of the process. Software on demand is already a highly appropriate model for small companies that would rather invest in growth than information technology. Taking this approach to technology can also ease the Section 404 compliance burden.

Software on demand reduces the compliance burden on your staff by over 80%, allowing you to shift the burden of compliance to your software vendors. All "technology" controls become the responsibility of the service provider; your company retains ownership of business process controls development vis-à-vis the software being implemented. For the cost of some due diligence and business process controls development, software on demand yields significant compliance savings while meeting the specific needs of small publicly traded companies.

As your company engages software on demand vendors, there is specific action that you can take immediately. Any company can find a vendor and back into business and compliance models. To take advantage of the operational and compliance efficiencies of software on demand, your company must be prepared. To prepare for Sarbanes-Oxley compliance vis-à-vis software on demand, your company can:
  • Develop or engage somebody to develop a selection methodology; this will give you a roadmap for selecting SOX-compliant vendors
  • Build a SOX checklist for rapid analysis of vendors' solutions
  • Develop a punchlist of documents that you normally need from vendors
  • Make somebody in your IT department the "software on demand" expert
By cultivating Sarbanes-Oxley and software on demand expertise in your company, your company will be equipped to make informed, rapid decisions that will grow your business and facilitate compliance. Software on demand makes Sarbanes-Oxley compliance much easier for small companies, as long as you prepare properly.

[1] All resource requirements were ascertained by the author during the implementation of a web analytics solution for an online publisher.
[2] This cost is based on a web analytics solution handling 30 million page views per month.


