
What is the single most challenging Sarbanes-Oxley issue today?

Patrick Harr

The most challenging thing about SOX compliance is the ability of an organization to align legal liabilities and IT security initiatives together with key business goals. Without this alliance, achieving SOX compliance can be a difficult and frustrating process, not to mention an expensive one.

To be SOX compliant is ultimately a challenging business decision based upon the following factors: the cost of becoming compliant, the level of compliance targeted, and the risks of non-compliance. IT security is there to provide the baseline of current compliance as well as the likely costs of remediation efforts. How quickly, and to what degree of success, an organization achieves SOX compliance is the result of how much process and planning the organization puts into aligning its people and resources against legal liabilities and business goals.

Contrary to popular opinion, there is no silver bullet solution to meet SOX compliance. It's analogous to exercise. It's not easy, but if you work at it on a regular basis, it will be successful. To be compliant with SOX requires time, technology, processes, people, and most importantly, money. No matter which combination of the previous group you choose, it will take money to be compliant with SOX. Industry figures indicate it costs as much as $1 million for large corporations. Unfortunately, too much time and money are wasted due to the lack of processes and technology. Instead of automating the manual tasks of data aggregation and correlation, people toil for hours to produce the same results, often with a considerable amount of error that can lead to inaccurate conclusions. If companies spent a little money up front to automate some of the repetitive, manual tasks, it would save a lot of money over time and would create a repeatable process for demonstrating compliance moving forward.

Companies may indicate they are SOX compliant because they had a dozen external auditors work for a week to verify all systems are protected, but as soon as those auditors leave the building those systems can be vulnerable due to any one of a hundred different causes. Manual audits by internal or external auditors using spot assessments may help with regulatory compliance, but repeated and cost-effective auditing against policies on a regular basis can't be done successfully with today's manual approach. In addition, manual reporting is difficult, time-consuming, prone to error, and expensive, just ask any CFO. The results of manual reports, even by the same company, are usually inconsistent and out of date within a week of completion. Your network, computing systems, applications, and databases change daily, hourly, and some even by the minute. Building a process that continuously measures your financial systems for compliance with just Sarbanes-Oxley Section 404 is critical. Section 404 primarily mandates that management of public companies verify that established and maintained internal controls, monitoring, and reporting capabilities exist for all financial reporting systems.

The secret to finding an appropriate compliance solution is based on the following factors: 1) identifying the current point products that are gathering data from your systems, 2) understanding the security policies that are already in place, and 3) locating a solution that would allow you to best capitalize on your existing investments to meet your organization's specific SOX compliance requirements. Many Fortune 500 and Global 1000 companies have implemented systems that do all of the above and more. These systems frequently pay for themselves by avoiding just one or two of the $100,000 pre-audits that many companies hire external auditors for every quarter.

As the Chief Executive Officer, Patrick ensures Preventsys remains the leader in proactive risk management. Previously, Patrick held several key executive roles with successful start-ups and Global 1000 companies in the enterprise security software and storage networking spaces. His success realigning product strategy with customer requirements and market demand has enabled him to drive revenue and establish innovative products as number one in their respective markets.

Before joining Preventsys, Patrick served as an Entrepreneur-In-Residence at Enterprise Partners, the largest venture capital firm in Southern California. Prior to Enterprise, Patrick led McDATA's $300+M SAN director and switching business while serving as Vice President of Core Enterprise Products. He joined McDATA from Sanera Systems, where he drove the company's marketing and business development efforts. Harr has held executive-level positions at CacheFlow (now BlueCoat Systems), running worldwide marketing, and Novell, directing the company's Internet caching and network security products.


© 2019 Simplex Knowledge Company. All Rights Reserved.