What is the single most challenging Sarbanes-Oxley issue today?

Kate Mitchell

Sarbanes-Oxley requires a companys CEO and CFO to sign off on the veracity of the companys financial reports. Since it is not practical for the CEO and CFO to personally create the reports, their ability to vouch for the results is instead derived from the confidence they have in the automated processes used in their creation. From this perspective, manual processes that entail re-keying data and spreadsheet manipulation are fraught with risk from unintentional errors, and leave opportunities for the intentional manipulation of the results.

As a consequence, a high level of automation in business reporting has a very strong appeal since replacing manual business reporting processes with automated ones takes a lot of uncertainty and labor out of the equation. If the system and processes are deemed secure and reliable, then it is the chief executive who can attest to the integrity of these reports with a much greater degree of confidence.

However, automated business processes alone do not miraculously result in reliable, confidence-inspiring financial reports. For this to be achieved, the business processes themselves must be audited, periodically re-inspected, and provide a means to quickly investigate and confirm specific results. This means capturing and retaining not only the most detailed data underlying the reports, but also data from each intermediate process step through the business processes to ensure the integrity of the data and resulting conclusions.

This automation results in a very, very large amount (terabytes' worth) of business event data. Most of this data, upon which compliance absolutely depends, will never be accessed, yet must be stored for a very long time and must remain completely available at a moment's notice during an audit. In many ways, this automation is akin to the Sorcerer's Apprentice in Disney's Fantasia: the brooms the Apprentice animated in order to perform his cleaning chores went about their task with juggernaut-like indifference until, eventually, they were beyond control.

The daunting challenge is that many corporations are woefully unprepared from a technology perspective to store and retain business event data. (In fact, recent research from Forrester indicates that up to 90% of large enterprises have no data retention strategies beyond simple database backups.)

As a consequence, many companies will have to resort to brute force to meet their Sarbanes-Oxley data retention needs, taking the form of an increasingly large pile of cash to pay for storing large volumes of data within their production information systems. Even with the sensitivities around the high cost of compliance, companies will find themselves spending millions of extra dollars on the retention and occasional access to Sarbanes-Oxley data.

The truth is that corporations have been consulting the same information technology spell book for the past two decades. For example, businesses have been trained that expensive server hardware and relational database management systems (RDBMS) are the only solution for any data management task.

The RDBMS has a well-deserved reputation as the engine behind data-driven business, allowing multiple users to access and change vast amounts of corporate information that is always in flux. Handling this ever-changing (or so-called dynamic) data is where the RDBMS becomes important to companies.

However, using an RDBMS as the sole technology for managing Sarbanes-Oxley data applies too many features to the compliance task, since the main point of compliance data is that it doesn't change: it's static, as opposed to dynamic. It's like the Apprentice conjuring his army of cleaning implements, only to dust the bookshelf or the coffee table.

Not only do RDBMS licensing costs climb quickly to seven figures depending on how much data it is managing, but the hardware requirements alone can easily add more than a million dollars. While it might be easy for very large-cap companies to simply spend their way out of this problem, it's pretty difficult to rationalize not saving that amount of money.

Part of the answer lies in the emerging concept of Information Lifecycle Management (ILM). In the simplest terms, ILM looks at the nature of data and how that data is managed and stored from the time of its creation to that of its obsolescence and ultimate deletion. In typical ILM practice, data is considered less valuable the older it gets. This often means that, when the data reaches a certain age, it is shuffled off of the expensive hardware and RDBMS and into a cheaper mass storage medium, like an automated tape library.

ILM is a great way to manage the infrastructure costs of compliance, but even this creates a problem for CIOs and CFOs. In the case of Sarbanes-Oxley, the compliance data doesn't lose value over time, and time is the first-order variable that drives ILM. Tape libraries sacrifice accessibility for low cost, certainly, but an audit means that vast amounts of information must be searched and analyzed quickly on demand.

So, any solution targeted at managing this large amount of business event information and maintaining its accessibility must address the following criteria:

• Large stored data volume: Are the compliance records reaching thousands or even millions of gigabytes per year?

• Quick availability: Does the data, even years old, exist somewhere that doesn't require hours or days to retrieve?

• Fast query response: If the compliance officer runs a search on the data after it is retrieved, do the results come up within minutes? Seconds?

Typically, tackling any two of these issues is a relatively affordable undertaking. However, addressing all three could result in spiraling software and hardware costs, to say nothing of the staff required to manage it all. In a compliance database of 16 terabytes, this could cost $1.4 million in hardware alone.

The answer lies in any technology or method that meets all three of these criteria and can do so within the seven-figure cost range. The RDBMS will never be fully replaced, nor should it. ILM, which is offered as a possible answer to maximizing compliance infrastructure investments in RDBMSes and other technologies, is not without its problems as it is currently envisioned, especially with regard to Sarbanes-Oxley.

Companies need to address their automated business event data separately and strategically if they are ever to surmount the financial and operational burdens of Sarbanes-Oxley. Adapting ILM principles to regulatory realities is an important, critical step.


