What is the single most challenging Sarbanes-Oxley issue today?
The unwritten requirement that IT and the CEO/CFO work together in unprecedented ways, with little guidance and much confusion about where their responsibilities overlap. The lack of specifics in the law makes it hard to coordinate a consolidated, consistent compliance strategy.
The most challenging aspect of implementing Sarbanes-Oxley today is also the process change that will ultimately prove most rewarding in delivering real transparency to shareholders. Sarbanes-Oxley requires IT (whether led by a CIO or someone with another title) and the CEO/CFO to work together in unprecedented ways. Traditionally it has not been clear how these two groups should cooperate or where their responsibilities truly overlap. Sarbanes-Oxley is broad in scope and threatening in its penalties, but vague in the guidance it gives on exactly how companies should comply. The Act does not regulate technology as such, yet IT is the backbone of many of the financial processes it does regulate. The law never mentions the CIO by name, but CIOs must understand and shape the requirements if they are to reduce the cost and day-to-day effort of achieving compliance.
So the question becomes: how can this marriage of convenience be made more harmonious? Technology is certainly a bridge and a helpful tool, but not a complete solution. It helps an organization document to regulators that it is no Enron, yet the human factor in deliberately setting out to commit fraud can never be discounted; even the most tightly controlled business processes have been subverted by insiders determined to do so. What Sarbanes-Oxley changes is that the CIO must now manage and control access to critical IT systems far more rigorously. The key is a layered control model: segregate access to the systems that create or manage financial information from access to everything else; grant each user only the access that their job function requires; reserve direct access to the underlying databases for systems administrators, so that everyone else goes through the application and its controls; and record, in an audit trail, who accessed what data and when. Beyond the security controls that alert IT staff when a policy is violated, the IT group also needs an overall reporting and management system that gives key users a bird's-eye view of the environment, including the servers hosting critical processes and applications. With that in place, IT can document that it is following recognized practices to assure business continuity and to reduce the downtime caused by outages and security incidents.
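The access-segregation and audit pattern described above, as an added example that is not code from the article or from SilverBack: a hypothetical role policy (the role names, system names and actions are assumptions, as are the audit records, which are constructed here) is evaluated over each audit event. It flags a clerk who tries to approve an invoice her role only lets her enter (a separation-of-duties violation), and an analyst who reads the ledger database directly instead of through the application tier, while keeping a log of every touch on a financial system so the "who, what, when" question can be answered later.

```python
"""Least-privilege check with audit trail over constructed audit events.

Added illustration, not the article's own code. Assumptions: a role table
mapping job functions to the systems and actions they may use; audit records
of the form (timestamp, user, role, system, action); and a rule that only the
'dba' role may touch the underlying ledger database directly.
"""
from collections import namedtuple

AuditEvent = namedtuple("AuditEvent", "ts user role system action")

# Hypothetical role policy: role -> {system: set of permitted actions}.
POLICY = {
    "ap_clerk":   {"ap_app": {"read", "enter_invoice"}},
    "controller": {"ap_app": {"read", "approve"},
                   "gl_app": {"read", "post_journal"}},
    "dba":        {"ledger_db": {"read", "schema_change", "backup"}},
    "analyst":    {"gl_app": {"read"}},
}

# Systems that create or manage financial data: every access to them is logged.
FINANCIAL_SYSTEMS = {"ap_app", "gl_app", "ledger_db"}
DATABASE_TIER = {"ledger_db"}


def evaluate(event):
    """Return None if the event is permitted, else a string naming the violation."""
    allowed = POLICY.get(event.role)
    if allowed is None:
        return f"unknown role {event.role!r}"
    # Database tier is reserved for administrators; everyone else uses the app.
    if event.system in DATABASE_TIER and event.role != "dba":
        return "direct database access by non-DBA role"
    actions = allowed.get(event.system)
    if actions is None:
        return f"role {event.role!r} has no access to {event.system!r}"
    if event.action not in actions:
        return f"action {event.action!r} not permitted for role {event.role!r}"
    return None


def audit(events):
    """Walk audit records; return (violations, financial_access_log).

    violations: list of (ts, user, reason) for events that breach the policy.
    financial_access_log: one (ts, user, system, action, decision) row per
    touch on a financial system, whether allowed or denied.
    """
    violations = []
    fin_log = []
    for e in events:
        reason = evaluate(e)
        if e.system in FINANCIAL_SYSTEMS:
            fin_log.append((e.ts, e.user, e.system, e.action,
                            "DENY" if reason else "ALLOW"))
        if reason:
            violations.append((e.ts, e.user, reason))
    return violations, fin_log


# Constructed sample records (not real data) for the demonstration.
SAMPLE_EVENTS = [
    AuditEvent("2004-03-31T17:02", "jsmith", "ap_clerk", "ap_app", "enter_invoice"),
    AuditEvent("2004-03-31T17:05", "jsmith", "ap_clerk", "ap_app", "approve"),  # clerk approving
    AuditEvent("2004-03-31T17:10", "mlee", "analyst", "ledger_db", "read"),     # bypasses app tier
    AuditEvent("2004-03-31T17:20", "rpatel", "dba", "ledger_db", "schema_change"),
    AuditEvent("2004-03-31T17:25", "kwong", "controller", "gl_app", "post_journal"),
]

if __name__ == "__main__":
    found, log = audit(SAMPLE_EVENTS)
    for row in log:
        print(*row)
    for row in found:
        print("VIOLATION", *row)
```

The two violations above are exactly the cases the paragraph warns about: the same person entering and approving a transaction, and a user reaching the database without going through the application's controls. In a real deployment the policy table would come from the HR or identity system rather than a literal in the script, and the violation list would feed the alerting described in the text.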
Under Sarbanes-Oxley, it is no longer excusable to point to technology as a scapegoat for inaccurate data. Section 404 of the Act, for example, requires management to assess, and the external auditor to attest to, the effectiveness of the company's internal control over financial reporting; in practice that means the control structures and processes behind the numbers must be documented, followed and regularly tested. Corporations must not only report accurate financial data but also be able to show clearly how those numbers were compiled. The trail can run through accounting software and email correspondence as well as transactions recorded in enterprise resource planning, supply chain and customer relationship management systems. CIOs now need to guard against tampering or lapses that could introduce errors in any of these applications.
Under Section 302, the CEO and CFO must personally certify that each periodic report is accurate, and the certification does not care how an error got there: a typo on an order entry screen or a server outage that corrupted the data leaves them just as exposed as information willfully submitted as accurate when it is not. The reliability and continuous operation of servers, their applications and their databases are therefore imperative. IT must be able to assure the C-level suite of 24x7 access to critical financial data from systems that do not fail. Deploying more hardware is one answer; throwing people at the problem is another. Because the products and labor needed to deliver on such an ambitious goal are costly, CIOs should put a premium on automated tools and performance management solutions that are more cost-effective. They should look for tools that free existing staff from the "plumbing" by alerting and notifying automatically on thresholds tuned to the organization's own patterns. Tools that combine security and network management are especially valuable in helping CIOs and their staff distinguish legitimate, often cyclical, increases in activity (a month-end close, for instance) from security intrusions. Some of the questions that open the dialogue between IT and the CEO:
• What is my current level of business availability on a day-to-day basis, and at month-end? What levels are needed under Sarbanes-Oxley? (A starting point is needed to manage and predict anticipated capacity requirements)
• What type of access and security controls do I currently have in place?
• Do I know in real-time if a security breach occurs?
• What aspects of IT and security management can I automate?
• Can I afford to re-allocate staff in Finance and IT to do "extra work"?
• Can we implement the required changes fast enough?
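The threshold tuning mentioned above (alerting on thresholds that fit the organization, and telling a routine month-end surge from an intrusion) as an added example that is not from the article or from SilverBack: a baseline is computed separately for ordinary days and for the last few days of each month, so each new observation is compared against the right norm. The metric, the two-month history, the three-day month-end window and the mean-plus-three-sigma rule are all assumptions; the daily counts are constructed, not measured.

```python
"""Per-period (cyclical) baseline thresholds over constructed daily counts.

Added illustration, not the article's own code. Assumptions: a daily count of
some activity metric (transactions, logins, requests); days classified as
'normal' or 'month_end' (last three calendar days of the month); threshold per
class = mean + k * population stdev with k = 3.
"""
from datetime import date, timedelta
from statistics import mean, pstdev

MONTH_END_DAYS = 3   # assumed width of the month-end close window
K = 3.0              # assumed sigma multiplier for the alert threshold


def period_class(day, month_end_days=MONTH_END_DAYS):
    """'month_end' for the last `month_end_days` days of the month, else 'normal'."""
    first_of_next = (day.replace(day=28) + timedelta(days=4)).replace(day=1)
    last_of_month = first_of_next - timedelta(days=1)
    return "month_end" if (last_of_month - day).days < month_end_days else "normal"


def build_baseline(history, k=K):
    """history: list of (date, count). Returns {class: (mean, stdev, threshold)}."""
    buckets = {}
    for day, count in history:
        buckets.setdefault(period_class(day), []).append(count)
    baseline = {}
    for cls, counts in buckets.items():
        mu, sigma = mean(counts), pstdev(counts)
        baseline[cls] = (mu, sigma, mu + k * sigma)
    return baseline


def flat_threshold(history, k=K):
    """Naive single threshold over all days, ignoring the cycle (for comparison)."""
    counts = [c for _, c in history]
    return mean(counts) + k * pstdev(counts)


def flag(baseline, day, count):
    """Return (class, threshold, alert) for one new observation."""
    cls = period_class(day)
    threshold = baseline[cls][2]
    return cls, threshold, count > threshold


def history_for_demo():
    """Constructed history: ~1000/day normally, ~3000/day at month end,
    with deterministic +/-50 jitter so the run is reproducible."""
    hist = []
    day = date(2004, 1, 1)
    while day <= date(2004, 2, 29):
        base = 3000 if period_class(day) == "month_end" else 1000
        jitter = (day.day * 37) % 100 - 50
        hist.append((day, base + jitter))
        day += timedelta(days=1)
    return hist


def demo():
    """The three checks a practitioner would want to see, returned as a dict."""
    hist = history_for_demo()
    base = build_baseline(hist)
    return {
        "baseline": base,
        # Routine month-end surge: must NOT alert.
        "routine_month_end": flag(base, date(2004, 3, 30), 3050),
        # Same volume on an ordinary day: must alert.
        "spike_on_normal_day": flag(base, date(2004, 3, 15), 3050),
        # Far beyond even the month-end norm: must alert.
        "abnormal_month_end": flag(base, date(2004, 3, 31), 9000),
        # A single flat threshold would have fired on the routine month end.
        "flat_threshold_fires_on_month_end": 3050 > flat_threshold(hist),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The comparison in the last entry is the point of the exercise: a single threshold fitted across the whole history sits below the normal month-end level, so it pages the on-call engineer every close and trains staff to ignore it, whereas the per-class baseline stays quiet on the expected surge and still fires on a surge that has no business reason.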
Many IT managers are embracing Sarbanes-Oxley as the opportunity to finally mandate running IT as a business. Integrating IT into the highest levels of the company not only provides strategic advantage but significantly reduces the cost of day-to-day compliance. Used correctly, information systems can bridge the gap between technology and business: they can detect and track down discrepancies, emerging service issues and even the specific people responsible, before penalties are incurred that could destroy the company's credibility, its reputation and ultimately shareholder value.
Dan Phillips is Chairman and Chief Executive Officer of SilverBack Technologies. He has been instrumental in shaping and executing on SilverBack's compliance offerings especially with respect to Sarbanes-Oxley. With the assistance of his executive team, Phillips has helped many organizations reduce the costs of achieving corporate compliance with other emerging regulations such as HIPAA and GLBA, while minimizing the effect on operations and overall infrastructure management.
Phillips comes to SilverBack after six productive years at Concord Communications, most recently in the roles of executive vice president and chief operating officer. He started at Concord as vice president of worldwide sales and eventually assumed management of the technical services division. During Phillips' tenure at Concord, the company's revenues rose from $3.5 million to almost $100 million, and the employee base increased tenfold.
Prior to Concord, Phillips held various international, domestic, and OEM sales-management positions -- including vice president of worldwide sales and technical services at Epoch Systems, a network-storage-management software company. Phillips also worked at Applix, a Unix-based office-automation software designer, where he developed both domestic and international sales operations and strategies. He also gathered sales expertise earlier in his career at NCR, Raytheon Data Systems, and Exxon Office Systems.
Phillips holds a B.A. degree in political science from Roger Williams College.