[ISN] SOX Compliance Is Worth the Effort
InfoSec News
isn at c4i.org
Tue Jan 31 01:44:06 EST 2006
http://www.ecommercetimes.com/story/bNW52zISyRlBmd/SOX-Compliance-Is-Worth-the-Effort.xhtml
By Joe Malec
E-Commerce Times
01/30/06
When the Sarbanes-Oxley Act (SOX) was originally passed in 2002, many
companies were less than enthusiastic about it. Concerns about the
additional accountability and the internal changes that would need to
take place weighed heavily on the minds of many company executives.
These concerns turned out to be well founded. Some companies struggled
to make the deadlines, and others missed them completely. Reasons
included the high cost and enormous effort involved. In some cases,
department directives were even changed to focus on meeting
compliance.
For example, an information security survey released by Ernst & Young
in November found that over the 12 months prior, the main driving
force for information security in 61 percent of firms surveyed was
compliance rather than worms and viruses. However, as we approach year
three, some companies have started to warm up to SOX as they begin to
realize the advantages of implementing the required controls in their
environment.
Changes in Attitude
The change in attitude toward SOX compliance has come as evidence of
several benefits has surfaced. The typical IT department, in
particular, has been greatly affected by the new regulations.
Specifically, Section 404 requires affected companies to establish and
maintain adequate internal controls over financial reporting, and to
assess those controls annually. The goal is to improve data integrity
and reduce the chance of issuing incorrect or fraudulent financial
reports. As a result, protection of the financial data has fallen
primarily into the hands of IT staff.
Gartner Group recently reported that IT budgets in most major firms
are expected to see an increase of between 10 and 15 percent this
year. This is up from a 5 percent expected increase a year ago. Much
of the spending is likely to be focused on streamlining the effort
involved in compliance: system controls, auditing, process flow
monitoring and automation, all of which have become prominent in
meeting compliance.
A survey by CFO Research Services, Versa Systems and
PricewaterhouseCoopers released in August found that automating the
compliance and control environment was a priority for 76 percent of
companies.
With the influx of dollars expected for their departments, IT managers
can also use the opportunity to justify other projects that can
potentially tie into compliance as well, such as e-mail archiving and
storage management.
Improving Operations
The net effect of investing in compliance on the bottom line cannot be
ignored either. Upgrading reporting systems can improve testing, risk
management and operational performance, as well as allow for better
financial oversight in the environment. These improvements can lead to
better forecasting and more efficient data retrieval by consolidating
data from different sources for reporting purposes.
One illustration of these benefits is that almost half of the
respondents in the CFO Research Services survey indicated that SOX
efforts are helping them manage corporate risk more effectively.
Analyzing current processes and seeing what can be automated or
eliminated altogether will help to reduce waste and allow a company to
run more efficiently and save money. This could help an organization
to be more competitive as well.
However, this is nothing new. Some financial companies reported
discovering newfound efficiencies that led to significant cost
reductions in the course of Basel II compliance as well.
SOX compliance has also helped make ethics training more common within
the corporate environment. According to a 2005 survey by the Ethics
Resource Center, 69 percent of employees reported that ethics training
in their organizations was up, as compared to 14 percent who said so
in the same survey conducted in 2003.
Some companies have even hired ethics officers to help monitor and
advise on good business practices, educate employees on ethical
matters, and develop and implement a code of ethics for the company.
This is important because employees and stockholders need to see that
top management is sincere about developing and supporting an ethical
culture within the organization. With fraud and abuse costing U.S.
companies over US$600 billion annually, this is as important as ever.
Bridging Gaps
Improving data integrity and corporate responsibility can lead to
other positive results, including new partnerships within the
organization. Finance and IT departments historically have had little
to do with each other. Since IT plays an important role in securing
financial information, representatives from both areas have been able
to work together on compliance and build relationships with the audit
and legal departments. Part of this is due to necessity.
For controls to be effectively developed, documented and implemented,
the different departments involved need to have a thorough
understanding of the company's financial reporting structure. This
education can help lead to better collaboration on future projects and
initiatives.
Granted, the cost of implementing these regulations will run into the
billions of dollars. Some companies may feel that they are being
punished for the sins of a few bad apples, but the affected companies
will have stronger controls in place as a result of the effort.
Furthermore, whether it's reexamining a department whose importance in
the organization has been previously overlooked or streamlining
business processes and improving stockholder confidence, the rewards
for meeting SOX compliance will continue to materialize as time goes
on.
-=-
Joe Malec is a security analyst for Enterprise Rent-A-Car,
specializing in compliance and application security. He is the
president of the St. Louis chapter of the Information Systems Audit
and Control Association and serves on the ISSA International Ethics
Committee.