• 27Feb

    SOX Compliance Dos and Don’ts for CIOs
    February 26, 2008 12:00 PM

    It is important to remember that any compliance effort requires the cooperation of people, and people are imperfect.

    By: Andrew Gelina

    The issues of controlling processes, securing financial data, auditing, and managing document lifecycle, retention, and destruction have become top priorities for CIOs striving for Sarbanes-Oxley compliance. With most offices heavily relying on electronic documents and data, it is essential for companies to have a strategy for managing compliance as it relates to Section 404 of the Act. Here are some simple, but often overlooked, dos and don’ts for CIOs who are faced with the challenge:
     
    DO
    Start with good governance within the IT department
    Start with the IT department and look at what controls exist and which ones should exist. Implement governance in your own back yard first, pretending you are a separate “company within the company.” Note the challenges you face, like system and process adoption, people’s resistance to change, and technical hurdles. Dealing with these issues diplomatically and with deliberate strategy will help when you have to manage by influence in other areas of the company that don’t report to you.

    Tackle financials next
    Begin your next step by providing auditing and controls on financial systems. Get the CFO and his reports on board, and let them know in advance that a SOX-compliant protocol for processes and procedures is coming and won’t disrupt their ability to conduct business, but rather help to improve systems. Progress outward to the (often ad-hoc) systems that feed the financial systems, such as spreadsheets and reports, and leverage tools like Microsoft SharePoint Server, which can automate the controls over access to these documents, version control, workflow, document lifecycle, and archiving.

    Build consensus
    To ensure system adoption and use, work across departments to collaboratively define the goals and rules of the compliance process, as well as the processes and procedures to be followed. If people don’t have a say in the creation of the rules, they are less likely to follow them. Taking a “top-down, bottom-up” approach will help get people on board. If you skip either the management or rank-and-file people in a department, you risk being subverted. All should be made aware of the ramifications for not adhering to the new protocols.

    Fight fire with fire
    Leverage technology to help solve the compliance issue. Technology created the problem of managing electronic documents, and many good tools exist (some you may already own) to help manage compliance.  SharePoint is one such tool well-suited to the tasks of document management mentioned above, and to many other collaborative business tasks. By specifying security settings, storage policies, auditing policies, and expiration actions for business records in accordance with compliance regulations, you can help ensure your sensitive business information can be controlled and managed effectively.  Leveraging the right technologies can reduce litigation risk for your organization. Tight integration of Office SharePoint Server 2007 with common desktop applications means that policy settings are rendered onto client applications in the Microsoft Office system, making it simpler for employees to be aware of and comply with regulatory requirements.

    Surface the data
    Make sure your solution provides dashboards for accounting and operational data.  It should be easy to monitor ratios, keep an eye on actual versus forecast data, and flag any out-of-control metrics early.  If people don’t feel like they can have a handle on the process on a day-to-day basis, and see and feel how things are changing, they probably don’t have control. A well-developed dashboard that allows someone to easily see in red and green arrows how various metrics are holding up at the company makes things easier to manage. It also helps people visualize large, complex amounts of data in an easy way.  Our brains like to make complex things simple in order to deal with them, and this process helps immensely.

    Show me the proof
    Make sure your solution is auditable. If you can’t report on it, prove it, and guarantee your data integrity – in real time or historically – your compliance effort effectively did not happen. Periodically pretend you are an auditor and look at your compliance initiative. Try to poke holes in it. If you don’t feel objective enough to do this, do a trial audit with a consultant before you conduct a real audit. Have department heads do the same after ensuring the Finance department has shared the aspects of their business that are subject to the most compliance scrutiny.

    Keep it simple
    Define workflows that help enforce rules, but stick to what you need. Avoid over-engineering.  When using extensible tools, there is a temptation to extend them quite a bit. Couple this with some relatively complex workflow and you can end up engineering a Cadillac when you need an Aveo (and some slight changes to your process). You may decide that automating 90% of the process, as well as changing the process just a bit, is easier than building 100% of the current process.

    Re-use
    Leverage your existing authentication systems (Active Directory, LDAP, etc.) for your compliance system. You are going to need to prove that only authenticated people accessed the system, so don’t write another separate authentication system (and force people to manage another password). It has become MUCH easier to integrate Active Directory into applications to achieve Single Sign On, so don’t re-invent the wheel. This applies to both web-based and Windows client systems. 

    Find someone who’s done it before
    Engage experts to help with your project; that is, people with experience in Sarbanes-Oxley compliance, and people with experience in the technologies you will use to comply. Leverage their experience and perspective derived from working with several different compliance implementations. It’s hard to get it all right on your own the first time out. Outside perspective, coupled with the lessons learned (from both successes and mistakes in prior implementations), makes consultants valuable in this process.

    Get organized
    SOX is not a one-time problem like Y2K, so it makes sense to organize your reporting, controls and monitoring into a regular business-as-usual activity. Using a compliance calendar, schedule your monitoring and reporting activities. That way, when the year rolls around, you have the evidence you need to report to the board.

    DON’T
    Drop a bomb
    Do not try to roll a big, comprehensive solution out to everyone at once. Plan to iterate; pick a small group of users and prototype the tools and processes.  Learn from your first implementation, improve, and roll out to a wider audience. Repeat this process, learning from the previous implementation. Each successive department rollout will go more smoothly, and you carry less risk per implementation. Rolling out to everyone at once may at first look less expensive, but will often take longer and cost more to get everyone up and running.

    Automate before analyzing
    Do not automate every current manual process without rethinking it first. Virtually any paper process can be replicated in digital form, but consider ways to streamline and install automated controls in the process as part of the exercise. Delivering a compliance implementation is a good thing that allows the company to avoid problems, but if you can save money at the same time everyone is happier and the savings go right to the bottom line. Finding enough opportunities for optimization helps offset the cost of the compliance implementation!

    Forget about document images
    Don’t forget about faxes, signed copies of documents, and digital signatures, which are all first-rate factors too. You’ll at least have to capture/manage signature pages, which may be managed through a scan-to-PDF or fax-to-email gateway. You may have every revision of the Word doc for drafting a contract, but the executed version is what counts. Store them in the same repository.  Consider embedding watermarking or version IDs in the headers/footers of documents to tie signed images back to electronic draft originals. Seeing that the last checked-in version of the contract was 1.15, and the signed version has “Version 1.15” in its header, will help speed up your audits.
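    The tie-back described above can be checked mechanically rather than by eye. The following is an added example, not code from the article or from any product it mentions: it assumes a repository export listing each contract’s checked-in revisions (constructed sample data here) and the header text pulled from each scanned, signed copy, and it reconciles the two, flagging the cases an auditor would want to see: no version marker on the signed copy, a version that was never checked in, and a signed version that is older than the last draft (drafting continued after signature).

```python
import re

# Constructed sample data (not from the article): every checked-in revision
# of each contract in the draft repository, oldest first.
REPOSITORY_HISTORY = {
    "contract-0042": ["1.0", "1.1", "1.2", "1.14", "1.15"],
    "contract-0077": ["1.0", "1.1", "1.2"],
    "contract-0099": ["2.0"],
}

# Constructed sample data: header text as recovered (e.g. by OCR) from the
# scanned, signed copies stored in the same repository.
SIGNED_HEADERS = {
    "contract-0042": "Master Services Agreement  Version 1.15  Confidential",
    "contract-0077": "Master Services Agreement  Version 1.1  Confidential",
    "contract-0099": "Master Services Agreement  Confidential",
    "contract-0123": "Reseller Agreement  Version 3.2",
}

# Matches the "Version 1.15" marker embedded in the header/footer. Requires
# at least one dotted component, so a bare "Version 2" is treated as absent.
VERSION_MARKER = re.compile(r"\bVersion\s+(\d+(?:\.\d+)+)\b")


def extract_version(header_text):
    """Return the version string found in the header, or None if absent."""
    match = VERSION_MARKER.search(header_text)
    return match.group(1) if match else None


def version_key(version):
    """Compare versions numerically so that 1.15 sorts after 1.9."""
    return tuple(int(part) for part in version.split("."))


def reconcile(doc_id, header_text, history=REPOSITORY_HISTORY):
    """Tie one signed image back to the draft history.

    Returns (status, detail) where status is one of OK, NO_MARKER,
    NO_DRAFT_HISTORY, UNKNOWN_VERSION or SUPERSEDED.
    """
    signed_version = extract_version(header_text)
    if signed_version is None:
        return ("NO_MARKER", "signed copy carries no version marker; manual match required")
    revisions = history.get(doc_id)
    if not revisions:
        return ("NO_DRAFT_HISTORY", f"no checked-in drafts found for {doc_id}")
    if signed_version not in revisions:
        return ("UNKNOWN_VERSION", f"signed version {signed_version} was never checked in")
    latest = max(revisions, key=version_key)
    if version_key(signed_version) < version_key(latest):
        return ("SUPERSEDED", f"signed {signed_version} but drafting continued to {latest}")
    return ("OK", f"signed copy matches latest draft {latest}")


def reconcile_all(headers=SIGNED_HEADERS, history=REPOSITORY_HISTORY):
    """Status per document, suitable for an audit exception report."""
    return {doc_id: reconcile(doc_id, text, history)[0] for doc_id, text in headers.items()}


if __name__ == "__main__":
    for doc_id, text in SIGNED_HEADERS.items():
        status, detail = reconcile(doc_id, text)
        print(f"{doc_id}: {status} - {detail}")
```

    Only the OK rows need no further attention; every other status is an exception an auditor will ask about, so running this over the whole repository before the audit turns the visual "1.15 matches 1.15" check into a report you can hand over.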

    Shoehorn
    Don’t force the fit. Find the right tool for the job - one that manages document versioning, retention, legal holds, and compliance with auditing/reporting.  Don’t try to adapt a tool or set of tools that are not meant for it.  Many times, CIOs will spend tens of thousands in human labor to try to get something done with cheap tools, instead of spending a little on the right tools. You don’t see contractors building houses with tools from the Dollar Store. Professionals realize that good tools save them time, are safer, and achieve the same outcome for compliance efforts.

    Rely on disaster recovery
    Don’t rely on your disaster recovery data backup strategy (tape, etc.) for compliance. While you may run backups and need to follow procedures during backups as part of your compliance strategy, you cannot say that implementing disaster recovery covers your compliance needs too. Don’t count on DR for archival purposes, or for “freezing” or “snapshotting” data for compliance efforts. Use a separate store for these. On the flip side, if you have a disaster and have to cut over to your backup site, you need to follow your compliance procedures there as well. You don’t get to skip compliance because you are in DR mode.

    Rush to completion
    Don’t sacrifice diligence and governance in the name of “getting it done.” This applies to both implementing your initial compliance process as well as maintaining compliance while managing other projects at your company. If you set extremely aggressive deadlines for each piece of your implementation, you are likely to cut corners and have re-work. It’s better to figure out inefficiencies and areas of risk early and bite the budget bullet to ensure you have enough resources to complete the project in a realistic timeframe.  Once your compliance program is implemented, you will find out how well you institutionalized its use. People will be pressed by deadlines on their projects and you will quickly see whether the processes put in place are still followed when time is short. If things are well-designed, the overhead will be minimal. If people start to blame missed deadlines on the compliance overhead of their process, you will have to work with them to help minimize the time it takes and/or get this time factored into their project estimates.

    CONCLUSION
    The Dos and Don’ts outlined above do not comprise an exhaustive catalog of everything you need to remember or avoid during a compliance effort, but they provide some good guidelines for those facing the challenge. Many people (especially from a technical or financial background) will tend to focus on tool selection, technical implementation, and shooting for a mythical “perfect, problem-free implementation” the first time. It is important to remember that any compliance effort requires the cooperation of people, and people are imperfect, and require coaxing and coaching. The better you account for handling the soft areas of compliance adoption, as well as the hard technical details, the smoother your implementation will be.

    This article was taken from: http://www.s-ox.com/dsp_getFeaturesDetails.cfm?CID=2108

  • 26Feb

    SOX’s outside reach a model for foreign markets

    By: Samuel Loewenberg
    Feb 26, 2008 06:10 AM EST 
     
     When the Sarbanes-Oxley Act became law a half-dozen years ago, foreign companies threw a fit. Now, it’s increasingly a model, in principle at least, for corporate reforms around the world.

    “You see markets as different as India and the European Commission taking a very close look at Sarbanes-Oxley,” said Anne Simpson, executive director of the International Corporate Governance Network, a group that advocates for greater shareholder rights on behalf of investors in 40 countries.

    Indeed, some of the very aspects of Sarbanes-Oxley that have been the most criticized are also the most widely copied.

    Principles such as holding corporate boards accountable and instituting internal auditing of accounting practices have proved popular in other countries, said Simpson, who has testified before the Senate Banking, Housing and Urban Affairs Committee.

    “Sarbanes-Oxley put into law what was previously just good advice,” she said.

    Publicly, many foreign company executives and public officials have continued to slam Sarbanes-Oxley.

    But, at the same time, many countries have been beset by their own financial scandals, prompting regulators to begin implementing corporate governance reforms of their own.

    Governments in Europe, Asia and Africa have embarked on projects to develop their own systems that will be responsible to shareholders.

    Ironically, it’s the issue that sparked the most griping — Sarbanes-Oxley’s extra-territorial reach — that was at the forefront of the current trend toward increased international harmonization.

    Last spring, German Chancellor Angela Merkel met with President Bush to discuss ways to smooth out regulatory disputes between Europe and the United States.

    For many business groups, the push for international harmonization is being seen as a way to reduce regulation. The Transatlantic Policy Network, an organization of U.S. and EU politicians, executives and academics, has been working on a “road map” to create a transatlantic market by 2015.

    “The aim of this road map and framework would be to remove barriers to trade and investment across the Atlantic and to reduce regulatory compliance costs,” according to the group’s agenda. The network’s chairman is Sen. Bob Bennett (R-Utah), who has said that too much regulation hurts American competitiveness.

    In the United States, “Sarbanes-Oxley almost became shorthand for the larger challenges facing our capital markets,” said David Hirschmann, senior vice president of the U.S. Chamber of Commerce. The anti-fraud law, he said, added to a system of regulation and litigation that businesses find burdensome.

    “Foreign companies were telling us, ‘Why would I want to list in the United States?’” Hirschmann said.

    At the root of foreign company concern is the application abroad of U.S. corporate governance standards. For starters, the structure of U.S. corporations, with its emphasis on boards of directors, regulations and litigation, is quite different from those in other countries.      

    So foreign companies listed in the United States were furious to discover that a corporate governance law designed to apply to American companies was going to apply to them, as well. 

    “The U.S. establishment went slightly psychotic” in its attempt to deal with the accounting scandals, wrote the British entrepreneur Luke Johnson in the Financial Times. “The cure has been much worse than the disease.”

    “The true cost of this folly to business is incalculable — not just in higher fees but also in its chilling effect on enterprise and experimentation,” said Johnson, who runs the private equity firm Risk Capital Partners.

    Grumblings about the legislation continue to echo in the European press and among government officials and business leaders. Detractors say that since the new rules, the United States has fallen from its position as the most desirable place to list a company.

    While there has been a decline in new public offerings as a percentage of the worldwide total, this is a longtime trend that precedes Sarbanes-Oxley, financial experts say. And it has more to do with the worldwide proliferation of stock exchanges than with any fault in the U.S. regulatory system, say financial experts.
     

  • 19Feb

    1) Lottery Scams Are Latest Spam Fad
    According to Microsoft (http://www.microsoft.com), 50% of spam emails are currently lottery scams (usually inviting the victim to claim their "winnings" or similar). Surprisingly, their poll also revealed that 16% of recipients actually opened them, indicating an almost complete lack of security awareness.

    2) University Fined For Security Breach
    The University of California has agreed to pay the U.S. DoE a $2.8 million fine as a result of a security breach at its Los Alamos National Laboratory. The fine stems from an incident in which a subcontractor’s employee stole classified documents and stored others on a USB drive in 2006.

    3) Anti-botnet Charges
    The FBI has announced that it has charged eight men with using internet ‘botnets’ to perform fraud and to launch other malicious attacks. The men are alleged to have profited by lifting sensitive credentials off their victims’ computers, releasing DDoS attacks and leasing ‘zombie computers’ to other parties.

    4) Vista Security Fixes
    Microsoft has released a detailed list of more than 300 security patches within the upcoming initial service pack (SP1) for its Windows Vista operating system. The complete list of SP1 service pack items is posted on Microsoft’s website.

    5) Security Gap
    Gap, the clothing retail outlet, has admitted that the unencrypted Social Security numbers of 800,000 job applicants were stolen from a third-party vendor. The vendor contacted law enforcement authorities about the breach.

    6) Software Piracy Settlement
    Six US-based companies have recently settled claims with the Business Software Alliance (http://www.bsa.org) over use of unlicensed software following self-audits. The total settlement was for almost $700k.