"If youre in IT management, you really need to look at the ramifications because failure to comply with some mandates under the Sarbanes-Oxley Act could land your executives in trouble," said Oli Thordarson, president of Alvaka Networks and a panel member. "You need to make sure you have compliance in place to deliver the goods."
The eSeminar, part of Ziff Davis Medias Virtual Tradeshow series, homed in on technology strategies to help IT professionals make sense of compliance requirements. The panel also focused on strategies companies can use to move from pilot to program status, particularly as they move past the April 15 deadline—public companies with a market capitalization of $75 million or more are mandated to comply with Section 404 of the Sarbanes-Oxley Act by next month.
One big issue for companies looking to implement solutions is that SOX, as the act is commonly referred to, is often vague and open to interpretation.
"There have been many things written about the value of the act, but it is what it is, and its here to stay," said Rahul Gautam, senior manager with Deloitte Consultings Strategy & Operations Practice.
Alvaka Networks Thordarson suggests a number of concrete steps IT can take to meet compliance mandates. "If you dont have monitoring software and policies in place for [mission-critical] systems, I strongly recommend you put them in place," he said. "Or youre going to be letting down your company."
Thordarson said that IT should not count on a backup log coming from their systems for signs of trouble, but rather they should "dig in deeper, check log files, look at a job site, job timing, and keep a record—a long history of things going on there," he said. "If something doesnt look right, thats a good indication that something is going on."
Thordarson also said a solid e-mail policy should be implemented. "There are a whole new set of rules you have to live by in IT; if youre in the financial community, youd better be saving all e-mails," he said. He also suggests a patch management program, with firewalls used as a second line of defense.
Finally, Thordarson suggests IT have good security methodologies in place, along with good performance monitoring "just to make sure its all working."
Over the past year since SOX was enacted, there have been a number of issues companies have grappled with, according to Deloittes Gautam. First and foremost, the requirements are new; even the external auditors dont fully understand the requirements.
"Companies need to adapt and communicate with auditors," said Gautam. "People are just getting their bearings."
Secondly, companies have grappled with getting accurate and reliable financial information in place that is accessible at any time.
In order to better move from a pilot focus in the first year to an ongoing program focus, Gautam suggests a number of strategies—the first is to clearly define roles and responsibilities for SOX compliance initiatives, so there isnt a question of "begging or borrowing" an hour here or an expert there. Another strategy is to continuously automate business processes.
"The more often we can look at our environment, the less burdensome it will become," said Gautam. "We need to have some concept of continuous auditing."
He also recommends mapping applications back to specific controls, and to specific line items. That way, when a server goes down, for example, IT can have a conversation with its chief financial officer about the impact of that event. It will also provide the capability to provide a companys CEO and CFO with views into what is happening with financials.
"What companies really need to look at around SOX is that this is a journey. Weve got through one year—its not been positive for everyone. Now we need to look back and [determine] what is the game plan for the next 18 to 24 months," said Gautam. "A lot of change is going to come from existing technology that companies have. If they tweak a little bit there and change here, theyre going to be able to achieve significant benefits in regard to SOX."