Sustainable Compliance Worth Investigating

Opinion: If IT organizations continue with ad hoc development and incomplete testing, the continuing costs of meeting SarbOx and other mandates will be unsustainable.

Congratulations! Youve proved you could do it. Now you get to do it again and again and again ...

Thats the realization thats starting to sink in as enterprises come to terms with the success—which may not be the best word—of their initial completions of Sarbanes-Oxley Act audits. As the Greek King Pyrrhus said circa 280 B.C., "Another such victory, and we are undone."

Major companies faced their first SarbOx audit deadline in November; other large companies have had to meet rolling deadlines as their fiscal year-ends have arrived. Smaller companies, with publicly held stock worth less than $75 million, have until July 15 to document their internal controls.

With estimated compliance costs ranging to millions of dollars per company—and well into the billions of dollars across the country—the Sarbanes-Oxley Act of 2002 has not just triggered a one-time surge of IT process examination and documentation; its given birth to a new industry of continuing scrutiny and analysis.

"Weve got to do this again, and we cant do it with chicken wire and people sleeping in their cubes," said Christopher Lochhead, chief marketing officer at Mercury Interactive, while we were discussing the need for technology to achieve "sustainable compliance." I found that compelling phrase in a report jointly released this month by Mercury and the Economist Intelligence Unit, the latter being part of the same group of companies that also puts out the international news magazine The Economist.

Based on a survey of more than 800 IT professionals on five continents, that research effort found regulatory compliance ranked as a "high priority" challenge by 74 percent of U.S. respondents, following closely behind data security (92 percent) and IT cost-effectiveness (84 percent). SarbOx and data privacy laws were essentially tied, at 68 percent and 70 percent, respectively, for expected "high impact" in U.S. organizations during the next three years.

"Most people thought that compliance would be a finance and directors issue," Lochhead observed. "What people didnt realize was the straight line to the CIOs office because the processes and controls are automated in software."

Lochheads comments echo a scenario described to me by John Williams, chief technology officer of Preventsys, when we spoke on this subject last year. Williams said people have told him their Sarbanes-Oxley audits had just been completed and in the next breath told him that theyd just had a massive Slammer infection. "Well, Slammer affects databases," Williams said. "Youve got databases in your accounting department. If those databases are susceptible to an automated attack, then how can your CEO be certain that someone didnt use that vulnerability to change your financial results? Its like a train crashed right in front of you in slow motion, and you didnt even notice."

In short, if I may summarize Williams point, you cant take responsibility for a system if you cant say with confidence that its under your control.

But even in a perfectly secured environment, wed have to take note of a warning that I received from Mercury Vice President of IT Governance Alex Lobba. During the same conversation with Mercury staff that I mentioned earlier, Lobba said routine application development and deployment in the enterprise must now follow the sort of stricture thats long been familiar to those in financial functions. "The person making the changes to an application cannot be the person who puts it into production," Lobba said, putting in concrete terms the concept of "segregation of duty" thats one of the backbones of bookkeeping.

"You probably have between now and September to get the automation in place to deal with this," said Lochhead.

Yes, Mercury has a dog in this fight: It not only sells the tools; it sells compliance-oriented configuration management as a packaged service. But I wouldnt be writing about our conversation if I didnt think Lochheads and Lobbas points were valid.

If IT organizations continue their past practices of ad hoc development, informal and incomplete testing, and "gamma test" deployment (as disgruntled users have long called it), the continuing costs of meeting SarbOx and other mandates will be unsustainable.

Technology Editor Peter Coffee can be reached at

To read more Peter Coffee, subscribe to eWEEK magazine.