
SOX - Myth and Reality

May 9, 2005

ITSM Watch Staff

By Guta Basner

"A good name, like good will, is got by many actions and lost by one." - Lord Jeffrey

Millions of dollars, thousands of hours, and hundreds of accountants with overheated calculators - that's the cost of preparing for Sarbanes-Oxley (SOX) audits. SOX's main objective is to protect investors and assure the public that anything affecting a company's standing is disclosed in a timely fashion.

Financial processes are the hot topic of many board meetings and editorial pieces. The Chief Financial Officer (CFO) is at the core of the SOX initiative - so let's examine the validity of concentrating on financial processes alone.

The Other Processes
Data Management - A burglar smashes a window and takes one computer. That minor loss would not warrant a call to an insurance agent, but because sensitive information was stored on the hard drive, a simple burglary becomes a material breach.

Resource Management - Let's assume that several staff members surfed the web during the work day - some looked for bargains on eBay, and some visited sites for a dose of dubious pleasure. How many work hours were lost, how many projects were not completed on time, and does that affect the business's bottom line? If the answer is yes, then it has an impact on the profitability of the company and therefore on investors.

Research and Development - Innovative, hard-working engineers spend countless hours developing a new product. A "trusted insider" sends the source code to a competitor. It's a material breach and must be disclosed, but more significantly the company has lost market advantage and revenue.

Change Management - A new server was installed, but nothing was working. Eighteen hours later it was discovered that the operating system had not been patched to the pre-change configuration level. Lost sales amounted to several million dollars.

Configuration Management - A database manager died in a fatal accident. The configuration baseline was not documented, and no backup information existed.

These examples are from recent real-life events. None of them is connected to financial processes, but all of them have the potential to jeopardize a company's financial stability.

Preparing for an audit is not the goal; monitoring, measuring and improving the health of the company is, and every process that is in place must support the vision, goals, and mission of the company.

Compliance and security service offerings
Companies are inundated with proposals promising security and compliance. From software and hardware to monitoring and staffing, an array of options is available. However, when all is said and done, companies are frequently left with a patchwork system and a stifled ability to grow and manage. An assortment of good solutions exists, but how does one choose, what should be taken into account, how should priorities be set, and how should the different options be assessed?

For example:

  • First scenario: your next-door neighbor offers you intrusion protection - security cameras will be installed throughout your whole house, bedroom and bathroom included; he will monitor every move in your house and alert you in case of a break-in.
  • Second scenario: your physician offers to install devices in your house that will constantly check your vital signs and compare them to your recent medical data. You will be immediately notified of any abnormality, medication will be prescribed and a plan of remediation communicated. Armed with that information, you can make an informed decision on how you want to proceed with any treatment.
Both scenarios offer you peace of mind, management of known and unknown threats, and monitoring and risk notification in real time, but only one solution pinpoints and prioritizes risks and is customized to your requirements.

It is imperative that business leadership receive inclusive, timely, and relevant information to make decisions that directly affect the company's future.

Laws and Regulations
Companies are spending money and resources to achieve compliance with a varied and ever-growing number of laws and regulations. Most of the expenditure goes toward external protection, but what about the internal controls required by Sarbanes-Oxley, HIPAA, GLBA, ITAR, etc.?

And what about safeguarding proprietary and confidential information? What about the "trusted" insider who sends your company's strategy plan to a competitor, forwards a spreadsheet with personal or private customer information to an outsider, discusses a pending merger or acquisition in a chat room, or sends a confidential memo to a reporter?

From compliance breaches to excessive access to commercial sites, from leakage of source code to disclosure of intellectual property, from improper behavior to a hostile work environment, all affect the bottom line. Awareness of these events allows management to mitigate risks in real time and avoid the losses associated with them.

Although CFOs alone can't, and shouldn't, be responsible for everything that goes on in the company, as it stands now they are the ones driving the initiative to write the processes and implement internal controls. On the other hand, IT personnel often don't understand the urgency and need for internal controls and are frequently kept out of the loop on the compliance effort they are expected to support.

Meeting legal requirements should be viewed as an opportunity for a company to tighten its management practices and improve its business operations. A proactive approach to problem and risk management, and a well-defined management system and process structure, will not only help companies meet the requirements but also provide real business value and a better return on investment.

P.S. Greatest myth: only Fortune 500 companies must be concerned with SOX compliance.

IT, Operations, and Logistics are three major areas of outsourcing. What will happen to a provider of outsourced services if a material breach occurs because "they are a small company and don't need to be in compliance"?

The risks are not discriminatory: they can impact companies of any size, regardless of industry, and render executives vulnerable financially, legally, and personally. By changing the view of business management and integrated processes from an expenditure to a marketing investment, small companies can gain an advantage over competitors and secure a larger market share.

Guta Basner supported NMCI, the largest contract ever outsourced by the DoD to the civilian sector, for over three years. She performed Current State Analysis, outlined improvement areas, and facilitated the implementation of various processes. She has also conducted training classes and executive briefings and has published several white papers and case studies covering Process Engineering, Optimization, and ITIL implementation.

Guta Basner is a recipient of numerous awards and recognition certificates and is a member of "Who's Who in Professional Management."