GRC Journal

THE IMPERATIVE FOR IT COMPLIANCE

Sarbanes-Oxley may have changed the rules, but a new IDC report finds that information technology is the weak link in the corporate governance chain.

WRITTEN BY ALISON EASTWOOD

There's no question that businesses are being severely impacted by the red tape of financial reporting legislation such as Sarbanes-Oxley. Now their information technology departments are feeling the heat. "Sarbanes-Oxley compliance has been the 900-pound gorilla wreaking havoc in the IT organizations of companies publicly traded on U.S. markets, and similar legislation has affected IT organizations globally," according to a new IDC report*.

The problem is that while enterprises have met the SarbOx challenge head-on at a corporate level, they have applied looser rules to IT governance. Most IT departments still do a great deal of manual reporting and sign-off, and these methods don't hold up under auditors' new levels of scrutiny. Industry analysts, consultants, and vendors such as HP are urging C-level executives to embrace a new level of automation so that IT can support, rather than hinder, new governance policies.

"Sarbanes-Oxley is all about having, and being able to demonstrate, high-quality information," says Lee Dittmar, a Deloitte Consulting Principal in charge of the Enterprise Governance Consulting Services Business. "But in many cases, it is not immediately available. One of the important lessons learned since the passage of SarbOx was that IT systems at many enterprises are not designed to provide ready assurance of business information."

Regulating control

Although corporate America was hit hard by SarbOx, it was not the only compliance-related roadblock.
Other regulatory frameworks that descended in the same time frame included the Health Insurance Portability and Accountability Act (HIPAA), which regulates the privacy of patients' health information; the Gramm-Leach-Bliley Act, which requires financial institutions to ensure the confidentiality of their clients' personal information; and SEC Rule 17a-4, which establishes record retention and retrieval requirements for brokers, dealers, and exchange members.

Section 404 of SarbOx, however, had public U.S. companies sweating. Since the Act's passage in 2002, companies have been required by law to include in every year-end financial report an assessment of the internal controls behind their financial reporting. Seeking to standardize their reporting methods, they put extensive effort into creating process and system documentation, performing more thorough testing, and responding quickly to requests from auditors. Substantial portions of budgets were swiftly allocated to forming cross-discipline project teams comprised of business managers, internal auditors, and IT professionals.

The additional scrutiny uncovered a critical gap in the IT link of the chain, according to Brad Ames, Director of IT Auditing at HP. "IT must understand what information is important to monitor and collect. Then, they must understand what that data is, centralize it, and continuously report on that data," Ames says. These abilities are currently lacking in many enterprise IT departments, which are "poorly equipped to take on the disciplines that compliance requires, to build aggressive project plans, and provide robust systems that can be tested and trusted initially by auditors," IDC warns*.

BTQ Business Trends Quarterly Q3 2006 | www.btquarterly.com