The first thing to do is to get a clear idea of what you need to keep. Gerr stresses the importance of getting the business
side on board in this. He also warns against taking the shotgun approach. It may look easier at first: If you just save everything,
you’re covered, right?
Wrong. People do this primarily to avoid the time-consuming analysis required to implement an efficient archive that will
satisfy the law. And these are documents that can end up in court. “I have heard horror stories,” Gerr says of companies that
were hit with a lawsuit and subpoena. “They have to turn all this stuff over even though they aren’t sure of what they have.
Meanwhile, the prosecutors have better search and retrieval tools, and the defendant is confronted in court with e-mails they
didn’t know existed.”
Rein in your operational systems and user access
“Sarbanes-Oxley is still the big one when it comes to compliance and IT,” says Paul Hammerman, an analyst at Forrester Research.
“[Sarb-Ox 404] is where you have to identify the control measures that will attest to the integrity of your financial statements.”
One of these controls is segregation of duties. IT must be able to demonstrate that, for example, the person who makes a purchase
does not have the authority to take receipt and authorize payment. Hammerman says this is a particularly tough one for IT
because it involves many systems -- HR, ERP, and general ledger, to name a few -- together with access policies and procedures.
Tyler says this can be an enormous undertaking if you approach it from a global security perspective. So, a little analysis
up front -- identifying just those systems and personnel that come into play -- can pay off big. “Chances are, the majority
of users in your enterprise don’t need access to any of the critical systems,” he explains.
Tyler and his team set out early to identify all connections between users and systems. This allowed them to eliminate the
majority of personnel authorization profiles from their Sarb-Ox work. It was laborious, but it reduced implementation work
by more than a factor of 10. “It is about security,” he says. “But do not approach 404 compliance as security with a capital
S.”
The value of available solutions
When Energen’s Wagner got serious about Sarb-Ox 404, he started looking at authorization and access within his SAP system.
“SAP security is very complex,” Wagner says. “You don’t want to try and implement your 404 controls from within SAP. There
are a lot of things you just cannot do adequately with what they give you out of the box.”
Some will take this as a challenge, which is probably not a good idea. “I know some rogue DBAs who say, ‘Yeah I can build
this fancy little database to automate all this stuff,’ ” he explains. “That is a formula for disaster.”
When you understand what is lacking and what is required, you can confidently go with one of the many products on the market.
Wagner chose Approva and so far is pleased.
Quaker’s Tyler is currently testing software from Oversight Systems. “The Oversight engine historically came out of fraud
detection,” Tyler says. “We think it can help us to automate a lot of the supervision and auditing for compliance.”
At McDonald’s, Jensen is using Risk Navigator from Paisley Consulting to better automate the monitoring and gathering of compliance
data. “We can put our risks and controls together in a tree structure that links all the way up to corporate and all the way
down to individual processes.”
Push back when necessary
To form a more perfect compliance, IT must seek guidance from management and auditors. It is important to note, however, that
no one has all the answers. Sometimes it will fall to the IT chief to say no.
“I don’t know of any IT shop that has done everything their auditors suggested,” AMR’s Hagerty says. “If they did, it would
be prohibitively expensive.”
At Quaker, Tyler dug in his heels a few times. “Our auditors wanted to look inside our firewall,” he explains. “We went back
and forth and finally compromised by installing a monitoring system. They also wanted to delve into our application lifecycle
management. We are still debating this one.”
Pushing back requires that you have full confidence in your compliance team. If you have that, the right pieces will fall
into place at the right time.
“It is all about assessing risk,” Hagerty says. “It is often going to be a value judgment coming from IT: ‘Am I at risk or
not?’ ”
Ultimately, Hagerty says, if you come clean and show your auditors that you have some weaknesses but assure them you’ll do
what it takes to remedy any problems, it’s likely that everyone can sign off and go on to fight another day.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
