Turning Sarbanes-Oxley into a strategic Advantage
By Nerys Grivolas, Senior Consultant, Net Report SAS
Monday, 31 October 2005 16:00 EST
The key to turning your company’s conformity with Sarbanes-Oxley into a strategic advantage is to sustain your compliance year-on-year. To do so, you must embrace the idea that Sarbanes-Oxley compliance is an ongoing journey not a final destination.
To increase your company’s competitive advantage and close the IT audit gap you must leverage a combination of the right people, processes and technology. This means making compliance a repetitive process via careful planning, effective communication, efficient processes and applied technology applications aligned with best practices, audit and internal control guidelines and corporate culture.
Sarbanes-Oxley compliance has forced and is continuing to force companies to reengineer their business processes, which can improve overall enterprise risk management and business performance and therefore create enormous productivity gains. Complying with Sarbanes-Oxley mandates can be costly and time-consuming. Global companies have estimated that it will cost between $10-$20 million to implement the appropriate control frameworks (COSO, CoBiT) and create the environment needed to fulfill Sarbanes-Oxley requirements on an annual basis. Yet, for those companies determined to turn the business knowledge gleaned from Sarbanes-Oxley into a competitive advantage, an important silver lining beckons. The information that companies gather while complying with Sarbanes-Oxley, in particular regarding internal controls and risk management processes, can open up new opportunities to streamline businesses and increase profit. Here are ten tips to getting the most out of your company’s Compliance Strategies and benefiting from the silver lining.
Tip 1. Take a Strategic Approach to Conformity
Initially, organizations were focusing their compliance efforts purely on Sarbanes-Oxley. Now, as companies are deep into Year Two of Sarbanes-Oxley compliance, they are re-examining their first efforts. Most are finding that taking a rushed initial approach left them without a comprehensive strategy for ensuring ongoing, cost-effective and efficient Corporate Governance, IT Risk Management and compliance management. To decrease the burden of ongoing compliance costs, forward-thinking companies are starting to apply a more strategic approach to compliance by implementing technology to automate internal controls, reporting and testing and establish a centralized repository for this data to lower costs and ensure that annual compliance is a iterative and sustainable process. Companies are recognizing that if they do not start to address this now, their compliance costs next year will be at least the same as this year, and possibly higher.
Tip 2. Address Broader Risk Management Practices
Smart companies have also learned that they can leverage their Sarbanes-Oxley compliance efforts to address their broader risk management practices and thereby improve their overall business performance. Now more than ever, management teams are working to create stronger control of operational risks and compliance execution as a means to minimizing losses and improving business performance, which is critical to maintaining a positive brand reputation among customers and investors. Having a strong hold over risk management processes is a clear indicator to regulators, customers and investors that leadership is strong within an executive team and that it is being treated with the same sense of urgency as Sarbanes-Oxley compliance. The push for improved transparency in financial reporting and increased enterprise-wide accountability by companies who believe they will be stronger and more attractive to investors if they take the opportunity to institute transparency are also realizing the need for strong risk management practices.
To address all these needs, the organizations are now looking to utilize Corporate Governance and IT Risk Management specific technologies to drive inefficiencies out of the compliance process. A powerful, enterprise class solution that combines log collection, long-term archival, analysis, monitoring, correlation, alerting, reporting and forensic data investigation is now a key element in a company’s compliance.
Tip 3. Select the Appropriate Control Framework Mix
A combined approach marrying a known Risk Management Framework (for example COSO) and an IT Risk Management Framework (for example CoBiT) with an effective enterprise-wide risk management technology solution to automate your IT internal controls such as Net Report Monitoring Center can take your Sarbanes Oxley compliance that bit further to ensuring sustained conformity.
Tip 4. Bring Together the Right Combination for Sustaining Sarbanes-Oxley Compliance
Sustained SOX compliance takes the right combination of people, processes and technology to make the journey successful.
Tip 5. People - Instill Data Quality Mindset
The first step is to harness the best people in the company to manage the sustainment effort. The goal should be to instill a culture of data quality within your company. Educate anyone who has contact with company data (read: everyone) on how important it is to maintain the data quality standards developed in the SOX compliance process via Training, Corporate Communication, Seminars. To this end, develop metrics for measuring data entry accuracy rates, and tie performance to incentives.
Tip 6. Processes - Evaluate and Improve Your Compliance Methodology & Processes
Next, evaluate your initial compliance methodology and fine-tune it to enable the sustainment effort. The trials and errors that went into developing your SOX compliance methodology should give you valuable insight into which data quality maintenance processes work best for your company. Examine your initial compliance processes to confirm that they can be reused – and tweaked, if need be – to enable you to monitor and sustain the compliance effort.
Tip 7. Technology - Implement and Automate your Data Management Tools
To augment the work of your people and processes, it's critical both to implement best-of-breed data management tools and to automate data management processes when possible (data collection, archival, analysis correlation). Because of time constraints, your initial SOX compliance effort may have entailed using your existing technical architecture. However, now that you are in compliance, it's time to re-evaluate that technical architecture. You need flexible, scalable data management tools that can grow with your company and enable you to automate as much as possible of the data management effort.
Tip 8. Communicate – Report by People through Processes via Technology
Monitor your compliance and put accurate information into the hands of the people who need it – when they need it. A SOX compliance solution such as the Net Report Solution gives executives, managers and knowledge workers role-based views, allowing them to monitor multiple processes that occur simultaneously and to consolidate seemingly disparate information into a relevant and usable context for analysis and action. With this technology, data management issues can be identified and rectified long before they become serious, widespread problems.
Tip 9. Ensure Agility at Each Level of the Company
Corporate agility is the key to beating competitors to market with strategic initiatives, and to reacting more effectively to regulatory mandates. In today's market, this strategic advantage is fast becoming an imperative as business cycles rapidly decrease. Sustaining SOX compliance will never be easy. Regulations will change, and problems will almost certainly arise. The goal of compliance sustainment, however, is to gain the ability to identify and correct potential problems before they become endemic. The right combination of your company's best and brightest people, usable and repeatable data management processes, and flexible, powerful technology will go a long way toward helping you sustain SOX compliance.
Tip 10. Monitor, Test and Continue Improving the Compliance Strategy Constantly
IT organizations must ensure that they are continuously monitoring their Sarbanes Oxley policies to remain in compliance at all times, not just at the point-in-time that an audit is performed. One way to achieving this is via the real-time and robust advantages offered by an automated log lifecycle management solution. This kind of automation does not just save money, more importantantly, it gives organizations the tools to plan and prevent and react quickly, when necessary. It is no longer enough to think of compliance as a series of reports providing an auditable trail of change. Instead, compliance is a complete process not a final destination.
Conclusion
Sarbanes-Oxley forces companies to manage internal IT controls, justify the flow of information in the company, align internal audit procedures with best practices, focus on real-time reporting, implement an early-warning system to alert key stakeholders and boards of dubious accounting methods, and make hundreds of similar efforts. All of these actions will, no doubt, improve corporate governance.
However, this information poses a challenge to management it can, through the implementation of automated IT Security Control Tools (such as Net Report Log Analyser and Net Report Monitoring Center) and the integration of a rigorous Corporate Governance and IT Risk Management strategy, help a company mitigate risk and perform more effectively.
By implementing your Compliance strategy with Net Report’s Consulting Services and Automation Tools, smart businesses can reduce their ongoing costs, minimize regulatory and operational risk and turn compliance into a repeatable, sustainable, and cost effective process.
|
|
Prevent data theft & viruses through network connected USB sticks, PDAs & media players.
Control user access to endpoint connections with GFI EndPointSecurity - Free trial!
Visit GFI Security Software page for more information.
IT-Gear.com - Weblog dedicated to everything concerning IT tools and services.
Latest News
SECUDE appoints Open-Source specialist as Linux Expert
02.11.06 SECUDE IT Security GmbH has confirmed the appointment of Felipe Rodriguez, a Linux Kernel contributor and owner of the Open-Source project MGSTEP, as its Linux Expert.
Increased Spam Fuelled Through Botnet Activities
02.11.06 MessageLabs, a provider of integrated messaging and web security services to businesses worldwide, has announced the results of its Intelligence Report for October 2006.
How to keep your VoIP net safe
30.10.06 One of the major challenges in implementing a converged network is having a coherent security policy for the management and control of a system that is carrying voice, video and data.
User tricks, security treats
30.10.06 Thirteen malevolent spirits may haunt the halls and cubicles of your company, and if you're going to scare them into security compliance you may need to get a little bit spooky yourself.
10 Steps to More Secure Wireless
27.10.06 We have all heard about the stories of spammers using open home wireless networks to fill the net with junk mail.
BT acquires Counterpane Internet Security
25.10.06 BT has announced that it has acquired Counterpane Internet Security, a provider of managed networked security services, as part of its strategy to expand and develop its global professional services capabilities.
Perdemia updates Permission Analyzer
25.10.06 Perdemia has upgraded Permission Analyzer, a powerful Windows administration tool that quickly determines whether the system access permissions are properly set, need to be changed, or have been altered by people who are not authorized to make changes.
Mac OS Bluetooth exploit - Inqtana.d
25.10.06 Inqtanad is a proof-of-concept exploit, which has not yet been seen in the wild, that is installed on a Mac OS X computer via Bluetooth from a computer or PDA running a Linux system.
|
|
