Since the Sarbanes-Oxley Act became law in July 2002, it has altered radically the way public companies manage their procurement, accounting, auditing and other internal processes, especially those that are tied to financial reporting.

Public companies have invested tens of billions of dollars in SOX compliance, and many of these investments have been in labor-intensive manual processes. The cost and risk associated with these processes have become untenable, however, and more SOX investments are being directed to automated solutions.

Click to see: Implementing a compliant provisioning process

An automated approach to compliance provides the speed, accuracy and visibility necessary to prevent, detect and correct compliance violations. More important, automation can do this without taxing an enterprise's resources, which in most cases are taxed heavily already.

Integrated compliance solutions optimize and streamline compliance by addressing all compliance-related activities - provisioning, monitoring, analysis and remediation. Such solutions call for the seamless integration of controls-management and identity-management systems. This integration is the essence of an emerging practice called compliant provisioning.

This best practice entails managing several key compliance initiatives jointly, ensuring that:

•  Compliance applications integrate with identity-management and provisioning systems.

•  The roles of IT security and business process owners are identified clearly in the automated provisioning process.

•  Financial and ERP systems provide for clear segregation of duties.

•  User requests for privileges and changes to user roles do not create segregation-of-duty violations.

By incorporating the principles of compliant provisioning into an integrated, automated approach, an enterprise can implement a sustainable system of compliance. Such a system addresses everything from the granting of user privileges to the ongoing monitoring of those privileges, the continual analysis of access activity in the light of those privileges, and the steps to remediate any violations before they become audit issues.

Not only does this approach address compliance requirements, which is the key business driver, but it's also a better way to conduct business. With an integrated solution, these critical tasks can be handled through a single seamless process, with no additional action required to assess whether a user's privileges continue to be in compliance as they change, and no special effort needed to address noncompliance.