Qualcomm will have a year of experience under its belt when the next major Sarbanes-Oxley deadline arrives - barring any more extensions to key provisions of the law, that is.
CFO Bill Keitel says the San Diego chipmaker was on track to comply with Section 404 of the legislation last fall. But as the date neared for companies of Qualcomm's size to begin attesting to the effectiveness of their internal controls, the Securities and Exchange Commission (SEC) announced an extension.
"Imagine troops storming Omaha Beach, they're halfway up the beach when some general back in an office somewhere says 'Oh, never mind. Come back to the ships,'" Keitel says. "You don't stop, you keep going for sake of the people who worked so hard to get you there."
So Qualcomm forged ahead and today is among a handful of companies that have achieved early compliance with Section 404 of SOX - in Qualcomm's case, a full year before the close of its 2005 fiscal year in September.
But it wasn't without pain. Qualcomm employees put in 67,000 man-hours to comply with Section 404, Keitel says. That meant the staff worked many late nights and many weekends for the better part of the year, he says. And the financial tally? Qualcomm spent more than $7 million, Keitel says.
SOX became law in 2002 in response to high-profile scandals at companies such as Enron and WorldCom. At its most basic, the legislation is intended to deter fraud and protect investors by establishing more stringent standards for corporate governance. Key provisions include:
• Section 302, in effect since late 2002, requires a company's top executives to certify the accuracy of corporate financial reports.
• Section 409, which is still being ironed out, will require companies to give investors information related to any material changes in their financial condition or operations in a timely manner.
• Section 404, which takes effect in staggered deadlines beginning this spring, says companies must prepare reports - to accompany their annual reports filed with the SEC - assessing the effectiveness of their internal control structures and financial reporting procedures. Compliance with Section 404 is where most public companies' SOX efforts are aimed today.
On the surface, those efforts seem like something for financial departments to tackle. But in its execution, SOX is all about IT.
"When it first came out, everybody was thinking about finances and the accuracy of year-end reports. But it starts to take on a life of its own. Because when you ask that one question - 'Is this number accurate?' - then you have to ensure its accuracy. On the IT side, all these other things have to happen to answer that one question," says Bernie Donnelly, vice president of quality assurance and control at the Philadelphia Stock Exchange.
For Phil Blank, vice president of IT for the ProBusiness division of ADP in Pleasanton, Calif., SOX compliance is first and foremost an identity management issue.
"With Sarbanes-Oxley, the regulators want to know who was in what system, what they did, why they were there, whether they were authorized to be there, and how long were they there. You have to be able to answer those questions for almost everything," Blank says. "From my perspective, without a role-based access control system or an identity management system, compliance is going to be a Herculean task."
Before its acquisition by ADP, ProBusiness invested in identity management software from Waveset Technologies (which Sun acquired in late 2003). Blank bought the software to formalize what were manual, ad hoc processes for managing employee access to business systems.
As SOX came into play, Blank tweaked the rollout to better address the legislation's requirements for securing system access. "Now we can show, with a very strong audit trail, the access provisioning and deletion processes, and the auditors can come in and test. It's all mechanized," he says.
RailAmerica, too, is focused on users' access to corporate systems. In its case, segregating duties is a critical issue, says Pedro Carrera, SAP manager at the Boca Raton, Fla., short line and regional rail service provider.
One thing SOX auditors look for is segregation-of-duties conflicts - for example, one person with the authority both to create a vendor in an ERP system and to cut checks to vendors. Someone holding both rights could set up a fictitious vendor and pay it, so there is a potential for fraud when one person has that much power.
"As we analyzed the roles people had to have, there were just certain circumstances that required a person to be a back-up for someone else, but it was incompatible with their day-to-day role to have that other role," Carrera says. For example, his role as SAP manager gave him unconstrained access to the financial systems of RailAmerica's 40-plus subsidiaries. "I support over 40 companies in North America. I need to get into their purchasing and general ledgers and look at what they're doing. Imagine having that broad access without having some control over it - that would be a problem," Carrera says.
To close possible gaps in its internal controls, RailAmerica rolled out software from Virsa Systems. The vendor's Firefighter software lets IT users such as Carrera retain the broad access they need to fix system problems, but tracks, logs and reports their activities for auditing purposes.
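The segregation-of-duties review described above can be automated against the role assignments an ERP or identity system exports. The following is an added illustration, not RailAmerica's or Virsa's code: the permission names, the toxic-combination rules, the role definitions and the user assignments are all constructed for the example (a real run uses the auditor's SoD matrix and a live export). It reports every user whose effective permissions violate a rule, and separately attributes each violation to the single role or the pair of roles that creates it, which is exactly the "backup role incompatible with the day-to-day role" case Carrera describes.

```python
"""Segregation-of-duties (SoD) check over user-to-role assignments.

Added example, not code from the article or from any vendor named in it.
All rules, roles and assignments below are constructed sample data.
"""
from itertools import combinations

# Constructed toxic-combination matrix: a set of permissions that must not
# rest with one person, and the reason an auditor would give.
SOD_RULES = [
    ({"vendor.create", "payment.issue"}, "can create a vendor and pay it"),
    ({"journal.post", "journal.approve"}, "can post and approve own journal entries"),
    ({"user.grant_role", "payment.issue"}, "can grant payment rights and issue payments"),
]

# Constructed role definitions: role name -> permissions it confers.
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.issue", "invoice.approve"},
    "gl_accountant": {"journal.post"},
    "controller": {"journal.approve", "invoice.approve"},
    # A broad administrative role that violates several rules on its own.
    "sap_admin": {"user.grant_role", "vendor.create", "payment.issue",
                  "journal.post", "journal.approve"},
}

# Constructed assignments: user -> roles held (day-to-day plus any backup role).
ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager"],
    "carol": ["ap_clerk", "ap_manager"],      # backup for bob: conflicting pair
    "dave": ["gl_accountant", "controller"],  # conflicting pair
    "pedro": ["sap_admin"],                   # conflict inside a single role
}


def effective_permissions(user_roles, roles=ROLES):
    """Union of permissions over every role the user holds."""
    perms = set()
    for role in user_roles:
        perms |= roles[role]
    return perms


def find_sod_conflicts(assignments, rules=SOD_RULES, roles=ROLES):
    """Return [(user, reason, frozenset(toxic_perms))] for each violated rule,
    ordered by user name so the report is stable across runs."""
    hits = []
    for user, user_roles in sorted(assignments.items()):
        perms = effective_permissions(user_roles, roles)
        for toxic, reason in rules:
            if toxic <= perms:
                hits.append((user, reason, frozenset(toxic)))
    return hits


def blame_roles(user_roles, rules=SOD_RULES, roles=ROLES):
    """Attribute each violation to the role(s) that create it.

    A single role is blamed when it violates a rule by itself. A pair is blamed
    only when neither role alone violates the rule, i.e. the conflict appears
    because a backup role was added on top of a day-to-day role.
    """
    blame = []
    for role in user_roles:
        for toxic, reason in rules:
            if toxic <= roles[role]:
                blame.append(((role,), reason))
    for a, b in combinations(user_roles, 2):
        for toxic, reason in rules:
            if (toxic <= roles[a] | roles[b]
                    and not toxic <= roles[a]
                    and not toxic <= roles[b]):
                blame.append(((a, b), reason))
    return blame


if __name__ == "__main__":
    for user, reason, toxic in find_sod_conflicts(ASSIGNMENTS):
        print(f"{user}: {reason} ({', '.join(sorted(toxic))})")
        for culprit, why in blame_roles(ASSIGNMENTS[user]):
            print(f"    introduced by role(s) {' + '.join(culprit)}: {why}")
```

Running the script with the sample data flags carol and dave through their role pairs and pedro through the single sap_admin role. In practice the pair-level attribution is what decides the remediation: split the backup role, or keep it and wrap it in a logged emergency-access control of the kind the article describes.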
Philadelphia Stock Exchange relies on technology it already had in place to aid its compliance efforts. The exchange isn't public, but some day it could be. To prepare for that scenario, it voluntarily complied with SOX, Donnelly says.
"One thing that makes the Philly Stock Exchange different from other organizations trying to comply with Sarbanes-Oxley is that we've been under SEC regulations since the time of the Exchange Act of 1934," Donnelly says. "This type of oversight, or requirements for ensuring the integrity of data, is old hat to us."
Software from Consul Risk Management helps fill in the SOX compliance gaps. Philadelphia Stock Exchange has used it for nearly 20 years to collect log data from its mainframe, Sun and Stratus trading engines.
Consul's server-based audit and compliance-monitoring software spots discrepancies with Philadelphia Stock Exchange's development and change control policies. "No developer is permitted access to the production system. If a developer who is supposed to be accessing a development box tries to access a production box, the system flags that," Donnelly says.
There's no way to catch those lapses manually, he says. "We have eight Stratus systems, 50-plus Sun servers and one mainframe. Each of those boxes would put out three feet of paper every day. It's impossible to physically go through all that," he says.
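The policy Donnelly describes, developers may log in to development hosts but never to production, is a small piece of detection logic once the login records from each box are collected centrally. The following is an added example and not the exchange's or Consul's code: the log line format, the hostname convention that classifies a box as development or production, the user-to-environment allow list and the sample events are all constructed for the illustration. It flags login attempts, failed as well as successful, that land outside a user's permitted environments, fails closed on hosts it cannot classify, and counts lines it could not parse so that a broken collector does not silently hide events.

```python
"""Flag logins that violate a development/production access policy.

Added example, not code from the article or any product it names. The log
format, hostname convention, allow list and sample events are constructed.
"""
import re

# Constructed key=value login record format. A real deployment would parse
# whatever the mainframe, Sun and Stratus collectors emit.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)"
    r"\s+event=(?P<event>\S+)\s+result=(?P<result>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed policy: which environments each user may log in to. Anyone not
# listed is permitted nothing, so unknown accounts on any box are flagged.
ENV_ALLOW = {
    "jdoe": {"dev"},            # developer
    "msmith": {"dev"},          # developer
    "ops1": {"dev", "prod"},    # operations, allowed on production
}


def host_env(host):
    """Classify a host by a constructed naming convention; 'unknown' otherwise."""
    if "-prod-" in host:
        return "prod"
    if "-dev-" in host:
        return "dev"
    return "unknown"


def parse_event(line):
    """Return the record as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unauthorized_access(lines, allowed=ENV_ALLOW):
    """Return (alerts, unparsed_count).

    Each alert is (ts, user, host, env, result). Every login attempt counts,
    successful or not, because the policy is about trying to reach the box.
    Hosts classified 'unknown' are treated as off-limits (fail closed).
    """
    alerts = []
    unparsed = 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["event"] != "login":
            continue
        env = host_env(ev["host"])
        if env not in allowed.get(ev["user"], set()):
            alerts.append((ev["ts"], ev["user"], ev["host"], env, ev["result"]))
    return alerts, unparsed


# Constructed sample events covering the cases the checker must handle.
SAMPLE_LOG = [
    "2005-03-14T02:11:05Z host=trade-dev-01 user=jdoe event=login result=ok src=10.1.4.22",
    "2005-03-14T02:13:40Z host=trade-prod-03 user=jdoe event=login result=fail src=10.1.4.22",
    "2005-03-14T02:14:02Z host=trade-prod-03 user=jdoe event=login result=ok src=10.1.4.22",
    "2005-03-14T03:00:00Z host=trade-prod-01 user=ops1 event=login result=ok src=10.1.9.5",
    "2005-03-14T03:05:17Z host=trade-prod-02 user=ops1 event=logout result=ok src=10.1.9.5",
    "2005-03-14T03:10:00Z host=gw-07 user=ops1 event=login result=ok src=10.1.9.5",
    "collector hiccup: this line is not a valid record",
    "2005-03-14T03:12:00Z host=trade-prod-02 user=nobody event=login result=fail src=198.51.100.7",
]


if __name__ == "__main__":
    alerts, bad = find_unauthorized_access(SAMPLE_LOG)
    for ts, user, host, env, result in alerts:
        print(f"{ts} {user} -> {host} [{env}] login {result}: POLICY VIOLATION")
    print(f"{len(alerts)} alert(s), {bad} unparsed line(s)")
```

On the sample data the developer's failed and successful attempts on a production trading host both raise alerts, the operations account on production does not, the unclassified gateway host and the unknown account are flagged for follow-up, and the one malformed line is counted rather than dropped.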