Tools to help you fall into regulatory compliance

Opinion
Jun 20, 20054 mins

* IT audit compliance and Sarbanes-Oxley tools

* Today’s newsletter is co-authored by Brian Musthaler, a principal IT audit consultant at Essential Solutions.

Thanks to companies like Enron, WorldCom and Healthsouth, all U.S. public companies live under much tighter government scrutiny these days. The Sarbanes-Oxley Act of 2002 established an array of regulations designed to make companies and specifically their officers more accountable for financial information. Not surprisingly, this created more work for the IT department to help control access to and audit computerized financial records and processes. As a result, companies are moving from manual, decentralized controls to automated, centralized controls.

Since the original act is ambiguous in the area of IT controls, the audit, financial and IT communities – in an effort to protect themselves from Securities and Exchange Commission sanctions – went to an extreme in documenting and testing all IT processes and controls. Though expensive, time consuming, and oppressively over burdensome to many organizations, the process of documenting processes and controls allowed for the identification and repair of significant weaknesses in many organizations. (Just recently, the U.S. Securities and Exchange Commission issued new guidelines on the testing of IT controls for compliance with the Sarbanes-Oxley Act. These clarifying guides appear to be in response to complaints that Section 404 of the act was too vague.)

Not ones to miss an opportunity, many software vendors developed new tools to assist in the management of controls, both IT and business-specific, in support of “accurate financial reporting.” This article takes a look at some of those tools and how they might help an organization struggling to meet the requirements of Sarbanes-Oxley.

IBM’s recently updated Workplace for Business Controls and Reporting helps provide a common platform for a company to document, evaluate and report the status of controls management across multiple initiatives in an enterprise. It simplifies risk assessment and control management by addressing a wide range of business control related challenges. Role-based access to disclosure controls documents, internal controls matrices, testing procedures and results – residing in a single repository – helps individuals to quickly identify issues and help mitigate risks. (See https://www-306.ibm.com/software/info/ecatalog/en_US/products/S108070A15439I39.html)

The new HP OpenView Compliance Manager software automates and continuously monitors internal controls and manages business processes while adhering to compliance regulations. The software provides a comprehensive dashboard view for a CIO to assess and address areas of emerging IT compliance risk. (See https://www.managementsoftware.hp.com/products/ovcm/ds/ovcm_ds.pdf)

As part of its business service management strategy, BMC Software offers several types of products to help automate general IT control activities and to meet Sarbanes-Oxley audit requirements. The products fall into categories such as Data Management and Recovery Controls; Change and Configuration Controls; and Identity and Access Controls.  (See https://www.bmc.com/products/products_services_detail/0,0,19052_19453_22019030.html)

BindView’s Compliance Monitoring products aim to help organizations satisfy network security control requirements for regulations such as Sarbanes-Oxley, Health Insurance Portability and Accountability Act, and others. The products are designed to review regulatory guidance; map regulations, standards, and controls to policies; define/publish policies and controls; measure compliance; remediate non-conformance; demonstrate due care; and create controls documentation.  BindView’s claim to fame is that the products work across all major operating systems (Windows, Unix, Linux, and NetWare) plus on platforms such as Oracle, SQL Server and Microsoft Exchange. (See https://www.bindview.com/Solutions/ComplMonit/)

Computer Associates, too, has several product suites designed to help an enterprise with Sarbanes-Oxley compliance. Unicenter has modules for identity and access management, software change management, and service desk that put controls and reporting into your IT processes.  (See https://www3.ca.com/technologies/subsolution.asp?id=4806)

These are just a few of the many software companies offering “Sox” compliance tools. No matter where your ship needs to be tightened, you’re sure to find a software tool to help automate your controls and reporting.

Oh, and here’s an interesting tidbit. If you believe that the focus on controls and governance issues being addressed by Sarbanes-Oxley is new, you might be surprised to learn that Alfred Sloan, chairman of General Motors from 1937 to 1956, popularized financial controls for corporate governance during his tenure.  The reasoning behind financial controls is no different today than it was during Sloan’s two-decade reign at General Motors: companies that are based on strong corporate governance produce superior long-term growth and shareholder returns.  Isn’t that what every company wants?

Linda Musthaler is vice president of Currid & Company.  You can write to her at mailto:Linda.Musthaler@currid.com

Brian Musthaler is a principal IT audit consultant at Essential Solutions Corporation.  You can write to him at bmusthaler@sbcglobal.net