COLUMN

Sarbanes-Oxley as an IT-business alignment driver

By Jasmine Noel 27 Sep 2004 | SearchCIO.com Digg This!     StumbleUpon     Del.icio.us

If something affects the business -- be it emerging competition, shifts in market demand, process re-engineering, or government regulations -- then it affects how the business' computing systems are managed. The Sarbanes-Oxley Act's regulations are a perfect example. When the law was passed in 2002, most enterprises viewed it as an issue for their auditors and financial officers. But lo and behold, in October 2003, the Public Company Accounting Oversight Board proposed an auditing standard (PCAOB; Release No. 2003-017) that states "the nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

More on Sarbanes-Oxley Survey shows SOX brings IT, business together CIOs share ideas, fears on Sarbanes-Oxley compliance

Surprise, surprise! IT does matter in how the business is run -- at least, that's how government regulators see things.

What this really means is CEOs and CFOs cannot fully document their Sarbanes-Oxley compliance without active participation from CIOs. However, many IT executives have been caught flatfooted and are not on compliance committees. They also have been hamstrung by years of buying tactical point products for their organization, which fostered technology fiefdoms and did little to create the robust IT processes that make compliance documentation simpler.

Those lucky enterprises that have taken IT and business alignment seriously, and have already bought or are in the process of choosing enterprise-wide configuration control and infrastructure relationship mapping solutions, will find complying with the regulations much faster and easier than their reactive counterparts. The reason is that those tools provide ready answers to the questions central to compliance, namely:

• "Which of my computing resources are related to the regulation?"
• "How do I actively control my constantly changing infrastructure so that the resources to the regulation remain in compliance?"

These enterprises simply point their mapping solutions at their financial systems and will receive logical topology maps detailing which resources are related to the financial systems. Automatic configuration discovery capabilities allow companies to ensure, and document, that their change management processes are followed consistently. CIOs who approved these technologies for service management or capacity consolidation projects can readily apply them to compliance efforts.

For other enterprises, CIOs now have a unique opportunity to use a tactical issue to implement strategic configuration management processes and solutions that can have benefits beyond reducing the manual effort needed for yearly compliance auditing. Service-level management, problem resolution, capacity planning, patch management and security management issues are all related to active control of infrastructure configurations. They all need answers to the same two questions raised by Sarbanes-Oxley -- for example, substitute the phrase business service for regulation and you have the core questions surrounding service-level management. Thus it behooves IT organizations to use their Sarbanes-Oxley budgets and resources to kill several birds with one stone.

Needless to say, there are several products with configuration control and infrastructure relationship mapping from the likes of Collation, Cendura, Relicore and Troux, and acquired by BMC and Mercury as part of their enterprise portfolios. This fall, we will be looking more closely at the compliance requirements, solution capabilities, and how to maximize the benefits across multiple IT arenas.

Jasmine Noel is co-founder of Ptak, Noel & Associates, an analyst firm addressing converging IT trends and how to leverage them. Previously she was director of systems and applications management at Hurwitz Group, and a senior analyst at D.H. Brown Associates.

Tags: Leadership and strategic planning,  Compliance strategies and best practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Leadership and strategic planning The Real Business of IT: Download a free chapter Gartner's top 10 strategic technologies for 2010 Qualities of a great leader from Jim Collins Lean thinking in IT: Case studies and advice from practitioners FAQ: IT and organizational change management ITSM and ITIL best practices for process improvement Maturing an ITIL strategy beyond incident, problem, change management CIO management mistakes that can harm CIO careers, cause IT failures Do you have the qualities of a good leader? Test your leadership IQ Google Wave: A sea change for business collaboration, communication? Compliance strategies and best practices Email archiving solutions and strategies for enterprise CIOs Miscues abounded in Boston email retention policy, practices Health care security, HIPAA compliance on deck for CIOs in Obama era Enterprise risk management solutions for CIOs Addressing compliance requirements in cloud computing contracts Avoiding gotchas of security tools and global data privacy laws Information security and IT governance guides for CIOs CIO turns to identity and access management to solve business problem Log management tool, SIM boxes combine to form security architecture Economic downturn hits IT budgets

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary GRC (governance, risk management and compliance) software  (SearchCIO.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary