PEBBLE BEACH, CALIF. -- Imagine Y2K every year.
The very idea would make Stephen King break out in a cold sweat. But that's how some CIOs view the Sarbanes-Oxley Act (SOX) -- a pain that doesn't go away after New Year's Day.
At TechTarget's CIO Conference, Cal Braunstein, CEO and executive director of research for consulting firm Robert Frances Group, discussed the impact of SOX on IT.
It's a deep impact.
The deadline for compliance with Section 404 of SOX, which requires an annual management assessment of internal controls, is Nov. 15 for public companies with a market cap greater than $75 million.
SOX affects IT more than any other department except finance, according to Braunstein. Sixty-five percent of the attendees at the session said that SOX is having a major impact on them, and 40% said that SOX was a "bet your job" project that would put their jobs on the line every year.
That's a lot of responsibility for a department that isn't "the first to be invited to the table," according to Braunstein. "In fact, IT is usually the last to get involved," he said.
So why is SOX compliance a pain of Y2K proportions for IT? "It's a real process-oriented regulation where everything can be traced and monitored. We [IT] are not very process-oriented," Braunstein said. "You're taking things you used to throw away and studying them."
Many IT departments don't have comprehensive documentation or evaluation processes for internal controls and must shoehorn SOX into their ongoing development activities, Braunstein said. Getting all that done requires a cultural change -- change that can be the difference between compliance and defiance.
"It was a significant change in prior business practices and behavior, and that took a moment to sink in for everybody," said IT manager Louis Curet, who recently took on a compliance project at Rainbow Technologies Inc. in Irvine, Calif. (the company has since been acquired by SafeNet Inc.)
Every quarter -- rather than every year -- Curet found himself sitting down with the auditors who had collected a random sample of transactions from the company. "They would expect you on the spot to be able to recite from memory what happened with each transaction and why you did what you did.
"That was a huge cultural change, but once you got used to it, it was fine," he said.
"[SOX] forced a major reprioritization of everything from top to bottom," said Bobby Russell, IT director at First American CIG in San Diego.
"It's rare to have something literally fall from the sky that stops business process re-engineering and all of the projects that we had on the table from an IT perspective."
Russell should be able to sleep on Nov. 15 -- he said that trial audits and drills helped get his department ready.
"We formed teams throughout the company where one division comes and audits us, we go and audit another division, and we bring in third-party auditors. Drilling helped us isolate the big items."
Other CIOs are feeling a little more angst.
"Many regulations aren't defined, so why would I pay an auditor to do things that haven't been decided yet?" said Skip Borland, CIO of Seattle-based SeaBright Insurance Co. Borland's next big project is compliance, and he came to the conference to hear SOX war stories like those from Russell and Curet.
"It's frustrating," said Mike Cloutier, CIO of Emeryville, Calif.-based Peet's Coffee & Tea Inc. "No one knows what's really required, and no one's been taken to task for lack of compliance." Cloutier said he spends about 35% of his time getting ready for the November deadline.
But CIOs who aren't sure about their SOX need not press the panic button just yet. Braunstein said there really is no best way to comply with SOX. "Everyone is still learning, and any problems will be resolved in court over a number of years.
"The objective isn't to be the best on the street. Just be as good as everybody else."
Braunstein said the key is to be consistent and know your code, data and transactions. He also offered these recommendations:
- Establish an overall cross-functional compliance team and a dedicated sub-team managed by a director-level person. The team should be supported by C-level executives and include executives from finance, IT, legal, marketing and affected business units.
- Coordinate IT activities within the scope of an overall security and disaster recovery plan.
- Have Finance or Audit be responsible for ensuring compliance with SOX. Marketing should take the lead on customer data usage decisions affecting privacy, as well as the Do Not Call Registry. IT is one input to the whole process.