Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, March 21, 2005

Sarbanes-Oxley compliance may be a burden, but it’s helping some companies improve operations at v

To hear many company executives tell it, the Sarbanes-Oxley Act has been a monumental burden, sucking up time and resources without making their businesses more competitive.  “The cost has been overbearing,” says Chris McWilton, CFO at the charge-card company with $2.6 billion in revenue.  But MasterCard is trying to get something back from that investment.

A post-mortem of its Sarbanes-Oxley compliance effort, looking at what worked and didn’t work, found inconsistent documentation of financial controls, as well as ones that should have been automated.  Among the lessons learned is that “standardization of processes minimizes the risk of misstatements on financial reports,” McWilton says.  Nextel Communications Inc. found it needed to do a better job controlling employee access to sensitive data and IT systems.  And United Technologies Inc. discovered that it wasn’t making full use of the financial controls built into its enterprise-resource-planning systems.

The Securities and Exchange Commission estimates that companies collectively spend nearly 5.4 million staff hours each year implementing Sarbanes-Oxley’s section 404—the part of the federal legislation that deals with financial-reporting controls.  Sarbanes-Oxley, which took effect late last year, was designed to improve the quality of financial reporting and restore confidence in financial statements in the wake of the Enron and WorldCom accounting scandals.

No wonder Sun Microsystems CEO Scott McNealy in 2003 likened Sarbanes-Oxley to throwing “buckets of sand into the gears of the market economy.”

At Nextel Communications, which is merging with Sprint Corp., the compliance process “began as an administrative task but has evolved into a basis for achieving competitive advantage,” says Michael Bryan, who until leaving the company last week was Nextel’s director of IT governance.  While working through the steps to comply with Sarbanes-Oxley, Nextel managers discovered they needed to pay more attention to how employees were given access to sensitive data and programs.  The company installed Thor Technologies Inc.’s Xellerate Identity Manager system to automate the management of Nextel’s 90,000 user identities.

Companies are finding that beyond complying with Sarbanes-Oxley, automating access controls helps enforce information security policies, such as limiting access to sensitive data to authorized users, according to a February report from the Aberdeen Group market-research firm that examined the Sarbanes-Oxley compliance efforts of 40 companies.  As information security and access control become more important, they’re being transformed from a set of ad hoc activities into coordinated business processes.  The company has gained peace of mind that it had the necessary financial controls in place for complying with Sarbanes-Oxley, CFO and executive VP Frank Terence says.

But working through the compliance process also uncovered areas where business processes needed to be improved, particularly IT change-management processes and procedures used to control access to critical software programs and data.

United Technologies is another company that discovered through its compliance-assessment process that its IT systems had automated capabilities of which the company wasn’t taking advantage.  The survey also has brought a sense of unity to a company that’s sprawled out over 125 countries, Howells says.  And the process of developing a standard way of documenting and testing financial-reporting controls has led to standardization in other accounting processes and policies.

Posted on 03/21