SOX Compliance: How prepared is your IT organization for the long haul?
Part II: Understanding the drivers to SOX compliance

IT organizations increasingly face regulatory compliance requirements (the Sarbanes-Oxley Act, Basel II, HIPAA, the Patriot Act, etc.) that demand immediate, and sometimes simultaneous, proactive internal measures. Besides the pressure of meeting the regulatory deadlines, organizations also face the significantly large investments required to become compliant.

Consider the following facts:

  • IT operates at the core of every initiative in an organization. The overall effectiveness of IT operations within an organization therefore becomes a critical component for every business trying to achieve compliance.
  • Organizations worldwide will spend millions of dollars on aligning their IT to comply with SOX requirements. A major part of the investment will go to IT systems and process improvements, application and multi-tier platform security and scalability, document management and reporting, ERP and other financial systems upgrades, archiving, and IT control framework implementation.

SOX compliance: An Opportunity (and not just a challenge)

Robust IT control frameworks are required to run the audited financial process systems and to ensure their reliability. Without a clear vision for IT that translates into clear strategies for identifying, developing and executing well-planned and effective IT control and reporting systems, organizations will not be able to move one step forward towards achieving compliance. Thus, achieving compliance is possible only by establishing an effective organization-wide IT control framework. Once that is achieved, the regulatory mandate, like any learning experience, becomes ingrained in the organization's knowledge base as a self-sustaining best practice: an ongoing process rather than a project component.

This presents a great opportunity in three unique ways.

  • The compliance requirements finally broaden the IT focus from being purely technology-centric to defining the business impact areas of IT and aligning them with overall organizational objectives.
  • The compliance requirements finally provide the opportunity to set up an organization-wide IT control framework that will, over the years, become an underlying Business-IT best practice.
  • The compliance requirements give IT professionals the opportunity to contribute their collective expertise to developing the most effective IT control framework, one that addresses every critical component in the IT value chain.

Leveraging the Compliance effort to add sustainable value
IT professionals can help create a strategic IT value chain that not only addresses the compliance requirements but also translates into a seamless network of checks and balances for developing an effective IT control framework.

  • At the base of the value chain, IT professionals collaborate on identifying and assessing the existing control frameworks for the IT systems in place and their effectiveness.
  • At the next level, IT managers integrate this data with their assessment plans for the most critical control areas (IT systems management, database security, operating systems and applications, network security, etc.) and take remedial steps to upgrade, improve and set up newer strategic IT controls.
  • Finally, at the CIO level, the strategic and budgetary decisions become far easier to make with real-time recommendations and a holistic audit report on the effectiveness of the IT control and reporting frameworks deployed.
Thus, with the key financial and audit processes for internal IT controls established, the CIO is ready with a complete IT control plan for financial reporting.

Compliance Strategy and Roadmap
Creating an IT value chain requires a clear strategy and roadmap for compliance. This lets you monitor how much you are spending on getting compliant and where you are spending it. Defining your own compliance strategy and developing a roadmap is the best way forward in meeting business compliance requirements. It calls for a proactive approach: understanding the areas of focus, identifying the activities required to achieve the desired outcomes, and applying the resulting insights within your organization. Remember that not every compliance issue requires adherence to the letter. You will have to understand the IT aspects from within, interpret the compliance requirements and then devise the strategy that is optimal for your organization. Here are some points to help you devise a compliance strategy that works.

  • Interpret the compliance requirement your organization is dealing with
  • Create a compliance environment by formalizing enterprise compliance management processes
  • Focus on elements that relate directly to compliance requirements
  • Document a plan to achieve compliance
  • Execute the plan
  • Devise measures and controls
Here is a compliance roadmap that ensures your strategy addresses, and fits into, every stage of the compliance process.
  • Defining the IT environment and the Control Objectives required for SOX compliance
  • Communication of compliance strategy to the organization
  • Gaining understanding of the controls
  • Creating the IT value chain
  • Assessing impact of control deficiencies
  • Identifying gaps and evaluating key controls against Control Objectives
  • Defining remediation actions and evaluating operational effectiveness
  • Completing and releasing process documentation results

COBIT: Complementing SOX Compliance

Also complementing your compliance strategies is COBIT, the IT Control Framework solution that is increasingly adopted worldwide. COBIT is the essential solution for getting SOX compliant. As the most comprehensively developed IT Control Framework solution, COBIT helps you implement IT controls specifically from the SOX compliance standpoint. COBIT was developed by ISACA and the IT Governance Institute (ITGI), adopting the COSO financial control framework to meet the requirements for SOX compliance. COBIT stands for Control Objectives for Information and related Technology and is increasingly accepted internationally as the best practice for control over information, IT and related risks. It is a governance and control framework with guidance for IT controls that focuses on "what needs to be achieved" rather than "how to achieve it." The COBIT model provides both organization-level and activity-level objectives and associated controls, enabling you to implement effective governance over IT that is pervasive and intrinsic throughout the enterprise.

Afterword
With IT at the core of every corporate initiative, and with recent regulatory compliance acts requiring more from the IT department, IT governance is increasingly becoming a critical component of any successful business-driven IT group that supports the organization's overall objectives. Interestingly, SOX, which was directed at making large organizations accountable throughout the US, has today extended its scope of business regulatory compliance to the world at large. IT professionals need to clearly understand the business aspects of IT, analyze IT systems and processes, define plans for IT control, and translate them into an effective IT governance framework strategy; in short, help their organizations to gain SOX compliance. ITpreneurs, as the exclusive developer of the official COBIT courseware for ISACA and ITGI, offers you knowledge solutions to enhance your professional and organizational competence for effectively meeting and implementing SOX compliance requirements.

For the purposes of this article, the term “SOX” refers to the Sarbanes-Oxley Act of 2002 in its entirety, including all sections of the Act as laid down by the Congress and by the Securities and Exchange Commission, United States of America.

The products include COBIT® 3rd Edition, which is used by permission of the IT Governance Institute (ITGI). © 1996, 1998, 2000 IT Governance Institute. All rights reserved. COBIT® is a registered trademark of the Information Systems Audit and Control Association and the IT Governance Institute.