Put SOX on Automatic: Use Tools for Compliance
Commentary

The tools to accurately audit the relationships among computing resources on an ongoing basis have only recently become available.

By Jasmine Noel

For years IT organizations have put process-control technologies like configuration management databases or change control systems on their budgetary wish lists. They were always told the same thing: “It is not a priority, maybe next year.” In walks the federal government to change all of that. The Sarbanes-Oxley Act of 2002 (SOX) tackles the integrity of the financial-reporting process for publicly traded companies. SOX outlines civil and criminal penalties for enterprise officers and external auditors if financial information is not accurate and complete. That got people’s attention.
Now everyone is talking the compliance talk and some are even recognizing that IT process controls are part of the equation. Maybe this is the year IT will get its wish list — or not. It depends on how well the decision-makers understand how compliance reality is affected by IT, and on how well IT communicates the benefits of the tools.

There are two places you can start when talking about compliance. From the top down — usually the CFO and auditors take this approach because it’s closest to what they understand: workflows and processes. These guys are worried about:

    Procedures — are the stated procedures followed, and are the right authorizations obtained along the way?
    Information integrity — how do we ensure that our financial information is accurate, and how do we prevent fraud?
    Access control — how do we ensure that only authorized personnel have access to confidential information?
    Change control — healthy enterprise processes adapt and change as the market needs change. At issue is how to ensure that process changes have the necessary authorizations and are being adopted by employees.
    Auditing and documentation — what set of reports must we generate to prove our compliance and how do we spend the least amount of time generating those reports?

Alternatively you can view compliance from the bottom up — usually IT administrators take this approach because it’s closest to what they understand: namely, technology. These guys are worried about:

    IT procedures — how do we incorporate compliance into our everyday IT tasks, and how do we strengthen adherence to our own best practices?
    System integrity — how do we prevent internal and external tampering with corporate data sources and applications that manipulate those sources?
    Access control — how do we deliver the right amount of administrative control to the myriad administrators who need a particular software stack resident on a server?
    Change control — how do we match the change requests with what actually happened in the infrastructure? How do we account for and control ad hoc changes? How do we tighten control without losing speed and flexibility?
    Auditing and documentation — what set of reports must we generate to prove our compliance and how do we spend the least amount of time generating those reports?

Similar issues but vastly different perspectives. Is it any wonder compliance committee members have a hard time communicating with each other? It doesn’t help that there is little consensus on exactly how to judge which IT efforts are relevant to SOX. For example, most agree that the goal of SOX is to ensure the integrity of the financial results. However, it is still an open question how much the availability and performance management controls found in COBIT (Control Objectives for Information and related Technology, from the Information Systems Audit and Control Association, ISACA, www.isaca.org) and ITIL (Information Technology Infrastructure Library, www.itil.co.uk) affect the infrastructure’s integrity. An auditor can use any number of questions to determine IT relevance, including:

    Is the computer processing directly or indirectly related to the timely production of financial reports?
    Is the application characterized by: high-value and/or high-volume transactions, automated computation and reconciliation, straight-through processing, and a high volume of non-routine procedural bypasses/overrides?
    Is the application shared by many business units across the enterprise?

Most IT executives do not have ready answers to those questions, for several reasons. First, IT has been hamstrung by years of buying tactical point products for operations tasks, which fostered technology fiefdoms and did little to create the robust, enterprise-wide IT best practices that make compliance documentation simpler. Second, the tools to accurately audit the relationships between the different computing resources that deliver a particular business service or application, on an ongoing basis, have only recently become available. Third, security and database management solutions that control application and database access have been implemented in a piecemeal fashion. Something has to change so that those questions are readily answerable.

To date, most of the compliance budgets have been spent on people, both internal staff and external consultants to determine relevance, write policies and document processes. All of this spending is tactical, aimed at getting enough done to squeeze companies through the compliance gate before the various deadlines. Not repeating this intensely manual process in the future is fuelling some interest in software solutions.

However, many companies are skeptical about the vendors now hawking compliance tools. Some companies have said they are willing to continue with the manual documentation in spite of the lost productivity. Others are playing chicken with the federal government — waiting to see what enforcement will actually occur before seriously implementing a solution. For those unwilling to waste talent or wait for a sword to start falling there are ways to automate the compliance auditing without turning it into a multi-year Y2K or ERP integration project. The idea here is to build on the manual work that already has been done, not start from scratch with some massive software project. Additionally, we believe that strategic tools implemented for compliance can actually be leveraged into additional benefits for IT and the business.

Process and Application-Mapping Tools
In spite of the growing popularity of process-modeling tools, most corporations depend on scattered documents and charts for process documentation. Indeed, the majority of companies undertaking their compliance activities in 2004 started by manually mapping and documenting their processes. Most argue that there is no automated way to do this — and to a certain extent they are right. But that doesn’t mean that you must continue in this vein. Trust me — enterprise processes and procedures will change over time, and those documents that were so carefully prepared last year will become obsolete. Why not take this opportunity to implement ways to automate the process and workflow mapping and documentation as part of the compliance activity?

The same thing is true for the applications and databases used to generate, store and manipulate corporate information. Modern enterprises are developing new applications and connecting traditionally separate applications and data stores to streamline processes, obtain complete pictures of their customers, and shrink quote-to-cash times. Therefore, the environment surrounding enterprise financial applications is more susceptible to change than ever before. The more infrastructure changes that occur in the data center, the more important application-level mapping becomes in determining what controls are needed and what documentation must be collected. The Wily Technology Benchmark Survey already shows that a whopping 74% of respondents are pushing J2EE application upgrades into production at least once in a two-month period. As businesses incorporate more dynamic infrastructure they will need dynamic mapping to keep track of which applications are connected to their financials.

Follow-on benefits of implementing mapping solutions include:

    Better inventory control, which will quell out-of-control capital expenditures,
    Less finger-pointing during problem resolution, which saves downtime costs, and
    Easier process improvements, which increases speed of business execution.

Change Auditing
Provisioning, software distribution, and patch management tools do this to some extent already. Most of them can automatically generate reports that list which scheduled changes were unsuccessful. However, a compliance solution must go further and document ALL relevant configuration changes on ALL relevant systems — including those made without management tools, those that were not scheduled, and those that were done quickly to address some other problem. Recording changes independently of who made them, when, and how is what makes the auditing system robust enough to demonstrate compliance: the record is reconciled against the approved change requests, so that a change with no matching request and a request with no matching change both stand out.
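The reconciliation described above, as an added example that is not part of the original article and not any vendor's tool: a snapshot of configuration-file digests is compared against the last approved baseline, and each difference is matched against the change-control system's approved records. The file paths, file contents, and ticket identifiers (CHG-1042, CHG-1043) are all constructed for the example. Note that a ticket does not bless an arbitrary edit to its file: only the specific post-change state the ticket records counts as approved, anything else on that path is still reported as unauthorized, and an approved change that never landed is reported as unfulfilled.

```python
"""Change auditing: reconcile observed configuration changes against
approved change requests. Added example with constructed data; the paths,
contents and ticket IDs below are hypothetical."""
import hashlib
from typing import Dict, List, Optional

ChangeRecord = Dict[str, Optional[str]]


def digest(content: bytes) -> str:
    """SHA-256 of a file's contents: the identity of one configuration state."""
    return hashlib.sha256(content).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the digest of its contents, as a collection agent would."""
    return {path: digest(content) for path, content in files.items()}


def reconcile(baseline: Dict[str, str], current: Dict[str, str],
              approved: List[ChangeRecord]) -> Dict[str, list]:
    """Classify every difference between baseline and current.

    approved: list of {"ticket", "path", "expected"} where expected is the
    digest the file must have after the change (None means the file is to be
    removed). Returns approved, unauthorized and unfulfilled changes.
    """
    report = {"approved": [], "unauthorized": [], "unfulfilled": []}
    tickets = {t["path"]: t for t in approved}

    # Pass 1: every path that differs is either covered by a ticket whose
    # expected state matches exactly, or it is unauthorized.
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before == after:
            continue  # unchanged since the approved baseline
        ticket = tickets.get(path)
        if ticket is not None and ticket["expected"] == after:
            report["approved"].append((path, ticket["ticket"]))
        else:
            kind = ("added" if before is None
                    else "removed" if after is None else "modified")
            report["unauthorized"].append((path, kind))

    # Pass 2: every ticket whose expected state is not what is on disk was
    # either never applied or applied differently than approved.
    for path, ticket in tickets.items():
        if current.get(path) != ticket["expected"]:
            report["unfulfilled"].append((path, ticket["ticket"]))
    return report


# Constructed sample: the last approved state of three config files.
BASELINE_FILES = {
    "/etc/app/db.conf": b"host=db1\nport=5432\n",
    "/etc/app/ledger.conf": b"posting_cutoff=23:59\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}

# Constructed sample: what the systems look like now. One approved change
# (db.conf), one ad hoc edit outside any ticket (sshd_config), one unchanged
# file (ledger.conf) and one file that appeared with no request (hotfix.conf).
CURRENT_FILES = {
    "/etc/app/db.conf": b"host=db2\nport=5432\n",
    "/etc/app/ledger.conf": b"posting_cutoff=23:59\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/etc/app/hotfix.conf": b"debug=1\n",
}

# Constructed sample of approved change requests. CHG-1043 was approved but
# never applied, so it must surface as unfulfilled.
APPROVED_CHANGES: List[ChangeRecord] = [
    {"ticket": "CHG-1042", "path": "/etc/app/db.conf",
     "expected": digest(b"host=db2\nport=5432\n")},
    {"ticket": "CHG-1043", "path": "/etc/app/ledger.conf",
     "expected": digest(b"posting_cutoff=22:00\n")},
]


def audit() -> Dict[str, list]:
    """Run the reconciliation over the constructed sample."""
    return reconcile(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES),
                     APPROVED_CHANGES)


if __name__ == "__main__":
    for category, items in audit().items():
        print(category)
        for item in items:
            print("  ", *item)
```

Run as a script it prints one approved change, two unauthorized ones (the root-login edit and the stray hotfix file) and one unfulfilled ticket; the same three lists are what an auditor would ask to see for the period.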

Follow-on benefits of a robust change-auditing solution include:

    Improved mean-time-to-repair and increased problem prevention that can save enterprises millions in application downtime costs and penalties.
    More stable system configurations that can prevent availability and performance problems from occurring.

Security Policy Control
To control security policies we must first have a means of maintaining those policies. And there are a lot of them — physical, logical and procedural policies that encompass upper management support, regulations and standards, procedures, guidelines, practices and controls. Then we must proactively monitor controls across threat areas to assess and assure compliance to all of those policies. Needless to say, a piecemeal approach to security policies will not endear anyone to their external auditors. The policy database must be comprehensive and, like the change auditing, the monitoring must be independent and have enterprise-wide scope.

The primary follow-on benefits of these tools are that improved vulnerability detection and incident prevention both can save corporations millions in lost productivity and revenues when the next major threat arises.

Data Protection
SOX data protection involves two related aspects — ensuring that the data is authentic (that it hasn’t been altered in any way) and ensuring that information processes are auditable (so we can demonstrate who had access to data, what actions were performed, and so on). Most data centers already have database management tools that perform these tasks, or can tweak them with new reporting to deliver the right proof. The trick is that regulated data does not necessarily reside on corporate servers; some of it lives on desktop systems, mobile laptops and PDAs, and many companies simply do not have the right level of data protection for those systems. A good chunk of the manual work to identify what data needs to be regulated and where it resides was already completed last year by the majority of companies. Like process mapping, one of the automation goals should be to understand when the list of regulated documents needs to change. Then we can apply data protection and record retention policies to data that resides on desktop and mobile systems.

The primary follow-on benefit of data protection is improved disaster recovery because critical information on desktop and mobile systems is protected more stringently.

Compliance auditing and reporting will become part of enterprise culture eventually — it has to, because quarterly reports have to be generated. The saving grace of SOX compliance is that it requires companies to do things that they know they should be doing anyway. Compliance is really a matter of proving that they are being done — not easy to do, but it definitely need not be the massive burden on employee time that it was last year. The vendor hype can positively affect compliance reality and relieve some of that burden — but only if IT tools are applied in effective ways that leverage the work done last year. Play the cards right and they also will give your company some bonuses in other areas.

Jasmine Noel, of Ptak, Noel & Associates, focuses on converging IT trends and how to leverage them. The company follows trends in ways that help IT directors translate executive strategies into action blueprints. Noel can be reached at www.ptaknoelassociates.com.

April 2005, Software Magazine
