Note: The opinions, descriptions, and recommendations contained in this document may include
general or summary information about aspects of the Sarbanes-Oxley Act of 2002, and related
current or proposed rules, regulations, or standards of the US Securities and Exchange
Commission and national securities exchanges and associations. The information presented is
intended simply as an aid to your understanding of such rules and neither constitutes nor is
intended to constitute the provision of legal advice. We urge you to refer to the actual laws, rules,
regulations and/or standards, and to consult with legal counsel concerning your responsibilities, if
any, with respect to applicable provisions thereof.
Contents

SECTION 1: The SOX Landscape

Chapter 1: The State of SOX Compliance Efforts ... 1
  Key Areas for IT Organizations ... 3
  Compliance Progress ... 4
  Creating a Technology Blueprint ... 6
  Maturity Levels ... 9
  Investment Timeline ... 11
  Creating a Governance Framework ... 12
  Conclusions ... 13

SECTION 2: IT Best Practice Areas in SOX Compliance

Chapter 5: Security ... 63
  Security Provisions Within SOX ... 63
  Getting With the (Security) Program ... 65
  The Holistic Approach ... 67
  The Security Game Plan ... 68
  Mapping Security Control Objectives Into SOX ... 70
  Security Maturity Levels ... 74
    Level 0: Exploration ... 74
    Level 1: Building Awareness ... 74
    Level 2: Project Initiation ... 74
    Level 3: Project Execution ... 75
    Level 4: Assessment/Review of Results ... 75
    Level 5: Optimization ... 75
  Conclusions ... 76
Insurance ... 85
Conclusions ... 86
Section 1
Chapter 1
SOX and related compliance mandates, then, will become permanent elements of business operating models; organizations must address them. Handled correctly, compliance can be an enabler for beneficial business change. Beyond meeting the short-term deadlines, a major part of the compliance effort will involve incorporating it into how the organization operates, infusing it into all aspects of the technical architecture and examining how all IT products support that effort.
Internal controls must be documented and tested, and management must be able to
demonstrate support for its assertions to auditors and regulators.
The external auditor will attest to management's assertions and include a report in public filings regarding the results of the attestation.
Management must utilize a framework such as the COSO internal control framework for assessing its controls and making its assertions.
Management must disclose in its quarterly Section 302 certification any material
changes in internal control over financial reporting.
Although there are literally hundreds of provisions contained within SOX, a few are of
particularly critical importance to the IT organization. These include the following:
Section 302: This instructs that officers of the company must make representations
related to the disclosure of controls, procedures, internal controls, and assurance
from fraud.
Section 906: This states that the 10-Ks, 10-Qs, annual reports, and periodic reports containing financial information comply with SOX and represent an accurate picture of the firm's financial condition.
Section 409: This requires that corporations disclose to the public on a rapid and current basis material changes to the firm's financial condition (see Chapter 4 and Appendix A).
IT's role here is twofold. First, it must support enterprisewide compliance around the key sections indicated here. Second, the CIO must ensure that IT has its own house in order, with adequate and documented controls around security, application deployment, change management, and other areas (see Section 2).
Compliance Progress
The role of IT in internal control is extremely important, visible, and critical to the
financial reporting process. Section 404 of SOX goes beyond requiring companies to
establish and maintain an adequate internal control structure; in fact, companies now
must assess (and report) effectiveness on an annual basis.
Internal control is defined within US auditing standards as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
SOX mandates an evaluation of internal controls over financial reporting by management. It also requires attestation of that assessment by auditors. Accelerated filers (large,
publicly traded firms) are now required to comply for fiscal years ending on or after
November 15, 2004. Small business and foreign private issuers are required to comply
for their fiscal years ending on or after April 15, 2005. There is also a requirement for
financial records program management with a specific compliance deadline of 2004.
Our discussions with clients about SOX concerns reveal that many firms have initiated
business process audit projects (around targeted business applications), often with the
assistance of a compliance/audit vendor. As firms gain a better understanding of their
business processes, many will initiate financial ERP and business intelligence/business
performance management projects to address issues arising from this audit process
(but we believe these projects will be initiated after a firm has successfully completed
Section 404 compliance activities).
Many firms can achieve compliance by configuring existing functionality (e.g., workflow)
in integrated suites they already own and enabling new components (e.g., expense management) that may have pre-existing integration to their solutions. Although new licenses
will be purchased (e.g., business performance management [BPM], expense management, portals, new user licenses for existing software), a larger impact will center on the
need for professional services to integrate the solution and coordinate the appropriate
change management efforts to enable its use.
SOX practically impacts financial management expectations for nearly all companies.
Compliance with SOX is a long-term objective with potentially shifting goalposts. The
Public Company Accounting Oversight Board (PCAOB) is charged with building the
actual requirements of SOX. While the board has stated it wants to produce some
results by the end of this year, it is more likely a two-year effort (minimum) to rewrite
the audit standards for public companies, though some initial pronouncements around
audit standards were made available in March 2004. It has also commented that the
current standards have little to no value, so we can expect significant change from the
current standards. Enterprises investing significant money to meet the standards used
by audit firms prior to that rewrite may be wasting a lot of money. Initially, minimum
compliance may be an important strategy, though ultimately organizations should seek
to gain maximum SOX compliance levels.
Although the act affects publicly traded companies with a public float of more than $75
million, SOX will have an impact on private companies and smaller organizations as well.
Larger customers or suppliers may dictate compliance as part of an ongoing relationship.
Likewise, companies that are looking to obtain financing or insurance may also need to
35% rely on a compliance vendor to help with the effort, and 41% are doing it alone
71% are on track with compliance efforts, and 21% are struggling
59% are in the process of defining a technology blueprint
49% see SOX as a necessary evil, but 39% believe that it will improve the enterprise
Transactional ERP/best-of-breed financial management solutions (50% of effort): Although many firms have implemented leading financial ERP solutions, most
need to revisit configuration of these solutions and implement critical financial controls (e.g., spend management, subscription-based revenue recognition) that are critically linked to workflow in support of required approval/authorization processes
within an end-to-end process. Firms that operate on legacy and custom financial
applications are unlikely to support SOX enablement without significant, expensive,
or unavailable rewrites.
Records management and retention (10% of effort): Section 802 requires that
firms retain all records relevant to the audit and review processes for at least
BI/BPM (30% of effort): Firms will need solutions that can provide visibility and
transparency, while also managing and automating the results and consolidation process across a decentralized enterprise. This is an area where solution and tool decisions must be made from a strategic business intelligence (BI) infrastructure perspective (i.e., choosing a BPM tool that can leverage existing BI investments in reporting, OLAP, data warehousing).
Beyond these application areas, the portions of the IT organization that will play a significant role in compliance efforts include infrastructure and security (see Section 2).
Maturity Levels
As part of developing a SOX blueprint, organizations must look beyond tactical SOX
compliance and focus strategically on leveraging SOX investments. Requirements
for products and services will vary and evolve as efforts mature, shifting from services to a product focus.
For the IT group to effectively participate in the SOX initiative, it must understand the
maturity level or stage of the SOX project and how it can help. SOX projects must be
effectively managed through the following phases, with the IT group playing a strategic role:
Building of awareness (Level 1): We estimate that 10% of affected firms are at this
stage (which will go through September 2004). This is where the enterprise SOX
project is being defined and resources are being identified/sourced for the expertise
to manage the Section 404 process.
Project initiation (Level 2): We believe 15% of firms are currently at this stage with
SOX initiatives, and this phase will go through December 2004. This is where the
formal enterprise SOX project has begun, and the IT group must participate by
sharing documentation (including the creation of new documentation, where absent)
and ensuring that appropriate governance processes are in place.
Project execution (Level 3): We estimate that 60% of firms are actively involved in
executing their internal control projects, given the rolling compliance date (through
June 2005). This is the execution of the internal control project, through the internal
control documentation, risk mitigation, and assessment processes.
Optimization/continued compliance (Level 5): Few firms, if any, are at this stage,
and for most, this will begin after the initial Section 404 compliance date (June 2004
and ongoing). This is where many firms can (and should) leverage the cost of SOX
business case and improve weak or insufficient areas of compliance.
Level | Stage Description                               | Where Is the Market Today | Market Timing
0     | Exploration                                     | 5%                        | 1/04-6/04
1     | Building of Awareness                           | 10%                       | 1/04-9/04
2     | Project Initiation                              | 15%                       | 1/04-12/04
3     | Project Execution                               | 60%                       | 1/04-6/05
4     | Performance of Assessment and Review of Results | 10%                       | 1/04-4/05
5     | Optimization and Ongoing Support                | 0%                        | 12/04-Onward
Investment Timeline
Many organizations have already made significant investments in time and resources to
develop compliance programs. At this point, organizations now are investing in some of
the tactical tools they will need for compliance, primarily Section 404 tools that can help
with process mapping, reporting, and creating an environment where reporting can be
evidenced back to the auditor.
[Figure: SOX Investment Timeline, 1H03 through 2H05. Phases along the timeline: Scoping; Tactical SOX Compliance; SOX Deadline Pushed; ERP/FMS Upgrades; Process Transformation; Regroup. Investment rows: Business and Audit Services; IT Services; Content and Collaboration; ERP/FMS; BI/BPM Portals; Point.]
After the initial compliance deadlines are met, a period that will occur from the middle
of 2004 through the middle of 2005, organizations will need to regroup and examine
investment requirements over the longer term.
On the other side of the coin, it will take time for vendors to embed SOX-relevant
capabilities into ERP or financial management system solutions. Such enterprise applications are by nature large in scope. Enhancing workflow or reporting, consolidation, and
other functions is a long-term effort, in terms of both development and upgrade cycles.
Most of these will not appear before 2005.
Performance management: This supports a KPI/metrics-based approach, including closed-loop planning and reporting for managing top-down and cross-business area performance.
Risk management: Risk management establishes an enterprise approach for managing financial, operational, compliance, and reporting objectives. It includes a codified
process for the identification and assessment of risks in achieving specific corporate
objectives (also including usage of the COSO framework to manage SOX projects,
as well as COBIT for IT governance), applying frameworks to achieve competitive
advantage, and determining sense-and-respond processes for risk. In addition, it includes understanding and managing the risk appetite for a firm.
The important point to remember as part of all these efforts is that compliance is an
ongoing, dynamic process. Once the initial work of SOX compliance is completed, orga-
At its logical extreme, SOX affects just about everything within an organization: ERP,
supply chain, procurement, partner relationships. What happens if a key supplier gets
downgraded and its bonds become junk bonds, thus putting supply of a key raw material
at risk? Compliance can become that complicated an issue. So while basic goals are
important, developing a program that looks at all compliance initiatives is critical. The
good news is that the effort should provide greater visibility into organizational processes and supply chains. Exploiting these improvements will help turn the compliance
effort from a necessary evil into a potential competitive advantage.
Conclusions
Exploiting the residual benefits of SOX and related compliance efforts is key to improving competitiveness.
The CIO must develop techniques to leverage IT as part of improving compliance initiatives.
SOX compliance is about process, not just products. Organizations have already
invested heavily in the IT products most relevant to SOX compliance efforts, especially short-term tactical requirements. Changes to enterprise software will occur
over a longer period of time.
While spending and development may experience a brief lull after initial compliance
efforts, annual evaluations and organizational evolution will demand ongoing support.
Organizations thinking about SOX must shift from seeing the process as a cost of
compliance to considering it as a lever to do business more effectively.
There are multiple elements that an organization must address when defining a SOX
compliance program. Organizations must profile their current state and then track progress
over time across these multiple elements, which include the following:
Defining SOX program ownership, participants, and the overall program plan;
ownership for most organizations should ultimately report up to the chief compliance
officer or similar executive position
Defining a road map to move efforts forward, assess progress, and coordinate across
multiple initiatives
In addition to strong/defined ownership, organizations must deploy clearly defined
and adequately resourced SOX teams made up of finance, audit, IT organization, and
line-of-business professionals. A single controlling entity must exist to coordinate efforts
across multiple sections, including assessment of additional program plan elements.
Road Map
More than one year after SOX legislation was signed into law, its effect on improving
corporate financial accountability/visibility is unclear, especially given the fact that most
companies are still working to enable and evidence compliance. However, given the
creative nature of the corrupt or criminal executive mind, companies intent on bending the financial rules will still be able to do so; it may just take a little more work.
The immediate priority for organizations is to meet mandated SOX compliance deadlines, with the next major date being fiscal YE04. This involves solid project and program
management best practices and techniques (harkening back to Y2K efforts).
As they strive toward those deadlines, however, organizations should also be building for
the future. Organizations must look beyond mere tactical SOX compliance and focus
strategically on leveraging SOX investments. The first step is to gain compliance, but
organizations must also develop plans from the outset to maintain compliance on an
ongoing basis as well as to leverage it for greater competitive advantage and to exploit
the residual benefits that SOX compliance will deliver (e.g., greater process transparency, visibility, and control).
Educating the IT group on the business and technical issues related to SOX
Evaluating the SOX impact on the IT group and infrastructure, including support
of business applications, IT financial management, and governance
Identifying the appropriate role for audit firms or service providers and determining the access to IT business processes they will need
Evaluating the compliance service provider landscape, understanding the capabilities of the major players, and making a selection about who should be enlisted to
help (it is rare that a firm can do this solely with internal resources, and it is
unadvisable)
Chapter 2
At this level, the organization should also fulfill the following requirements:
We have a SOX task force in place. For this element, a firm must have completed
its core ERP implementation with all minimum interface requirements, and its business and IT resources should not be overly committed to ongoing geographic or
organizational rollout.
We have strong SOX leadership at the operational and executive levels. End-user training is commonly shortchanged due to budget and time shortfalls. To achieve par for this element, end users must have received sufficient training to allow them to run basic ERP functions in support of business processes.
We have defined an IT blueprint for SOX. A compliance solution requires a combination of business processes and technology infrastructure. Although technology can support many of the business process requirements, it is not the sole solution. Instead, technology must be considered within the context of how it can work in conjunction with financial, accounting, and other business processes. The technology blueprint identifies where appropriate investments in technology should be made.
We have defined our external auditor's role in our SOX efforts. The challenges organizations face in interpreting external audit firms' appropriate roles are exacerbated by the complexity and fluidity of SOX regulations, and the fact that SOX nonexperts in the rank and file of Global 2000 organizations are often being tasked with
driving SOX compliance efforts and selecting external service providers to help.
We have the adequate IT infrastructure in place to meet tactical SOX requirements. The CIO must guarantee that the SOX project is effectively supported for Section 404 business process documentation activities. This includes
the identification of where IT investment can be leveraged to ensure that business applications and IT infrastructure can adequately support SOX requirements
for an effectively managed and certified business process.
We have adequate processes in place to ensure audit committee involvement in audit/service provider usage. Section 404 internal control/risk management business applications are targeting management tools to help organizations
develop a plan to document business processes and risk areas, and to facilitate the
auditor assessment process at year end. Connectivity to ERP processes should
be enabled to evaluate adherence to documented controls in the assessment
process.
Reviewing the enterprise SOX plan and proactively enlisting for all IT-related activities
Leveraging any existing work on IT governance (e.g., COBIT controls) and mapping them to the COSO framework (what an auditor or compliance consulting
vendor will most likely use to structure the Section 404 control project)
Selecting a risk management solution to assist in the internal control documentation, risk identification, and assessment phases (see Chapter 6)
At this level, the organization should also be able to support and document the following
statements:
Financial reporting details are readily accessible by executives. In a post-training mode, the end users are capable of fulfilling their functions without overwhelming levels of help desk assistance.
We can support frequent flash reporting. If IT operations around ERP are generally routine, this should be an obtainable goal. Note that firms in their first year of
ERP operations tend to score low in this regard because the notion of sufficient IT
resource is still in question.
Management has tools to drill down on accounting reports. Business and end-user staff will be primed for evolution only if existing operations are reliable.
We can routinely highlight key analysis areas based on tolerances and financial metrics. This indicates that business management is aware of how ERP drives
business processes related to business decisions.
Granting access to IT controls, creating controls (if missing), and leading internal
IT assessments
We have business-assigned business process ownership. Active ownership presumes that the business people do more than request or approve changes to
business processes and actually participate in those changes.
We have measures of our current KPIs. This presumes that the organization has:
1) identified the key performance indicators (KPIs) that will be used to guide
center-of-excellence efforts around business process improvement; and 2) measured current performance in that regard.
Establishing an ongoing (most will choose quarterly to match the 10-Q reporting
process) assessment process, including documentation reviews and risk mitigation processes
Ensuring that all IT controls impacted by SOX are being effectively executed to
achieve compliance
At this level, the organization should also be able to support and document the following
statements:
Implement IT improvements to optimize compliance processes, improve effectiveness, and reduce risk
Link SOX to other measures to ensure consistency across global compliance initiatives
Business process changes are directed by KPI results. Key performance indicators
are closely monitored by the business process owners. Results provide direction
for continuing business process improvement, which can be enabled through
changes to the enterprise software configuration.
Although organizations are in various stages of Sarbanes-Oxley projects, they must attempt to ensure that the IT group is adequately included as a supporter of enterprise
[Figure: SOX Compliance Process, showing Compliance and Internal Audit roles against Sections 302/906, 404, 409, and 802, with Result and Par ratings.]
SOX requires that firms have documented and compliant internal controls around
financial management processes. This includes ensuring that IT infrastructure (both
solutions and governance processes) have effective controls enabled. Firms must
ensure that the IT organization is effectively engaged throughout the enterprise's SOX initiatives, for which a proactive approach is required.
Organizations must apply solid project and portfolio best practices across SOX
compliance efforts to ensure adequate coordination, track progress and maturity,
and help ensure that the minimum requirements for compliance levels are met.
SOX has a major impact on the IT organization, including support for business applications and IT governance (including IT controls, financial management, and business processes). Engaging in active support of the enterprise SOX project is critical.
Developing Controls
Chapter 3
External auditors (e.g., Deloitte, Ernst & Young, KPMG, and PricewaterhouseCoopers
among the Global 2000)
Risk management firms (e.g., Protiviti, Jefferson Wells) that have audit and related
skills but do not actually perform external audit work
IT service providers (ITSPs) offering direct and indirect SOX services (e.g.,
BearingPoint, IBM BCS)
The first two groups also offer their own software tools (e.g., process analysis/management, repositories) to support SOX efforts. These tools vary in terms of capabilities and
sophistication and are generally provided in conjunction with larger service efforts. Long
term, most software solutions will come from enterprise independent software vendors (e.g., ERP, FMS, enterprise document management, portals, analytics) as SOX compliance becomes a core capability integrated into these applications.
Assessment: Regulations generally (i.e., most of the time, but clients must understand and interpret regulatory caveats) allow all three service provider classes to
perform.
Best practices/advice: This is allowed, but a clients external auditor generally is not
permitted to manage any financial/regulated process change-management efforts.
IT financial management systems:
Assessment: This is generally allowed for all three service provider classes to
perform.
also guard against the appearance of conflicts when using external auditors for additional
services, even if that work is technically allowed.
Organizations must build SOX stipulations on external audit firms' appropriate roles
directly into strategic sourcing and service supplier relationship management processes,
specifically addressing how decisions are made to direct work to auditors and who
must approve. In many cases, executive management and board audit committees must
approve these work assignments, but practically speaking, they will rely on the advice of
others in the organization (e.g., IT group, procurement) on what work to direct to which
service providers. Organizations must also pay keen attention to the process of managing relationships and handoffs among external audit and other service providers, potentially including audit firms hired to perform SOX-related work. All involved parties must
directly gain a clear understanding of SOX stipulations. However, in general, the following
constraints apply to external auditors:
Services external auditors cannot provide:
controls for financial reporting, and this must be done/accompanied by an audit of the company's financial statements. The auditor will need to test controls because the auditor's own work must provide the principal evidence for his or her opinion on internal controls as well as the effectiveness of the audit committee (within the enterprise) and the 404 control effort.
Size will determine the types/nature of control processes that will need to be in place
because internal control is not one size fits all. Accordingly, size and complexity of the
entity will determine the nature of control that is necessary (i.e., in smaller firms, or in
firms with less complex operations, the need for elaborate internal control systems will
be reduced).
Companies will need to concern themselves with material weakness and significant
deficiencies. Most will deploy the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) framework to help with the assessment of controls
and leverage the Control Objectives for Information and related Technologies (COBIT)
governance framework if this has been deployed (as many of the COBIT control
points map directly into COSO). If the auditor concludes that the audit committee's
oversight of external financial reporting and internal controls over financial reporting is
ineffective, that is a strong indication of material weakness and, at a minimum, is a
significant deficiency. The auditor must issue an adverse opinion on internal controls
when a material weakness exists.
The PCAOB requires that the auditor test controls every year regardless of whether
the controls have obviously changed, because each year's audit must stand on its own,
and the walkthroughs must be performed by the auditor because the objectives of
walkthroughs cannot be achieved secondhand. SOX controls must be continuously proved
and do not go away after the initial audit. However, we believe a strong control process
will help organize all the material in one place for the auditors, ultimately saving time and
audit costs. It is important to note that the internal audit committee must specifically
pre-approve all internal control-related services to be performed by the independent
auditor. A process to record and provide an internal assessment is critical.
The PCAOB clarified numerous items, including determining where walkthroughs of
financial processes are required by the auditor, the effect of a misstatement of financial
results, the effect of an ineffective control environment, and leniency for the inclusion of
entities acquired late in the year (at the auditor's discretion). Walkthroughs (consisting of
COBIT Components
The two COBIT framework components most effective for IT process health checks
are the Management Guidelines and the Control Objectives.
Management Guidelines
COBIT Management Guidelines provide a governance focus as a business aid to balance
IT risk and return. The IT governance approach links processes, resources, and information, enabling CIOs to leverage best practices into all facets of the IT organization (ITO).
For each major process, the guidelines provide the following:
A brief description of the process purpose, including the business goal it addresses.
For example, the business goal for the process Manage Projects is setting priorities
and delivering on-time and within budget. Savvy CIOs compile these descriptions
into a services list, cataloging for business the activities IT performs for or with the
business. In certain cases, these descriptions will need augmentation with information contained in the following areas of the guidelines to afford business an adequate
understanding of the IT work performed.
[Figure: COBIT framework. Business Objectives, Information, and IT Resources surround the four domains: Planning & Organization (PO1, PO2, ...), Acquisition & Implementation (AI1 Identify solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology architecture; AI4 Develop and maintain IT procedures; AI5 Install and accredit systems; AI6 Manage changes), Delivery & Support (DS1 to DS13), and Monitoring (M1 Monitor the processes; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit).]
Each of the 34 processes expands into specific control objectives, as shown here for Monitoring Process number 4 (M4). A paragraph description for each control objective describes the process requirements.
Critical success factors (CSFs) defining the consequential and observable organizational, technical, strategic, and tactical actions required for the ITO to achieve
process goals. They help define accountabilities for both IT and the business and
therefore indicate areas where governance principles might need to be defined. As
IT/business relationships mature, these success factors should form the basis of
overall IT governance. Distributed ITOs and those without mainframes will need to
review this area of the guidelines for appropriateness. Some of the statements contained in this COBIT section reflect IT's batch-processing history and are not applicable to all ITOs.
Key goal indicators (KGIs) providing measures (lagging) indicating success of the
process in achieving its business outcomes, providing a safe, reliable, cost-effective
environment with integrity. Goal indicators address what needs to be accomplished
by the process.
Key performance indicators (KPIs) providing measures (leading) indicating capabilities and skills
and predict whether the process goals will be attained. Performance indicators address how well a process is performing. By combining the KGIs and KPIs into an
overall measurement approach, ITOs gain insight into factors important to business
continuity. However, few of these measures are useful as communication metrics
with the business. Their usefulness lies in their ability to granularly indicate where IT
may need internal process improvement.
The information criteria defining the information characteristics within the process:
Efficiency: The provision of information through the optimal (most productive and
economical) usage of resources
Integrity: Information accuracy and completeness as well as its validity in accordance with the business's set of values and expectations
Information reliability: Relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to
users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations
These criteria should be used as signposts assisting CIOs in meeting outcome and performance measures (KGIs and KPIs) by flagging the importance of system and service
availability, pointing out integrity and confidentiality risks, noting where reliability, effectiveness, and compliance must be confirmed, and indicating process and operations where
cost efficiency is critical. Although ITOs easily determine many criteria, areas of confidentiality and compliance requirements demand business involvement. ITOs involved in
developing service-level agreements should pay particular attention to the information
criteria section of the guidelines because these are all subject to a level of perception
from users. Clearly defining levels of confidentiality, availability, etc. will make service
levels more valuable to both business and the ITO.
The following are the IT resources required by the process:
Technology: Hardware, operating systems, database management systems, networking, multimedia, etc.
Data or information: Data objects in their widest sense (e.g., external and internal,
structured and non-structured, graphics, sound)
The resources required by each process are generally obvious, rendering this component of the guidelines least valuable for ITOs. Where this information can be used to the
ITO's advantage is as an education tool with business, if it is unaware of the complexity of
IT activities.
Control Objectives
Control objectives are the link between the business goals and IT processes, developed
within the principles of business re-engineering (see Figure). They are stated as desired
business results achieved when the control objectives are fulfilled. A paragraph description for each objective, directed at IT staff members and business process owners, gives
the reader working documentation outlining the minimum activities required for success. They are the policy and practice of IT control.
To answer the question "How do we ensure adequate control over IT?" business and IT
leaders can turn to the Control Objectives of COBIT. Not all organizations require the
same level of regulation to be effective and meet their goals. Reading the aforementioned
objective, some company leaders will adopt a complete methodology, embarking on
extensive project management training and template generation. Others will ensure that
MS Project is used on all projects over some financial or effort threshold. However, to
evolve to completely optimized processes, organizations will eventually incorporate mature
methodologies.
The detailed Control Objectives provide organizations with options. They should be
reviewed and the relevant ones noted and strived for. Some objectives will not be relevant for some organizations, and trying to achieve all the relevant objectives would
overwhelm young and small organizations. Practicality must be the rule when determining which and to what level of effort detail Control Objectives will be pursued. Ensuring
a business environment that is safe, secure, and reliable for business needs to be the
criterion businesses use when evaluating their use of this component of COBIT.
[Worksheet: COBIT process health check. Columns: ID #, PROCESS, then for each guideline component a You and Max count and a percentage (0% in the blank template). Rows cover all 34 processes: PO1 to PO11 (e.g., PO3 Determine technological direction, PO6 Communicate management aims and direction, PO7 Manage human resources, PO9 Assess risks, PO10 Manage Projects, PO11 Manage Quality), AI1 to AI6 (AI6 Manage changes), DS1 to DS13 (DS11 Manage Data, DS12 Manage facilities, DS13 Manage operations), and M1 to M4 (M3 Obtain independent assurance), with Column Percentages and Average % totals.]
For a process to be complete, it should include all the components listed as CSFs in the
Management Guidelines. Using the success factors as a checklist for each process, CIOs
can determine what percentage of factors their current IT processes meet.
The worksheet contains the number of CSFs for each objective in the Max column
under the CSFs heading. When an ITO is working on implementing a subset of the complete CSFs, the number being focused on should become the Max, or control number
There is an understanding of the abilities and limitations of the organization and the
IT function in managing large, complex projects
All projects have a plan with clear traceable work breakdown structures, reasonably
accurate estimates, skill requirements, issues to track, a quality plan, and a
transparent change process
The transition from the implementation team to the operational team is a well-managed process
A system development life-cycle methodology has been defined and is used by the
organization
Beyond giving the CIO an understanding of process maturity, this information can
make benchmarking activities more fruitful. When comparing against external service providers, the ITO should expect the external provider to be at Level 3 maturity or above. Service level, cost, and quality can be more accurately compared when
the ITO has attained similar process maturity or factors into the comparison the
difference in maturity level.
Plotting maturity ratings for each process within (or across) domains on a Kiviat
diagram can help CIOs gain valuable insights into the interdependencies of processes.
A pattern of immature processes within a domain can indicate the need for process improvement focused specifically within the domain (see Figure for a sample
Kiviat template for the Planning and Organization processes).
[Figure: Maturity Kiviat Diagram for Planning and Organizational Processes. Axes include Manage Quality, Manage Projects, and Assess risks, rated on a 0 to 5 scale.]
Information Criteria
Handling information as outlined in the information criteria section of the framework
(see Figure) helps fulfill the process's intended quality, fiduciary, and security requirements. By comparing the primary and secondary criteria within the Management Guidelines with the current ITO process expectations, CIOs gain awareness of inadequate
emphasis paid to such things as confidentiality, compliance, and integrity. The percentage
of criteria met is one process health gauge.
[Chart: information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) and IT resources (People, Applications, Technology, Facilities, Information) by process and domain: Planning and Organization (PO1 to PO11), Acquisition and Implementation (AI1 to AI6), Delivery and Support (DS1 to DS13), Monitoring (M1 to M4). P = Primary, S = Secondary, check mark = Applicable.]
This chart indicates the information criteria affected by these processes and the IT resources involved.
IT Resources
Applying the right resources to a process is essential for success. CIOs can use the percentage of the resources listed in the guidelines that are present in their ITO's process to evaluate this
component of the process's health.
The worksheet control numbers for the information criteria and IT resources required
for a process should not be modified, because these factors are realistic regardless of
the level of maturity or stage of implementation of a process or improvement activity.
Performance
Leading and lagging indicators (as listed within the KGIs and the KPIs of the Management
Guidelines) are evaluated by comparing them with existing measurements. Determining
the percentage of measures in place will provide adequate indication of initial process
measurement health. As with the CSFs, not all ITOs will be in a position to measure
and monitor all these measures on every process. A target number of measures in the
outcomes (KGIs) and performance (KPIs) categories should be selected (one to two
measures each, initially), with more included as the ITO develops data capture methods and familiarity with monitoring them. The control numbers in the Max worksheet
columns should be modified to reflect the number of measures being monitored for
each process.
Conclusions
Organizations should leverage external service providers and their tools as needed to
gain minimal SOX compliance levels but focus efforts on building a long-term strategic
compliance model that leverages the new capabilities compliance will enable.
Organizations must review and understand the stipulations that SOX has on external
service provider usage, especially auditors, in gaining and evidencing SOX compliance, and build them into service sourcing and management processes.
Business leaders whose CIOs focus on IT governance through process improvement will derive the benefits of business continuity, integrity, and agility that result
from complete, robust IT processes.
Chapter 4
Successful compliance efforts demand that the IT organization (ITO) frame and communicate enterprise-level process capabilities and deficiencies, demonstrate how technology may
be used to implement needed Sarbanes-Oxley (SOX) initiatives, and ensure that the internal
IT processes and controls that affect financial performance and reporting meet or exceed
those needed for compliance. This chapter discusses how the ITO can develop a technology
blueprint to address such issues, and link existing technologies to compliance programs.
At the core of Sarbanes-Oxley is the need to restore trust in the financial reporting
practices and controls in place at publicly held enterprises. Sections of SOX require the
CEOs and CFOs at such companies to:
Attest to the quality of the data reflected in financial statements and reports
Mitigate the risks inherent in financially related business processes and information
flows
Forward-minded organizations will use the mandates inherent in SOX to address needed
improvements in the enterprise, information, and technology architectures proactively.
By leveraging the skills and disciplines necessary to implement or enhance key enterprise-level systems to ensure SOX compliance, the ITO will be well positioned (and
should be encouraged) to bring about needed improvements to the business processes
and procedures in place to collect, collate, verify, and distribute the information necessary for compliance.
To reach this desired end state, several key activities must be staged and completed.
Areas marked for detailed review of controls and procedures should include:
Data
Governance structures and practices (i.e., corporate and IT)
Enterprise architecture (i.e., manual and automated processes)
Applications and technology architectures
Security systems (i.e., automated and physical)
Data archive, retrieval, and recovery capabilities
Administrative controls (i.e., vendor, service provider, and asset management)
Infrastructure management practices (i.e., computer operations and communications)
Business continuity plans
Transactional ERP/best-of-breed financial management solutions (50% of effort): Although many firms have implemented leading financial ERP solutions, most
need to revisit configuration of these solutions and implement critical financial controls (e.g., spend management, subscription-based revenue recognition) that are critically linked to workflow in support of required approval/authorization processes
within an end-to-end process. Firms that operate on legacy and custom financial
applications are unlikely to support SOX enablement without significant, expensive,
or unavailable rewrites.
Records management and retention (10% of effort): Section 802 requires that
firms retain all records relevant to the audit and review processes for at least
seven years and that these records not be deleted, altered, or otherwise manipulated during this retention period. For many firms, policies already exist for records
retention and records management (especially in regulated industries). Recently, there
has been clarification from the SEC that these records should also include business-related exchanges between parties involved in the audit process that occur using
electronic mediums, such as e-mail, instant messages, or internal chat rooms.
BI/BPM (30% of effort): Firms will need solutions that can provide visibility and
transparency, while also managing and automating the results and consolidation process across a decentralized enterprise. This is an area where solution and tool decisions must be made from a strategic BI infrastructure perspective (i.e., choosing a
BPM tool that can leverage existing business intelligence investments in reporting,
OLAP, data warehousing).
SOX compliance is about process, not just products. Many organizations have already
invested heavily in the IT products most relevant to SOX compliance efforts, especially
short-term tactical requirements (see Figure). Offerings must meet specific SOX stipulations and requirements, not just offer more IT stuff in a loose SOX wrapper. Firms
must focus on the following dimensions of technology:
2004 META Group, Inc.
Control: Many firms, through their prior investments in ERP and best-in-class
solutions, already own the code to the financial solutions they will ultimately
need to meet SOX financial transaction requirements. Firms must reconfigure
these solutions for tighter financial controls, such as use of contract management, three-way matching for invoice-purchase-order-goods receipt, and expense
management processes that ensure appropriate authorizations. Firms should evaluate ERP systems (e.g., Oracle, PeopleSoft, SAP) and best-of-breed products (e.g.,
Concur, diCarta, Contiki, Softrax) that can provide tighter/optimized processes
(e.g., single-source transactions versus requiring rekeying of financial codes in multiple systems, ensuring controls in role security such as separation of duties for
requestor and approver). Firms may also use SOX to justify moving off legacy
mainframe financial applications or consolidation into fewer, more consistent ERP
instances to deliver consistent financial management functionality.
Communication: SOX compliance will require wide-scale communications capability, and many firms will implement internal and external portals, content management processes, and e-mail-based workflow. Internal communication tools are nec-
Risk management/fraud prevention: Firms must document their financial management/control business processes as part of Section 404 and will require tools to
help coordinate these activities. Such solutions should bring together content, program management, and business process management capabilities, and many leading
solutions are blending these capabilities (e.g., Oracle, Documentum, Movaris). Although
the landscape is becoming one of boutique solutions, firms should first leverage
tools that may come bundled at no (or minimal) cost from their audit/compliance
service provider until they fully understand the ultimate requirements (which will
be determined by future case law). Many firms will also turn to data auditing tools
(e.g., ACL) to gain an understanding of risk areas as data is bridged from one component solution to another. Firms should also leverage business intelligence to provide
deeper analysis into transactional areas (e.g., Concur's use of Cognos Metrics Manager) and thereby identify areas of risk.
Documentation of internal controls: To store documentation (e.g., content, process flows) about all relevant critical financial controls.
Identification of risk areas: To identify areas where there may be financial/operational risk and address how that risk is being mitigated.
Ongoing assessment has the critical requirement of integrating with legacy processes (including ERP, operational, and offline management processes). Depending on the level of
business application consolidation that an organization has undertaken, an ERP-based solution or a solution that has leveraged significant ERP integration will be critical (obviously, the
strongest case for an ERP-based solution will be for a company that has moved to a singular
ERP solution for financial and operational areas). The assessment process requires the
enforcement of centralized policies and procedures to detect and manage exceptions
early (ongoing monitoring is one of the five components of the COSO Framework).
Unlike standalone solutions that are focused on immediate documentation needs, an
integrated ERP solution for SOX works in conjunction with the transaction systems to
address long-term management of Section 404. ERP-centered risk management applications (e.g., Oracle Internal Controls Manager, PeopleSoft Enterprise Internal Controls
Enforcer, SAP) as well as solutions that have effective integration with ERP (e.g., Movaris)
have prebuilt diagnostic tools to test and continuously monitor many controls within
ERP transaction systems and automatically alert process owners to configuration changes.
A major advantage of leveraging an ERP-based tool (or a third-party tool that has integration into ERP) is to be able to exploit integration that can enable access to timely, accurate, and relevant information across the enterprise with a single source of truth.
When selecting a risk management application, firms should consider the following ERP
integration capabilities:
Built-in assessment processes: ERP systems help enforce policies and procedures
through functionality such as workflow, role-based security, and configured business
ID control changes: To help ease the burden of evaluating and testing system controls going forward, these solutions can assess whether a company's ERP transaction
systems are working as intended, and if the people with access to the system have
changed. This will enable companies to manage the impact of employee changes,
system modifications, upgrades, and potential system failure on internal controls.
User authority and limits to enforce segregation of duties and approval limits
(e.g., the ability to prevent someone in accounts payable from setting themselves
up as a vendor and creating a fraudulent payment).
Business rules and configuration switches within the transaction systems (e.g., if
someone changes the configuration option to allow changes in revenue-recognition methods, a company risks having inconsistent revenue recognition across
contracts).
An audit trail of system changes for evaluation and testing purposes, and to
provide greater confidence in certifying internal controls.
Global support: Although SOX is US-based compliance regulation, global operations may be considered if the firm has equity/debt issued in the US. Niche players
are not global and this may favor ERP providers, which is very important to large
global enterprise customers that need one integrated operational solution to support global compliance (e.g., IAS, Basel II, SOX).
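The segregation-of-duties and configuration-change monitoring described above, as an added example that is not the guide's or any ERP vendor's code: a small Python monitor over constructed ERP audit records. The record schema, role approval limits, sensitive configuration keys, and sample events are all assumptions made for the illustration.

```python
"""Segregation-of-duties and configuration-change checks over ERP audit records.

Added illustration, not code from the guide or from any ERP vendor's product.
Every field name, role limit, sensitive configuration key and sample event below
is constructed for the example; real ERP audit tables use different schemas.
"""
from dataclasses import dataclass
from typing import List

# Hypothetical approval limits per role (constructed). A clerk may request but
# never approve, so the clerk limit is 0.
APPROVAL_LIMITS = {"ap_clerk": 0, "ap_manager": 25_000, "controller": 250_000}

# Configuration switches whose change must alert the control owner (constructed).
SENSITIVE_CONFIG = {"revenue_recognition_method", "three_way_match_required"}


@dataclass
class Event:
    """One ERP audit-trail record (constructed schema)."""
    ts: str
    user: str
    role: str
    action: str        # vendor_create | payment_request | payment_approve | config_change
    target: str        # vendor id, payment id, or configuration key
    vendor: str = ""   # payee vendor id for payment events
    amount: float = 0.0
    old: str = ""      # previous configuration value
    new: str = ""      # new configuration value


@dataclass
class Finding:
    rule: str
    user: str
    target: str
    detail: str


def check_sod(events: List[Event]) -> List[Finding]:
    """Flag the conflicts the text describes: the same person creating a vendor
    and approving a payment to it, requesting and approving the same payment,
    or approving an amount above the limit for their role."""
    findings: List[Finding] = []
    vendor_creators = {e.target: e.user for e in events if e.action == "vendor_create"}
    requesters = {e.target: e.user for e in events if e.action == "payment_request"}
    for e in events:
        if e.action != "payment_approve":
            continue
        if vendor_creators.get(e.vendor) == e.user:
            findings.append(Finding("vendor_create+payment_approve", e.user, e.target,
                                    f"approver also created vendor {e.vendor}"))
        if requesters.get(e.target) == e.user:
            findings.append(Finding("request+approve", e.user, e.target,
                                    "requester approved own payment"))
        limit = APPROVAL_LIMITS.get(e.role, 0)
        if e.amount > limit:
            findings.append(Finding("over_limit", e.user, e.target,
                                    f"{e.amount:.2f} exceeds {e.role} limit {limit}"))
    return findings


def check_config_changes(events: List[Event]) -> List[Finding]:
    """Alert on changes to control-relevant switches, recording before and after
    values so the change can be evaluated and retained as audit evidence."""
    return [Finding("sensitive_config_change", e.user, e.target,
                    f"{e.old!r} -> {e.new!r} at {e.ts}")
            for e in events if e.action == "config_change" and e.target in SENSITIVE_CONFIG]


# Constructed sample audit trail: one clerk sets up a vendor and pays it, one
# manager approves above limit, one clean approval, two configuration changes.
SAMPLE_EVENTS = [
    Event("2004-03-01T09:00", "bob", "ap_clerk", "vendor_create", "V-1001"),
    Event("2004-03-01T09:05", "bob", "ap_clerk", "payment_request", "PAY-1", "V-1001", 4_800.0),
    Event("2004-03-01T09:10", "bob", "ap_clerk", "payment_approve", "PAY-1", "V-1001", 4_800.0),
    Event("2004-03-02T10:00", "alice", "ap_clerk", "payment_request", "PAY-2", "V-0007", 30_000.0),
    Event("2004-03-02T11:00", "carol", "ap_manager", "payment_approve", "PAY-2", "V-0007", 30_000.0),
    Event("2004-03-03T08:00", "alice", "ap_clerk", "payment_request", "PAY-3", "V-0007", 12_000.0),
    Event("2004-03-03T09:00", "dave", "controller", "payment_approve", "PAY-3", "V-0007", 12_000.0),
    Event("2004-03-04T14:00", "erin", "sysadmin", "config_change", "revenue_recognition_method",
          old="ratable", new="upfront"),
    Event("2004-03-04T14:05", "erin", "sysadmin", "config_change", "ui_theme",
          old="blue", new="gray"),
]


def run_checks(events: List[Event] = SAMPLE_EVENTS) -> List[Finding]:
    """Run both checks and return every finding for the process owner."""
    return check_sod(events) + check_config_changes(events)


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.rule}] user={f.user} target={f.target}: {f.detail}")
```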
Sarbanes-Oxley requires business processes to be effective from a reasonable assurance perspective. We believe the degree of action will be determined by the severity of
breakage in business process. At this point, we do not believe the intention is for a full business re-engineering process along with new ERP and business intelligence infrastructures, though that may be advisable for a small percentage of organizations.
Several business applications have come to market to address an organization's auditing of
internal controls. However, it is critical to note that these are regulatory, not technological
(e.g., Y2K) or competitive (e.g., business process re-engineering, ERP, e-business) mandates.
Businesses require frameworks to plan assessment projects (a project management tool
is required), develop an assessment of the current state, prepare required documentation, and document plans to close potential gaps. The risk management business application should provide the following:
A collaborative interface into the organization to enlist the appropriate parties in the
business control process.
A scalable and secure solution that can be extended to all contributing corporate users.
Mediation through the life cycle of business processes as issues progress through
unreliable/insufficient/reliable/optimized states.
Although these tools should focus on financial reporting elements, they must also provide the ability to extend beyond compliance to regulation for financial processes, and
extend into the safeguarding of enterprise assets. These tools should be capable of
repurposing to cover the ongoing enterprise auditing process.
Leading compliance tools are from Protiviti (Robert Half), Paisley Consulting (partnership with Ernst & Young), and Open Pages. PeopleSoft partnered with Protiviti and has
integrated its audit/risk management functionality. Some risk management solutions provide a risk assessment from a security perspective. Oracle has brought a proprietary
solution to market, leveraging its projects functionality (e.g., Internal Controls Manager),
and should be considered for an organization that has Oracle applications, particularly
Oracle projects. Currently, SAP offers Audit Information Manager and will extend mySAP
Financials to enhance its corporate governance offerings to include support for Section
404, internal controls, and further audit information system functionality, and to provide
whistle-blowing provisions of SOX. Because there is a close relationship with project
management solution requirements, we believe more vendors will repurpose their project
solutions within the next six months. Documentum has released Corporate Governance
and Compliance, a risk management solution built on its content/records management
solution, and eRoom and Oracle provide the most comprehensive enterprise capability.
Conclusions
Enterprises will need to look across financial controls in most business processes to
ensure they are in compliance with SOX.
A SOX technology blueprint will include Section 404, ERP, and best-of-breed transactional, content, portal, and business intelligence solutions.
SOX will have an impact on most firms' enterprise application infrastructure, since
these applications can provide the required infrastructure to ensure a firm can meet
the standards set forth in the act.
Organizations should develop an enterprise strategy for risk management and should
evaluate third-party tools where appropriate, some of which may be coupled with
compliance consulting services.
SECTION 2
IT Best Practice Areas in SOX Compliance
Chapter 5 Security
SOX requires new attention to security as part of a risk management framework to certify
internal controls and attest to the accuracy of financial information (e.g., relating to fraud,
accidents, or lack of discipline). Information security has moved from being a good idea to
being a mandate, and companies must act now to meet these new requirements. This chapter examines SOX security issues and identifies specific actionable areas on which organizations can build their own customized security plan.
The regulatory environment is among the most significant drivers of security and risk-related activities. While information security is a central SOX control requirement, the
act is not very clear about specifics. Therefore, no list of specific activities can be compiled that applies to all organizations covered by SOX; each must tailor its security and
other compliance activities to its own situation.
However, SOX does build on existing security and control-related regulations, including
the Foreign Corrupt Practices Act of 1977 and the Federal Deposit Insurance Corporation Improvement Act of 1991. SOX adds the requirement for management certification
of a company's internal controls as well as reporting on internal controls for financial
reports. Organizations should immediately include security control review as part of
their SOX compliance, and in fact, SOX will accelerate the rate of creation of security
programs in corporate America. Pre-SOX, META Group estimated that 80% of large
corporations would have formal security programs by YE06; now we believe the corporate environment will reach 80% penetration by YE05.
The draft National Strategy to Secure Cyberspace reinforces the need for these programs by creating a national focus on information security. This raises information security to the level of the board of directors and CEO and advocates that organizations are
responsible for ensuring that appropriate security has been implemented for information
systems, networks, and data. Failure to do so can result in legal liability for damages to
third parties. Organizations should add information security to the board's agenda, including regular briefings from management as well as risk management discussions.
Section 302 requires that officers of the company make representations related to
the disclosure of controls, procedures, internal controls, and assurance from fraud
Section 409 requires that the organization disclose to the public on a rapid and
current basis material changes to the firm's financial condition
Section 906 requires that the 10-K, 10-Q, annual, and periodic reports containing
financial information accurately represent the firm's financial condition
Although SOX does not require specific security features, these requirements have obvious security implications. If the data is not adequately protected, then neither the
auditors who must render that opinion, nor the corporate officers who are required (in
Section 302) to personally sign affidavits attesting to the completeness and accuracy of
that information, can in fact be reasonably sure that the data is either accurate or correct. No one can be sure of the accuracy of the 10-K reports and other financial documents based on such unprotected data. Thus, security controls reduce the personal risk
that corporate officers face of possible arrest, as well as the significant risk corporations
face of stock devaluation, loss of business, and bond rating devaluation, from failure to
comply adequately with SOX.
A comprehensive security program is not only a SOX requirement but also an integral
part of corporate governance and corporate and IT architecture. Organizations with
strong governance including a security program do not have to scramble to meet the
requirements for each wave of new regulations. Compliance becomes largely a paper
exercise, matching the requirements to programs and systems already in place.
Getting With the (Security) Program
META Group research, including polls of attendees (mostly CFOs and IT managers) at
META Group events, shows security as one of the top four priorities for SOX initiatives.
However, in many cases, security is mistakenly thought of as an IT issue and is handled as
a series of projects rather than as a program with repeatable processes that must be
integrated with the business. This routinely leads organizations into a cycle of failure with
security that is very difficult to stop. A program is needed to address these security
issues comprehensively and change the culture so that risk management is an aspect of
all business thinking.
Chapter 5
Developing a security program requires management that provides guidance regarding the
needs of the business as a whole. This represents a significant change in how most organizations have traditionally approached information security. Security teams must typically deal
with fragmented budgets, years of underinvestment, and technology that is complex and
expensive. All this can combine to create an inconsistent approach to security.
The organization looking to develop an enterprise security program must focus on creating a holistic approach, adhering to legal and regulatory guidelines, and exercising due
diligence and a standard of care that is appropriate for a given industry.
[Figure: the three components of an enterprise security program: technology, policy, and processes]
Weaknesses in any of these areas will cause the program to fail. For example, technology
is expensive, can involve a considerable amount of new and unproven products, and in
itself is not the solution to information security. Technology, while useful and necessary, is
the least mature area of IT today. Yet many technologists will maintain they can handle
the information security program on their own. But if a tool or technology does not
work as advertised, it is the technologist who will take the blame. This type of disconnection between the security program and the business must be avoided.
Policy and process are as important as the technology being used. Development of policy
and process must happen on a continual basis. Policies must be actionable and specific to
the domains they cover. The consequences of non-compliance should be severe. Processes must cover risk assessment (see Chapter 6), control selection, implementation,
ongoing maintenance, and forensics and reporting.
Failure to develop and enforce appropriate policy exposes the business to untenable risk.
A consistent policy framework and hierarchy contribute to policy awareness, enforcement, and adherence. Such a framework helps develop policy on an ongoing basis. Consistency and continuous improvement are more important than having comprehensive,
end-to-end policy from Day 1.
Building a foundation on the basis of the enterprise's need for security management
Ensuring that an appropriately structured security organization is in place
Ensuring that the enterprise is motivated to support these efforts
Next, the security team must define security domains. The primary purpose of domain
definitions is to delineate policy boundaries. The security policies defined later in the process will be specific to these domains. To group resources according to security needs into
security domains, security management must build a resource-classification scheme. A
security domain consists of all secured resources that exist within a secured perimeter.
[Figure: The META Group Security Model. Program Governance: charter, organization, process, marketing, generate program plan; Fast Track Security Operations; Define Security Domains; Define Trust Models; Define Requirements; Prioritize Security: policy, project, technology, governance, process]
Most organizations use various computing platforms, operating systems, applications,
and relational database management systems (resources) for both related and unrelated business functions. Any attempt to fix security must deal with the fact that
more things need to be fixed than there are staff and money available to fix them (at
least in the short term).
One task in planning security improvements is to assess risk. However, long before that
task is reached, areas of potential risk must be identified. Today's computing environment
simply offers too many risks to address them all. Grouping the enterprise's resources
(the business objects that require protection from unauthorized access) into security
domains helps to facilitate that process.
Once the domains are in place, the organization can move forward to create policy, select
technology, and develop processes. Organizations that have an enterprise architecture or
an enterprise program management office already in place will be in a good position to
implement this sort of security program (see Chapter 7).
At the most basic level, though, developing an information security program involves
seven fundamentals:
1. Charter a champion: One person, whether it is the CIO or a designated chief
security officer, needs to be responsible for security.
2. Plan a program: It is important to know where the security program is going,
but the plan is what tells you how to get there.
3. Focus and organize: There will always be too much to do when developing a
security program. The key is to accept it and deal with it.
4.
5. Divide and conquer: Trying to do everything at once is a sure recipe for failure.
The security program needs to break large goals into smaller, more manageable
tasks.
6. Improve key processes: Without processes, the program will not scale.
7. Call for reinforcements: Outsiders can be useful in providing external review.
2004 META Group, Inc.
Operations: The security program includes management and operations of traditional security technology such as firewalls, intrusion detection software, and
antivirus software. In many ways, security operations represent the (limited)
extent to which most organizations currently view security.
[Table fragment, COSO component definitions: the process to determine whether internal control is adequately designed, effective, executed and adaptive; the process which ensures that relevant information is identified and communicated in a timely manner]
The COSO framework gives the auditors something to assess against. COSO is usually
represented as a cube. One of the dimensions includes operations, compliance, and financial reporting. The second contains the business units and specific activities that should
be covered by the controls. The other defines the five primary control objectives:
1. Control environment: The foundation for effective control. It addresses IT at
the company level.
2. Risk assessment: A subject near and dear to the hearts of security professionals. Its goal is to manage risk to predetermined levels, not to eliminate it.
3. Control activities: Policies, processes, and procedures put in place to ensure
that risk mitigation strategies are executed.
4. Information and communication: Recognition by COSO that communication
and combination of information from all levels of the organization (a.k.a. transparency) are keys to success.
[Figure: the COBIT cube. Business Objectives; Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability; IT Resources: people, application systems, technology, facilities, data; domains: Planning & Organization (PO1 to PO11), Acquisition & Implementation (AI1 Identify solutions, AI2 Acquire and maintain application software, AI3 Acquire and maintain technology architecture, AI4 Develop and maintain IT procedures, AI5 Install and accredit systems, AI6 Manage changes), Delivery & Support, Monitoring (M1 to M4)]
Developing and starting to execute security and awareness programs for three
major audiences: the IT organization, executives, and the general population
Reviewing the enterprise SOX plan and enlisting resources for all security or
risk-related activities
Level 3: Project Execution
This entails the execution of the internal controls project, through the internal controls
documentation, risk mitigation, and assessment processes. During this period, the security group should focus on the following steps:
Identifying and initiating projects to close security gaps related to Section 404
compliance
Ensuring that all risk-related controls affected by SOX are being effectively executed to achieve compliance
Level 5: Optimization
During this stage, organizations are optimizing their processes for efficiency and cost
savings. Level 5 should be an ongoing compliance effort. The security group should focus
on the following activities:
Monitoring for ongoing Section 404 compliance and protecting the integrity of
financial controls
Implementing improvements to optimize compliance processes, increase effectiveness, and reduce risk
Conclusions
Failure to comply with legal mandates exposes the corporation to undue risk
and can result in personal liability.
Leading organizations are implementing a process-centric approach to security management, versus the traditional interrupt-driven, activity-based, reactive approach.
Organizations must address security at the board level as part of their SOX
compliance efforts. A gap analysis against the COSO framework is a good first
step in creating a comprehensive security program, which includes ensuring
that security is a component of all business thinking.
Chapter 6 Risk Management
A collaborative interface into the organization to enlist the appropriate parties in the
business controls process.
A scalable and secure solution that can be extended to all contributing corporate users.
Mediation through the life cycle of business processes as issues progress through
unreliable/ insufficient/reliable/optimized states.
of internal controls. However, it is critical to note that they are designed to meet regulatory, not technological or competitive, mandates (e.g., business process re-engineering, ERP, e-business). Although these tools should focus on financial reporting elements,
they must also provide the ability to extend beyond compliance to regulation for financial processes, and extend into the safeguarding of enterprise assets. These tools should
be capable of repurposing to cover the ongoing enterprise auditing process.
Leading compliance tool vendors include Protiviti (Robert Half), Paisley Consulting (partnership with Ernst & Young), and Open Pages. PeopleSoft partnered with Protiviti and has
integrated its audit/risk management functionality. Some risk management solutions provide a risk assessment from a security perspective. Oracle has brought a proprietary
solution to market, leveraging its projects functionality (e.g., Internal Controls Manager),
and should be considered for an organization that has Oracle applications, particularly
Oracle projects. SAP offers Audit Information Manager and has extended mySAP Financials
to enhance its corporate governance offerings to include support for Section 404, internal controls, further audit information system functionality, and whistle-blowing provisions of SOX. Because there is a close relationship with project management solution
requirements, other vendors are repurposing their project solutions to encompass SOX
support. Documentum has released Corporate Governance and Compliance, a risk
management solution built on its content/records management solution, and eRoom and
Oracle provide the most comprehensive enterprise capability. Although the impact of
SOX is still being defined, point solutions (e.g., Lotus Notes-based) may be outgrown
quickly and replaced by larger, more stable applications.
When to outsource (e.g., use any external service provider from contract labor to
entire business/IT process services) work versus perform it internally
Which external service providers are viable candidates for different types of work
(e.g., master service-level agreements, predefined shortlists, standard shortlisting
procedures)
What the processes are and who is involved with identifying, vetting, engaging, and
managing the service provider and its delivery processes (e.g., sourcing, supplier
relationship management, project/portfolio management)
Given the nascent, often unclear, and sometimes convoluted nature of most current
regulatory requirements (particularly as they are phased in and clarified during the
next several years), it is imperative that managing external service provider usage
receive executive attention and support, as well as adequate and skilled resources to
implement it. Along with management support, these efforts will require joint efforts
among the IT group, finance, and sourcing/procurement, as well as appropriate specific
oversight committees and task forces. Often, regulatory compliance efforts will serve as
the impetus to accelerate existing sourcing and supplier relationship management improvement efforts, as well as to prepare organizations for larger IT and business process
outsourcing initiatives.
External service providers are deploying several types of offerings around regulatory
compliance efforts such as SOX. Organizations must independently determine whether
it is appropriate to employ specific services and service providers based on individual
circumstance and specific regulations. This includes reviewing regulatory requirements
and consulting with respective financial/legal counsel and experts. However, it is important to highlight that compliance to the letter of the law may still lead to perceived
conflicts of interest in the eyes of shareholders, clients, partners, and regulators. Providers must also use care and caution when defining and packaging new offerings. Although
compliance-related services are lucrative (particularly in a down market), the longer-term ramifications of non-compliance with what at the time seemed appropriate and
legal (remember Andersen) must remain an over-riding consideration.
COBIT
SOX mandates the use of a comprehensive management framework, and the PCAOB,
which is charged with enforcing SOX, strongly recommends the use of COSO and its IT
component, COBIT, for that framework. Fortunately, COBIT is an excellent tool for
developing comprehensive RM checklists for IT and line-of-business (LOB) process
owners, thereby greatly strengthening any organization's efforts to comply with SOX.
First released in 1996, COBIT is an IT governance tool that links IT control practices
with business processes and provides a framework of resource risk management processes for business leaders, IT professionals, and auditors. The COBIT risk model bridges
the gaps among business and regulatory risks, control needs, and IT technical issues.
[Figure: COBIT domains and processes. 1. Planning & Organization; 2. Acquisition & Implementation: AI1 Identify solutions, AI2 Acquire and maintain application software, AI3 Acquire and maintain technology architecture, AI4 Develop and maintain IT procedures, AI5 Install and accredit systems, AI6 Manage changes; 3. Delivery & Support: DS1 Define SLAs, DS2 Manage third-party services, DS3 Manage performance and capacity, DS4 Ensure continuous service, DS5 Ensure systems security, DS6 Identify and attribute costs, DS7 Educate and train users, DS8 Assist and advise IT customers, DS9 Manage the configuration, DS10 Manage problems and incidents, DS11 Manage data, DS12 Manage facilities, DS13 Manage operations; 4. Monitoring: M1 to M4. Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability. IT Resources: people, application systems, technology, facilities, data]
COBIT provides more high-level control processes/standards guidance than alternative
standards models currently used by many ITOs. In addition, there is a real possibility that
the PCAOB may require organizations not using COBIT for their SOX compliance to
document why they chose an alternative. COBIT incorporates the principles of many
disparate models and methods. However, COBIT alone may be too generic to make the
control objectives operational. The following standards can be used in translating COBIT's
34 high-level control objectives to concrete measures:
LOB issues: Business managers typically focus on the following three LOB issues:
IT processes: Process owners, IT specialists, and LOB staff may have a specific
interest in a particular process or activities/tasks; auditors may be interested in the
IT processes or the overall COBIT framework:
Does the process employ control procedures in alignment with information policy and generally accepted IT best practices?
Do the processes support the control objectives?
COBIT management guidelines are composed of maturity models to help determine the
stages and expectation levels of control and compare them with industry norms. The
guidelines include the following:
Critical success factors to identify the most important actions for achieving control
over IT processes
COBIT Domains
Domain 3 Delivery and support: This defines the actual delivery of required
services, from operations through security, including training and capturing information required for SOX compliance. It also covers delivery and documentation of
services from third-party suppliers and therefore can be used to determine whether
such services meet SOX requirements. Such activities support the processes that
are the lifeblood of the organization. This domain includes the actual processing of
data by application systems, often classified under application controls. COBIT includes control over the IT process of defining service levels (capturing, creating, and
communicating the ITO's value proposition) that satisfy the business requirements.
Domain 4 Monitoring: This focuses on ensuring achievement of the performance objectives established for the ITO, including gathering data to document the
proper functioning of interfaces between systems and other potential problem spots
in maintaining the accuracy of financial records, as required by SOX. It addresses
management's oversight of the organization's control processes and the independent
assurance provided by internal and external audit.
Insurance
As a result of the post-Enronitis epidemic and the trickle-down effect of the Sarbanes-Oxley Act, CIOs are becoming increasingly concerned with officer and director (O&D)
liability and the potential risk of fines and penalties (as well as personal-asset jeopardy)
that can be levied against directors and key officers if they are found liable. The risk
extends beyond just Sarbanes-Oxley legislation.
CIOs (and IT software development firms and vendors) should be cognizant that commercial general-liability (GL) insurance does not provide coverage for programming errors, contract performance disputes, or any other professional-liability issues, including
those associated with SOX compliance. Therefore, IT consultants and companies that
have GL coverage without professional-liability (e.g., E&O) coverage are taking a serious
Conclusions
By implementing COBIT risk management processes, the CIO can lower IT risks to
the business and improve IT risk/reward communications.
CIOs should adopt the COBIT risk management process to adequately address
SOX requirements and avoid harming the organization's financial standing, market
share, brand image, and goodwill.
Understanding the appropriate role and tightly controlling external business and IT
service provider usage are critical to gaining and exhibiting compliance with new
regulatory mandates, as well as optimizing external service provider usage.
Although external business and IT service providers can play a major and valuable
role in helping organizations achieve regulatory compliance, situations exist where
their usage is inappropriate, and in general, organizations must not over-rely on them
to define, deliver, or guarantee compliance.
As part of an overall risk management strategy, CIOs (and IT vendors) must have a
well-grounded understanding of the various insurance policies available to transfer risk.
Chapter 7 Architecture
Increased legislation around accuracy, privacy, and timeliness of information is a trend, not
a fad. An overall compliance program should be created to address this press of new
legislation, and work in concert with enterprise architecture (EA) efforts. This chapter
presents an approach for leveraging IT architecture to respond more effectively to the
compliance onslaught.
META Group research indicates that 50% of US businesses facing Sarbanes-Oxley (SOX)
compliance are treating the effort as a one-off project. However, the reality is that businesses face a wave of regulatory efforts with which they must comply, at all levels of
enforcement. Failure to address this trend will lead to excessive costs and effort at least,
and to excessive fines and possible criminal penalties at worst. The better strategy is to
treat compliance as an ongoing program, applying governance principles and building it
into business practices and IT architecture.
A rapid trend toward centralization of control over planning, design, and implementation of information technology solutions
facilitate this by selecting solutions that will establish harmony among the existing environment and the new or enhanced infrastructure, systems/applications,
and business processes.
2. Extensibility: Every architecture component should be designed such that it
even mutate as the business requires it, depending on the changes that occur in
the business environment.
4. Supportability: This involves the capability of the solution not only to support
the full extent of the business, but also to be supported by its provider on either
a local or global basis.
5. Comprehensiveness: As the architecture seeks to provide the widest possible
solution or support to the business at large, the architecture should also be such
that it covers the current and future environments of the organization, tending
toward completeness.
6. Lucidity (business change-driven): IT organizations are expected to respond
to a schizophrenic enterprise where change is constant and the architecture should play the bridging role, establishing clear targets for change and making them understandable to the organization in clear business language. It is also
becoming imperative for organizations to distinguish between change through
growth (continuity), which is more of the same, versus real change (disruptive), which introduces different design perspectives, roles, and actions.
7. Component-based nature (modular or reuse-driven): Systems/applications
reprioritization, resource realignment, and closing the loop) to ensure the project
portfolio represents the best use of resources enterprisewide to deliver business value.
3. Delivering accurate and timely decision-quality information to the executives
It is no accident that establishing EPM and fostering project management discipline in an
organization are inextricably tied to enterprise architecture. The transition planning phases
of the process model rely on the rigorous adoption of project management best practices. Many enterprise architects have leveraged an EPMO build as a foundation for
introducing the architecture process and accelerating its development/adoption.
Establishing an EPMO requires the support of senior business and IT leadership, as well as
the correct staffing, communications, reporting procedures and standards, and architectural documentation to be successful. Often, the chief architect or other IT leaders
understand the need for an EPMO, but ultimately, the CIO must be informed and make
the decision.
EPM provides the mechanism for assessing the cost and risk of new, proposed projects
based on past experience. The best way for an organization to maintain its competitive
edge is to ensure that the projects and programs that receive the allocation of limited
corporate resources result in the greatest possible business value. This is the true EPM
value proposition.
Effective EPM ensures business decisions are highly quantitative (versus subjective), balances risk and value of business ventures, cultivates a learning-focused and change-tolerant pool of human capital, and can mitigate staffing problems by identifying the requisite
skills needed to perform projects in support of the business agenda.
Without EPM, burgeoning cost overruns, mismanagement, and resulting project failures
can draw the ire of senior management, and in some cases even prompt the outsourcing
of IT. Building best practices, rather than merely adopting cookie-cutter approaches
from outside vendors and surrendering control to external consultants, is critical to
success. Global 2000 organizations must adopt strategies for developing EPM talent in-house and bootstrapping adoption, in addition to leveraging emerging organizational structures such as effective program management.
Although the blistering pace of technology change decoupled strategic planning and budgeting processes from the enterprise architecture process, they are about to be reunited. More tightly controlling spending on information technology and governing what
is implemented, eliminated, or changed are the only mechanisms to ensure compliance
with Sarbanes-Oxley and will supersede the need for speed.
User Actions
Compliance with Sarbanes-Oxley will be no small task. Because it is currently a law, pure
compliance, though mandated, will be seen in few, if any, organizations. Organizations must leverage a portfolio management approach to allocate resources to areas
where non-compliance exposes the greatest risk.
Many of the analysis tools that financial portfolio managers use can be applied directly to
managing IT investments in hardware, infrastructure, applications, people, information,
projects, and processes. The most successful business leaders have distinguished themselves by following the models of the financial industry and applying portfolio management disciplines to business and IT investments.
Leaders have found portfolio management valuable and viable when they were able to
answer the following questions positively:
META Group research indicates that CIOs who embrace IT portfolio management have
exemplary records of continuous IT efficiency improvement, with some enterprises
able to reduce costs by up to 30% while improving effectiveness with enterprisewide
asset deployment/management. Much like a financial investment portfolio, IT portfolio
management enables the CIO to categorize, evaluate, prioritize, purchase, and manage
technology projects and assets (hardware, software, and people).
One main benefit of the portfolio management approach, as we define it, is that it
can be applied at varying levels, from very basic to extremely sophisticated. Individual
organizations can apply portfolio management at the level of sophistication appropriate
to their situations. Small organizations or those in relatively stable situations can remain
at a fairly basic level, while Fortune 500 companies often become very detailed, leveraging complex financial models and management techniques.
A second key benefit of IT portfolio management is the introduction of the concept of a
management life cycle, with a beginning, a middle, and an end, for each portfolio
investment. Great financial managers often know what will drive them to exit an investment even before they buy into it. In contrast, all too often, IT managers do not recognize that software and processes have a life cycle. The result is that, while hardware is
refreshed and replaced on a regular schedule in many organizations, software and processes often long outlive their usefulness.
Managing and coordinating organizational evolution through a project portfolio, coordinated via an enterprise program management office or similar function
Project portfolios, both business and IT, since projects are the building blocks of
strategic change
Customer relationship management, as customer loyalty and interaction drive revenue and future performance
Financial and operational analytics, as pro formas (to a large extent) drive investor
expectations
Product life-cycle management, as product life cycles correspond with current and
future revenues
Conclusions
An enterprise architecture cognizant of ever-increasing legislative compliance demands, combined with a plan to achieve that architecture and a program to oversee
its execution, is a business imperative.
Compliance is not accidental. A road map and a destination are required to thrive in
a world with ever-increasing legislation.
Chapter 8 Records Management
Collection of this material from normal corporate channels can be partially automated by
setting the corporate e-mail system to copy all e-mails with SOX or Sarbanes-Oxley in their headers, and all e-mails originating from or going to specific individuals
(the SOX consultants or employees who are assigned full-time to SOX compliance), to a
SOX e-mail account that then can be automatically managed in the SOX records management system. This may result in capturing messages that do not need to be preserved, but
it will be better than missing messages that should be preserved.
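The capture rule described above, as an added example that is not part of the original guide: it parses a message's headers, flags it when the Subject mentions SOX or Sarbanes-Oxley or when any From/To/Cc address belongs to a designated SOX worker, and returns the archive account to copy it to. The staff addresses, the archive account and the sample messages are constructed for the example.

```python
"""Classify inbound mail for copying to a SOX records account.

Added example (not from the META Group guide). It implements the capture
rule described in the text: copy any e-mail whose header mentions SOX or
Sarbanes-Oxley, and any e-mail from or to a designated SOX worker, to a
SOX e-mail account. Addresses and messages below are constructed.
"""
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed watch list: consultants and full-time SOX staff (hypothetical addresses).
SOX_STAFF = frozenset({
    "sox-consultant@example.com",
    "controls.lead@example.com",
})

# Subject keywords. The second alternative also matches "Sarbanes Oxley" and
# "SarbanesOxley", spellings that show up in real mail.
SOX_PATTERN = re.compile(r"\bSOX\b|sarbanes[\s-]?oxley", re.IGNORECASE)


def classify(raw_message: str) -> tuple:
    """Return (capture, reason) for one RFC 5322 message given as text.

    policy.default decodes RFC 2047 encoded words, so a Subject such as
    '=?utf-8?q?SOX_control_testing?=' is matched in its decoded form.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)

    subject = str(msg.get("subject", ""))
    if SOX_PATTERN.search(subject):
        return True, "subject mentions SOX"

    # From, To and Cc may each hold several addresses with display names;
    # getaddresses() strips the names and leaves bare addresses. Matching is
    # case-insensitive because mailbox names are not reliably lower-cased.
    fields = msg.get_all("from", []) + msg.get_all("to", []) + msg.get_all("cc", [])
    for _name, addr in getaddresses(fields):
        if addr.lower() in SOX_STAFF:
            return True, "involves SOX staff member " + addr.lower()

    return False, "no SOX indicator"


def route(raw_message: str, archive_account: str = "sox-records@example.com") -> list:
    """Return the extra recipients (the SOX archive account) to copy this message to."""
    capture, _reason = classify(raw_message)
    return [archive_account] if capture else []


# Constructed sample messages (not real mail), one per case the rule must handle.
SAMPLES = {
    "keyword": "From: cfo@example.com\r\nTo: staff@example.com\r\n"
               "Subject: Sarbanes Oxley 404 walkthrough\r\n\r\nAgenda attached.\r\n",
    "encoded_subject": "From: a@example.com\r\nTo: b@example.com\r\n"
                       "Subject: =?utf-8?q?SOX_control_testing?=\r\n\r\nbody\r\n",
    "staff_cc": "From: ops@example.com\r\nTo: it@example.com\r\n"
                "Cc: \"Controls Lead\" <Controls.Lead@example.com>\r\n"
                "Subject: server patching\r\n\r\nbody\r\n",
    "unrelated": "From: x@example.com\r\nTo: y@example.com\r\n"
                 "Subject: lunch on Friday\r\n\r\nbody\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw), route(raw))
```

As the text notes, this over-captures (any message touching a SOX worker is kept), which is the intended trade-off.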
However, some communications will invariably be missed. Thus, to some extent, compliance will depend on the voluntary actions of individuals, and that opens the door to
anything from honest mistakes to purposeful omissions, which of course is the case
with records management in general. Some companies are already talking about adding
a checkbox to each e-mail that enables the sender or recipient to flag it as SOX-relevant.
The problem is that honest employees might forget, while the dishonest employees
(exactly the people SOX is intended to stop) might attempt to circumvent the system.
This virtually guarantees that those messages will be mishandled.
The bottom line is that corporations will fall short of full compliance with SOX Section
802 to the extent that they depend on voluntary action by employees to identify and
capture relevant electronic records and SOX-related communications. This is a potential major SOX compliance issue, particularly in large corporations where the daily e-mail volume is measured in tens of gigabytes. It is likely to be less of a problem with
auditors, who may choose simply to capture all e-mails, IM sessions, and Web meetings
involving persons engaged in SOX audit work, whether they are actually SOX-related or
not. Corporations can do the same thing with individuals assigned to work specifically
on SOX. The problem will be most severe for corporate senior management (exactly
the individuals that SOX compliance is most likely to focus on), because for them
SOX traffic will be only a percentage of their total e-mail and IM traffic, even during
SOX audit periods. They are also less likely to remember to check off a SOX checkbox.
Best practice for these individuals will probably be to focus on training their personal
administrative assistants to be alert to SOX traffic.
The automated methods of capture are intrusive and do raise privacy issues for employees, particularly if all electronic communications involving some individuals assigned
to SOX full-time are captured. Those employees should be warned that their communications are being preserved. However, this may simply become a requirement for the
job, and they may have to use alternative systems for personal electronic communica-
Formal training for all these individuals, therefore, is absolutely necessary if the enterprise is going to achieve SOX compliance. Unless the organization has an in-house SOX
expert who specifically understands all SOX requirements from an end-user perspective and who is a good teacher, the organization probably would be wise to consider an
outside consultant with this combination of skills and knowledge. Training should emphasize the potentially severe personal as well as corporate implications of failing to comply,
and corporate policy that prevents the data from being used against the employee.
While SOX only specifically mentions senior management as being personally liable,
other key players in the SOX process should not presume they are immune to personal
prosecution (whether judicially or liable for breaking company policy, etc.).
Chapter 8
However, the best training wears off in time as the impact and memory fade. Thus, it is
vital for the enterprise to keep users aware of SOX through internal marketing. This
should include posters and other items that individuals will see every day as well as
follow-up training before each annual SOX audit is conducted. SOX slogans should be as
common in the lives of these individuals as the famous "loose lips sink ships" was to the
American public during World War II, and for much the same reason. It will remind
them to think about compliance throughout their day. Individual items such as coffee
cups, printed pens, and note pads for their desks are inexpensive to have made and can
be a constant reminder.
practices (e.g., as required under Section 404). Certainly, most firms with existing investments in enterprise content and records management technology (e.g., Documentum,
IBM, Hummingbird, Open Text, FileNet) are now exploring ways to leverage content and
records management as a strategic foundation for all content and records generated
through the review and audit cycles, as well as to leverage any collaborative and workflow
components also offered by these vendors. Furthermore, a centralized content repository with a base built on a records management foundation (i.e., compliant with DoD
5015.2) ensures systematic control over all content during its life cycle and manages
retention and destruction rules for this content.
Beyond meeting the SOX requirements, being able to provide complete, secure, and
timely access to information (content) throughout the enterprise, while also protecting
content integrity, managing availability, protecting sensitive information, and reducing
operational costs (or cost avoidance) is fundamental to an effective enterprise records
management strategy. Broken down into its base components, the retention regulations
required under SOX are essentially no different from retention requirements already
incumbent on most organizations, though largely ignored in a digital form to date due to
the difficulty of applying a consistent set of policies to tactical solutions. It is the nature
of the content required under SOX that is the differentiator.
Integrated Workspaces
As critical documents and records are maintained in a secure SOX repository, a closely
linked factor to be considered is enabling the communications throughout this process
among the different stakeholders and various internal staff as well as with accounting
firms or any number of board members or other relevant parties that would like to see
a more aggregated and personalized environment. Ideally, this would be an environment
where certain snapshots (e.g., financial extracts), key performance indicators (based on
analytics), or other point-in-time content (daily ledgers, purchase orders, etc.) can be
securely deployed and accessed as well as personalized for specific users and for whatever role or position they have within the process.
This is very relevant for internal review, enabling identification of problems before they
become material and facilitating identification of risk as well as collaboration (e.g., to
query ERP or other line-of-business systems). An integrated workspace can also be
used as a centralized workplace for statements on director-level or company information as well as on all types of content and resources related to achieving compliance
with Section 404 or any of the other sections requiring a collaborative process, reten-
Conclusions
SOX demands rigorous capture and retention of a large volume of financial records,
including informal electronic communications (via e-mail, IM, Web meetings) concerning SOX 404 and other SOX sections. While most financial documents are fairly
easily identified and captured for the SOX record, e-mails and other informal electronic communications present a more difficult challenge.
Clients should view SOX and other compliance/risk-related projects as an opportunity to standardize and upgrade all content-related systems. As part of this process,
content-related purchases should be viewed as an infrastructure-like purchase to
which a consistent set of content and record policies can be applied.
To meet SOX compliance, an organization must have complete, secure, and timely
access to content throughout the enterprise, while protecting content integrity, managing availability, and ensuring immutability throughout the life cycle.
Enterprises will need to look across financial controls in most business processes to
ensure that they are in compliance with Sarbanes-Oxley. A SOX technology blueprint will include Section 404, ERP, and best-of-breed transactional, content, portal,
and business intelligence solutions.
Asset Management
of data cleansing should be targeted at troublesome areas that subsequently require
minimal upkeep. Tools can be helpful to understand asset deployment and configuration
and to monitor use, but with assets constantly changing and organizations restructuring,
data reconciliation processes must be clearly defined and followed to continuously improve data accuracy and reduce errors.
Chapter 9
Political Issues
In general, the strongest AM programs have not only executive support for reducing
cost, but also a focus on delivering value (e.g., improved delivery time), assisting in overall
buy-in. Without additional value-add, processes are often circumvented using numerous
tactics (e.g., "This is the only product that will solve our particular problem"), which
causes process erosion and sheds a negative light on AM in general. Within the organizational structure, there is often a political agenda that conflicts with asset management
goals and objectives. Project and application rollouts are often considered to be career
advancement opportunities, driving unrealistic cost and benefit analyses. Exacerbating
the problem are programs championed by the lines of business, which are interested
only in quick results. AM programs must focus on ensuring that supporting analysis is
performed on aspects such as total cost of ownership (TCO) and the asset life cycle, but
these areas should be tread carefully, since decisions ultimately lie elsewhere in the
ITO. AM programs must follow a delicate path, understanding and communicating the
balance between cost and value without impeding overriding corporate issues.
Prepare for success: Understand asset management evolution, and plan ahead for
process and data integration of new functions
Understand accurate versus inaccurate data: Since AM data initially will not be
accurate (nor will it be useful), focus on key data that can be used to manage the
largest pain points and to facilitate portfolio management, using formal, iterative
processes to improve data accuracy and sampling methodologies to spot-check
cleansed data
A growing trend toward involving asset management at the onset of projects (and architecture creation) leverages experience in efficient and cost-effective procurement. This
enables procurement delay to be minimized and protective Ts&Cs to be pre-established.
AM programs can also assist project teams by using existing assets to start projects, or
alternatively, substituting an asset refresh for a new project request, thereby effectively
eliminating any procurement delay. For the longer term, AM teams will also begin managing application costs, helping project teams to improve overall costs.
The use of RFP (request-for-proposal) templates to establish pertinent Ts&Cs will greatly
speed the overall process while forcing vendors to answer difficult questions before any
decision is made, rather than after the vendor is fully aware that the business is
secured. Although the specific answers to questions are important, the questions that are
not answered (or those that are dodged) will provide insight into the risks of the acquisition.
For example, if the vendor is unwilling to provide long-term unit costs, the customer can
assume that the purchase is a loss leader, which the vendor intends to make up over the
longer term.
One clear requirement is the need to build a network of relevant people prior to project
execution. We continue to see many acquisitions in which key people are not informed
of information before the decision is made. In organizations with corporate procurement departments, key executives must be notified early in the process to ensure swift
resolution. The executive approver must be clearly in the loop and be kept apprised of
the economics, Ts&Cs, and risks associated with the acquisition. Since this is a daily
activity for AM programs, acquisitions can be prioritized and facilitated through existing
processes, mitigating unnecessary delay and workload.
For project teams, the benefits are clear. Better estimates will build more confidence in
project teams. The ability to leverage existing assets can help facilitate quick starts to
projects. Improved Ts&Cs help enhance project budgets, not just infrastructure costs.
For AM teams, the ability to finally improve vendor and negotiation management will
reap rewards that far exceed the additional effort in project involvement. By helping
sculpt the costs and Ts&Cs before vendors are chosen, procurement effectiveness becomes optimized for any given acquisition. The ability to leverage the existing asset installed base and additional vendor business becomes a critical factor in controlling the
explosive number of vendors and products in the IT suite.
nology and unique architectures over time. Because A-COEs are able to deliver reliable
cost metrics, customers will ultimately rely on this information to make decisions. This
improved decision process results in, at a minimum, better chargeback metrics and, at
best, improved adherence to corporate standards. The tighter adherence to standards
will enable operations to more efficiently align resources and improve skill sets, and
thereby provide better support to customers. These improved conditions will ultimately
result in application asset management moving into A-COEs, as the disciplines honed
during infrastructure management become critical for managing long-term, application
life-cycle design.
Level 1: Reactive AM
What assets do I have?
Level 2: Active AM
How can I manage multiple asset types across geographic and organizational
boundaries?
Level 3: Proactive AM
How can I leverage planning information to optimize asset procurement, utilization, and management?
Lease returns: As a financial vehicle, leases are effective only when returns are
performed in a timely manner. Tracking hardware assets (e.g., desktops, servers) as
they relate to their contracts can save leasing company penalties when assets are
not turned in on time. Best-practice AM programs have reached 100% on-time
returns, avoiding costly lease overruns and delivering more effective computing in a
timely manner.
Invoice errors/vendor challenges: ITOs that have not had effective invoice verification processes can typically achieve 5% savings during the first two years of establishing an effective asset management program. In addition, customers have often been
charged more than contractual rates due to lost contracts or poor vendor back-office processes. Effective AM programs are attuned to contract terms and conditions, ensuring ITOs pay the correct contractual price, not the then-current price.
Product removal: Many ITOs have assets (especially software) that are underused or
not used at all. AM programs provide the only efficient method to track the asset
financial life cycle, providing an effective process to ferret out these assets for disposal.
Software license compliance: Managing software licenses can also yield tremendous payback. It is not uncommon for IT groups to overpurchase desktop software
by as much as 40%. Typical enterprises overpurchase by 10%-15%. This is a result of
the fear of software audits, which can yield penalties of as much as $100,000 per
license violation. Although actual audits are infrequent, there is a higher incidence
recently due to the tough economic environment. Activity of the Business Software
Reuse of assets: By tracking assets throughout their life cycle, assets can be reclaimed. Proper software asset accounting can lead to reuse without overpurchasing.
Tax burdens: If assets are purchased, tax burdens can be reduced by as much as
25% by properly disposing of assets when they have been fully depreciated and are
no longer of value to the enterprise. In addition, notoriously inaccurate fixed-asset
ledgers could result in inaccurate corporate financial reporting, which is currently a
very sensitive issue.
Increased efficiency at the service desk: Accurate information regarding hardware and software can accelerate diagnosis of problems and avoid dispatching of ill-prepared personnel. In addition, tracking problems associated with assets can give
better insight into real costs of asset ownership and provide trending information
that can assist in contract negotiations. Typical efficiency gains range from $30-$100+
per desktop, per year.
Improved warranty service: Knowing the disposition of each asset allows more
efficient use of warranty periods, reducing overhead associated with understanding
whether warranties are still in effect. In the long term, this understanding helps build
optimal asset refresh dates based on when asset warranties (or maintenance contracts) expire.
Cost modeling: TCO modeling of IT assets leads to improved contract protections and shifting focus during negotiations. The result is significantly improved costs
over asset life cycles, because historically hidden costs are revealed during initial
procurement instead of during subsequent asset change events (e.g., upgrades, relocations). Improved cost models also help improve IT credibility, since accurate estimates will foster respect for ITO business acumen, which is currently a weak ITO
trait. By 2005, more than 25% of AM programs will also be responsible for application
asset management activities, providing additional expertise in controlling cost and
deployment information.
Cost trends: Understanding asset cost trend information provides the improved
ability to manage asset life cycles and retirement thresholds. A granular understand-
Effective/equitable chargeback: Comprehensive chargeback based on controllable cost drivers results in more efficient computing, with architecture standards
and policies that have financial merit instead of being just another IT statement. Linking high-cost customers to high costs results in more equitable computing for all ITO
customers. Equitable chargeback also provides customers with the opportunity to
control both internal and corporate costs through closer adherence to standards
after initial decisions are made. In addition, the ability to tie applications to the associated infrastructure becomes a powerful tool for communicating the impact of
business decisions on the ITO.
Developing Standards
Beyond the tactical programs designed to solve a singular problem, the centralized cost
information gathered for managing assets becomes the focal point for understanding IT
costs and helps guide overall IT architecture and project decisions. The long-term impact of delivering cost-effective computing ultimately becomes the largest return on
investment for AM programs. Some examples of these benefits include:
More attentive vendors: ITOs that focus on problem issues through a single escalation point receive better service than those using multiple, separate interaction
points. Vendors and customers develop a stronger relationship and a better understanding of what constitutes critical problems. When discussions are dispersed across
ITOs, issues that are not related to revenue-generation opportunities are relegated
to a lower priority, regardless of customer criticality.
tects, and procurement teams all have a vested interest in decisions affecting technology. Centrally positioned AM programs are able to provide balanced information
to facilitate executive decisions. Leveraging the cost models previously noted, AM
can assign risk and cost to decisions based on vendor cooperation (or lack thereof)
to assign a more comprehensive understanding of any technology decision.
As IT grows into a mature service-oriented business, CIOs must become literate in how
to run the ITO as a business. Without AM, it is difficult to effectively manage diverse IT
businesses and costs. As systems, staffing, and associated interactions increasingly influence the costs of one another, the ability to understand resource allocation and impact
across the entire ITO becomes imperative. How else will IT begin to be managed as a
business?
The asset management road map must incorporate strategic responsibilities and objectives, including chargeback and planning/budgeting. Additional responsibilities should be
addressed as part of phased, future integrations. Ongoing objections to successful AM
maturation should be countered through:
Regular communications
Understanding of the various constituencies involved
Tailoring deliverables to the needs of those constituencies
Conclusions
CIOs must integrate project and asset management disciplines to improve costs
and control vendor behavior. Only after this integration will IT organizations be able
to manage IT as a portfolio, enabling improved value to and communication with
lines of business.
Asset centers of excellence can generate significant ROI for IT organizations beyond
mere cost savings. Best-practice ITOs are building on strong asset management programs during development of portfolio management, focusing on building cross-platform, cross-discipline asset centers of excellence.
Portfolio management of IT resources builds a better understanding and alignment
of IT value to lines of business, enabling improved delivery of business services from
the IT organization.
[Figure: compliance landscape. Labels recovered from the page:
Basel II: capital assessment and reporting standards for global banking
Health Insurance Portability and Accountability Act (HIPAA): right to carry insurance between jobs; privacy of patient information
NASD 3110: written policies and procedures for review of correspondence with the public
DoD 5015.2 and UK PRO: federal standards of records management
Sarbanes-Oxley (description not recovered)
Privacy of financial information (regulation label not recovered)]
As businesses contend with SOX directives to address flaws in financial practices and
reporting procedures, it is likely that corollary legislation to address security flaws and
vulnerabilities will soon be passed (2004/05). Just as SOX was enacted to safeguard stakeholders' financial assets, the increasing rate of breaches in information security and physical premises defenses will prompt legislators to require senior executives to attest that
due care and diligence have also been taken to protect human, capital, and non-tangible
resources across the enterprise.
Chapter 10
On December 17, 2003, the SEC published final rules that require investment companies and investment advisers registered with the SEC to adopt compliance programs.
Under the final rules, investment companies and investment advisers are required to
do the following:
Annually review those policies and procedures for adequacy and effectiveness
of implementation
The effective date of the new rules is February 5, 2004. However, the compliance date is
not until October 5, 2004.
[Figure: Dedicated Budget for Specific Regulations (bar chart, axis 0% to 80%). Bar values recovered from the page: 56%, 56%, 48%, 35%, 33%, 28%, 27%; of the bar labels only Basel II and IAS survived extraction, so the values cannot be reliably paired with regulations.]
Basel II will most likely continue to evolve; however, we do not expect any immediate or
major delays, extensions, or changes to the 2007 compliance schedule. CIOs and their chief
technology officers (CTOs) should plan and build an adaptive technical architecture to
incorporate any changes and the corresponding technical upgrades, should they surface.
CIOs/CTOs should integrate the Basel II solutions within the existing technical infrastructure and any other planned major systems implementations. The CIO's focus should
be to deliver enhanced controls and business benefits from Basel II, such as reducing
capital set-aside requirements and enhancing shareholder value.
Prohibiting financial services to foreign shell banks (i.e., banks without a physical
location)
Maintaining records with respect to accounts for foreign banks, and the sharing
of transactional information among financial institutions and between financial
institutions and law enforcement
All financial institutions must have a US Department of the Treasury Office of Foreign
Assets Control (OFAC) compliance program in place today. The October 1, 2003, deadline to implement the Section 326 CIP Policy was not changed for OFAC requirements.
Financial institutions are currently required to screen the names of their new and existing customers against OFAC's list of specially designated nationals (SDNs). Wire transfers must also be screened against the OFAC list because wires are the tool of choice
for money launderers and terrorists. The SDN list also includes OFAC-blocked countries with which financial institutions are restricted from doing business.
On October 1, 2003, financial institutions were required to screen their customer accounts against a new watch list (Section 326 List), which has been replaced by the OFAC
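The customer and wire-transfer screening described above can be implemented as a name-normalization step followed by an exact-or-similarity match against the list, as in this added Python example. It is not code from the original report or from OFAC; the list entries, the blocked-country code "XX", the wire record and the 0.85 threshold are constructed placeholders rather than real sanctions data. It goes slightly beyond the text by screening both parties of a wire and the counterparty country in one pass.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional entries standing in for the SDN list and its
# blocked-country entries. Not real OFAC data.
SAMPLE_SDN_NAMES = [
    "DOE, JOHN QUINCY",
    "Acme Shell Holdings S.A.",
    "Müller, Hans-Peter",
]
SAMPLE_BLOCKED_COUNTRIES = {"XX"}  # placeholder country code


def normalize_name(name):
    """Canonical form: strip diacritics, drop punctuation, uppercase, sort tokens.

    NFKD decomposition followed by dropping combining marks turns "Müller"
    into "MULLER"; sorting the tokens makes "Last, First" and "First Last"
    compare equal.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^A-Za-z0-9]+", " ", no_marks).upper()
    return " ".join(sorted(cleaned.split()))


def build_index(list_names):
    """Normalize the list once so screening only has to normalize the query."""
    return [(entry, normalize_name(entry)) for entry in list_names]


def screen_name(name, index, threshold=0.85):
    """Return (list_entry, score) for the best match at or above threshold, else None.

    Exact normalized equality scores 1.0. Otherwise difflib's similarity
    ratio catches spelling variants such as MUELLER vs MULLER. The threshold
    is a tuning knob: lower values catch more variants but hand analysts
    more false positives to clear.
    """
    query = normalize_name(name)
    best = None
    for entry, entry_norm in index:
        if query == entry_norm:
            return entry, 1.0
        score = SequenceMatcher(None, query, entry_norm).ratio()
        if score >= threshold and (best is None or score > best[1]):
            best = (entry, score)
    return best


def screen_wire(wire, index, blocked_countries=SAMPLE_BLOCKED_COUNTRIES):
    """Screen originator, beneficiary and beneficiary country; return all findings."""
    findings = []
    for field in ("originator", "beneficiary"):
        hit = screen_name(wire[field], index)
        if hit:
            findings.append({"field": field, "matched": hit[0], "score": round(hit[1], 3)})
    if wire.get("beneficiary_country") in blocked_countries:
        findings.append({"field": "beneficiary_country",
                         "matched": wire["beneficiary_country"], "score": 1.0})
    return findings


SDN_INDEX = build_index(SAMPLE_SDN_NAMES)

if __name__ == "__main__":
    # Constructed wire: clean originator, beneficiary spelled differently
    # from the list entry, counterparty in the placeholder blocked country.
    wire = {"originator": "Jane Smith", "beneficiary": "Hans Peter Mueller",
            "beneficiary_country": "XX"}
    for finding in screen_wire(wire, SDN_INDEX):
        print(finding)
```

Every hit is returned rather than only the first, so the analyst review queue sees a blocked-country match even when the name also matched; a real deployment would also record which list version was screened against, since the SDN list changes frequently.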
Another important provision of the USA PATRIOT Act, Section 1012, amends the Hazardous Materials Transportation Act. Section 1012 is important to CIOs of energy, chemical/petrochemical, transportation, Department of Motor Vehicles, and other enterprises
and agencies because they most likely will be required to redesign or implement appropriate system changes that better support hazardous material (hazmat) compliance provisions (e.g., hazmat material identification, transportation licensing provisions). CIOs of
affected industries would be wise to revisit their material safety data sheet applications
to determine if existing systems meet, or can be modified to comply with, Section 1012,
rather than starting anew with yet another application/system designed specifically to
comply with the Act.
Setting forth the provision of certifications relating to internal controls, disclosure controls, and procedures
The OSC has stated that small cap (e.g., public float) companies will be exempt from
some of the specific rulemaking.
Meanwhile, in Australia, the attorney general's department has proposed changes to AML
regulations governing financial institutions by releasing Anti-Money Laundering Reform
Issues Paper 1 for the financial services sector. We expect this new law to be finalized in
2004/05 and to reflect the revised FATF 40 recommendations (OECD Financial Action Task
Force). Financial institutions (bank and non-bank) should not underestimate the impact
the proposed changes will have on all aspects of their operations, nor the length of time
it will take to implement the systems and compliance process changes.
The present reporting-based approach of the Australian law will expand to adopt a risk-based monitoring approach consistent with international expectations. This will put considerable legal and financial responsibility on ITOs and the enterprise to take the necessary steps to work with business units to make the requisite consumer financial application changes (or implement new ones) to comply with the law.
US: Mostly concerned about SOX and HIPAA
Europe: Mostly concerned about privacy and company law revisions; more awareness of IAS, Basel II
Asia Pacific: Privacy maturing, critical infrastructure protection, cybercrime
[Figure: regulations by region (US / Europe / AP), as recovered from the page:
Corporate Governance: US: SOX; Europe: 33 Codes of Conduct; AP: CLERP
Privacy: US: HIPAA, Safe Harbor, COPPA; Europe: EU95/46, EU02/58, National; AP: PA&PAA
Infra Protection/Cybercrime: US: FERC, NIIPA, PDD63; Europe: Various; AP: Crime 1901 Etc.
Regulated Industry, Examples: US: FDA21, GLBA; Europe: 1400/02
Record Retention: US: DoD 5015.2; Europe: PRO, DOMEA, MoReq; AP: VERS]
Australian financial institutions will need to examine and retain identification documentation (identification records and photographs, such as driver's license, birth certificate,
passport, etc.) at the time of opening the account (document imaging for storage and
retrieval comes to mind); conduct enhanced due-diligence review (perhaps automating
background checks using Internet third-party providers) on customers assessed as higher
risk; and monitor the transactions over the life of the customer to be alert to changes in
the money-laundering risk profile (e.g., automated audit/reporting applications, such as
Tripwire [www.tripwire.com], which sells data integrity checking software).
An interesting opinion rendered by the Australian CPA organization
(www.cpaaustralia.com.au) provides a keen perspective on the pending Australian Corporate Law Economic Reform Program (CLERP) 9 bill, in what might be a mere window-dressing effort on the part of government to legislate meaningful reform:
Australia's largest professional finance and accounting body is today questioning whether
the draft CLERP 9 Bill has missed an opportunity to redefine the big picture for corporate
disclosure in Australia despite including many positive reforms. CPA Australia's concerns are in
response to initial indications of extensive reforms to audit regulation, but what appears to be
limited focus on the wider financial reporting framework and the responsibilities of other key
stakeholders including boards and management
based approach, including closed-loop planning and reporting for managing topdown and cross-business-area performance.
IT value: This provides the ability to ensure a consistent approach to communication of IT strategic initiatives.
CIOs should apply the lessons learned from Y2K (e.g., inventory controls, assessment and code remediation processes for disparate financial and fixed-asset reporting systems) and apply portfolio management discipline as a means to better ensure
compliance (e.g., retiring legacy systems and consolidating accounting and asset management systems to reduce complexity and ensure Section 404/409 compliance activities in the process).
Ethical business practices within the ITO (largely instituted as an overall program
approach toward quality assurance, security, and risk management) communicate a
vital message to the business community at large. CIOs must adopt rigorous data
integrity control processes so that automated corporate data is not compromised by
unauthorized access, modification, destruction, or disclosure. They must adopt best-practice principles and communicate their ethics standards to the ITO staff and business colleagues.
Other suggested activities around compliance and governance activities include:
Working with the business (chief privacy officer, CFO, general counsel, HR, etc.)
to better understand the operational, financial, and compliance risks across the
business (usually most effective when done through a steering committee)
Determining what mechanisms are already in place to track and evaluate compliance and ITO risks
Developing an automated means within applications to monitor transaction activities to establish controls and ensure they are consistent with prevailing laws,
as well as consumer and employee policies and practices
Providing evidence that the ITO is compliant with prevailing laws and directives,
and that prudent care has been taken to minimize and control risks
Periodically conducting an ITO self-assessment and third-party audit of IT systems and controls
Being prepared to brief the board of directors/executive management/audit committee on the ITO state of compliance; COBIT is a good starting point for conducting a controls self-assessment
In considering governance, privacy legislation, hazmat, and anti-money-laundering security-related compliance issues, we foresee a major impact on the level of security required to protect the information being collected and stored as part of compliance mandates contained in various state, federal, and international laws, directives, and regulations. For example, consumer-related information, if stored in California, would
be covered by California SB1386, which addresses disclosure of unencrypted personal
information to an unauthorized individual. So, as a minimum due-care process (from a
US-centric perspective), the information must be stored encrypted on the financial
institution's system. In addition, access to the information will have to be limited and
logged, with the log reports being reviewed periodically to ensure that no unauthorized
access has occurred.
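The controls in the preceding paragraph (access to stored consumer records limited to a short list of principals, every access logged, and the log reviewed periodically for unauthorized access) are exercised by the following added Python example. It is not code from the original report or from any vendor the report names; the allowlist, principal names, record identifier and log lines are constructed for the example. The encryption step the paragraph also calls for is assumed to be done by the caller with a standard AEAD before the bytes reach the store, so the example covers only the access-limiting, logging and review steps.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed allowlist for this example: the only principals permitted to
# read stored consumer records.
AUTHORIZED_READERS = frozenset({"kyc-analyst-1", "kyc-analyst-2", "fraud-batch"})


class ConsumerRecordStore:
    """Limits and logs access to consumer records.

    Records are assumed to arrive already encrypted (opaque bytes from an
    AEAD such as AES-GCM). The cipher is not implemented here; only the
    access-limiting and logging controls around the ciphertext are.
    """

    def __init__(self, authorized):
        self._records = {}
        self._authorized = frozenset(authorized)
        self.access_log = []  # one JSON line per access attempt, allowed or denied

    def put(self, record_id, ciphertext):
        self._records[record_id] = bytes(ciphertext)

    def get(self, record_id, principal, when=None):
        when = when or datetime.now(timezone.utc)
        allowed = principal in self._authorized
        # Log before deciding, so denied attempts are recorded too.
        self.access_log.append(json.dumps({
            "ts": when.isoformat(),
            "principal": principal,
            "record": record_id,
            "result": "allowed" if allowed else "denied",
        }))
        if not allowed:
            raise PermissionError(f"{principal} is not authorized to read {record_id}")
        return self._records[record_id]


def review_access_log(log_lines, authorized):
    """Periodic review of the access log.

    Returns (findings, per_principal_counts). A finding is either a denied
    attempt (someone reached the data path without authorization) or an
    allowed read by a principal who is not on the allowlist being reviewed
    against (an enforcement point is running a stale policy).
    """
    findings = []
    counts = Counter()
    for line in log_lines:
        event = json.loads(line)
        counts[event["principal"]] += 1
        if event["result"] == "denied":
            findings.append({"reason": "denied attempt", **event})
        elif event["principal"] not in authorized:
            findings.append({"reason": "allowed read by unlisted principal", **event})
    return findings, counts


def demo():
    """Exercise the store, then review its log plus one constructed line that
    a replica with an out-of-date allowlist might have written."""
    store = ConsumerRecordStore(AUTHORIZED_READERS)
    store.put("cust-1001", b"\x8a\x11 constructed opaque ciphertext bytes")
    store.get("cust-1001", "kyc-analyst-1")           # authorized read
    try:
        store.get("cust-1001", "intern-7")            # denied and logged
    except PermissionError:
        pass
    # Constructed log line from a replica whose allowlist still contained a departed user.
    stale = json.dumps({"ts": "2004-03-01T02:15:00+00:00", "principal": "ex-employee",
                        "record": "cust-1001", "result": "allowed"})
    return review_access_log(store.access_log + [stale], AUTHORIZED_READERS)


if __name__ == "__main__":
    findings, counts = demo()
    for finding in findings:
        print(finding["reason"], finding["principal"], finding["record"], finding["ts"])
    print(dict(counts))
```

The per-principal counts are returned alongside the findings because a sudden jump in reads by an authorized account is the other thing a periodic review should look at; the example leaves the threshold for that to the reviewer rather than guessing one.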
These compliance activities will require new security policies and technologies, in addition to well-defined security processes that detail how the policy and laws will be enforced via the selected technologies. This will, in turn, require a significant commitment
to information security on the part of the Australian, Canadian, and EMEA financial institutions, over and above what they are currently doing.
The role of establishing and maintaining trust is centered on the CIO's response to the
issues of risk, corporate governance, and regulatory compliance. CIOs must continually
strive to strike an appropriate balance between government and market regulation, because regulation will not work fully by itself and the cost of total compliance can easily
outstrip available IT resources. CIOs must stress that business ethics and individual
behavior within the ITO remain integral to risk management, credibility, and trust.
Conclusions
Organizations must develop global and integrated corporate governance strategies, practices, and processes that are supported by a standard IT architecture
and application portfolio.
Protracted litigation, censure, fines, sanctions, imprisonment, and personal liability are the by-products of a failure to properly manage legal and regulatory compliance mandates.
Chapter 11
Business service providers have long operated under regulatory conditions, though during the past 10 years they have run into regulatory problems and conflicts of interest as
they bundled additional services (often IT-related) atop traditional audit/assurance
offerings. Although PricewaterhouseCoopers, Ernst & Young, and KPMG have shed their
formal IT service arms, they are already rebuilding such capabilities (albeit on a smaller
and more controlled scale). In maintaining all business and IT services under a single
entity, Deloitte & Touche has the finest line to walk to ensure regulatory compliance. The
growing regulatory sphere of control and associated liability is now being extended to
pure-play ITSPs.
The New BPR: Business Process Regulation
Historically, business megatrends (e.g., business process re-engineering,
e-business) and potential disasters (e.g., Y2K) have driven IT direction,
spending, and market growth. More recently, regulatory mandates (e.g.,
SOX, HIPAA, Basel II, GLBA, USA PATRIOT Act) have emerged as
potentially more severe IT nuisances, and also as some of the few current
drivers of IT investments (though nowhere near the level of past "big
things," to date). In addition, the costs of failure are higher, particularly for
executives being held liable for regulatory compliance. Painfully, IT's
critical role and the true cost of its past, often haphazard, promulgations
are now being recognized at organizations' highest levels.
The old pillars of a client/ITSP relationship (i.e., personal relationships, past performance,
and personal trust) are being subjugated and, in some cases, torn down as a result of
these changing market conditions. The new pillars are visibility, clarity, and accountability.
There is already a clear regulatory conflict in providing audit and IT services related to
underlying financial applications. It is not a long stretch to find a conflict in advising on
financial management system (FMS) process optimization (or providing process outsourcing)
and implementing the underlying software applications, particularly if the client organization
is eventually found to have committed illegalities through those processes.
ITSPs must understand which services are appropriate to provide around FMS transformation and compliance efforts and guard against guilt by association (e.g., automating
flawed compliance processes). Given the systems and processes involved, much IT-
Selling SOX is not easy: Vendors face numerous challenges turning SOX opportunities into sales. The top-cited impediments (35% of those polled) identified were mapping offerings against prospect SOX requirements/showing SOX relevance and gaining adequate visibility/getting on prospects' radar screen. Defining a compelling value proposition was third at 14%, while identifying the appropriate decision maker and differentiating against the competition came in at less than 10%. This highlights that it is not clear how to translate SOX needs into specific purchasing decisions.
Findings from surveys conducted in 1Q04 include:
SOX compliance efforts are often pursued independently: Only 46% of respondents indicated their SOX compliance efforts were coordinated and integrated with
efforts to meet other regulatory requirements (e.g., HIPAA, Basel II, GLBA). This creates
2004 META Group, Inc.
Most organizations are now in the midst of executing SOX compliance efforts:
From a SOX progress and maturity level, most organizations are progressing toward
compliance:
Product vendors and service providers must understand where specific clients/prospects are in this maturity model and tout offerings appropriate for that level. Business
and IT service providers have the additional opportunity to help clients understand maturity and how to progress up the curve, though clients will view IT service providers
with parallel agendas (e.g., outsourcing, application development, products) more skeptically than they do business service providers.
Concerns still exist over evidence of SOX compliance for outsourced processes: This question elicited the greatest percentage of "don't knows" of any polling question (54%). Of those that did know, 59% expected to certify SOX compliance for outsourced processes, and 4% indicated they had already done so. Twenty percent expressed concerns over being able to accomplish this, and 17% were ignoring outsourced processes as part of their SOX efforts. IT and, especially, business process outsourcing providers will face increased challenges and scrutiny during the next 12 months as organizations begin to recognize the difficulty and uncertainty in certifying SOX compliance for outsourced processes. This is, in part, a function of inadequate regulator (e.g., PCAOB) guidance, a situation that will not change prior to 2H04. It is also due to the fact that
Business and IT service providers must fundamentally rethink the common components
in a compelling service offering. This will redefine and broaden the definition of full
service (see Figure). There are various areas where corporate governance elements
affect other service offerings, in addition to the already mentioned offshore and BPO
scenarios. Examples include assessing the risk associated with deploying new financial
management systems and processes, appropriate governance models for sourcing and
consuming external services, and how most major process areas (e.g., CRM, ERP, SCM)
evolve to support compliance, as well as leverage the improvements gained through such
compliance efforts (e.g., greater process visibility and transparency). All these areas are
potential targets for new service offerings if providers can assemble the appropriate
skills, resources, and process frameworks.
Broadening the Business and IT Service Footprint
To date, most business and IT service providers have been caught up in expanding their footprints by moving upstream and downstream. For example, this elusive quest to become full-service providers led to IBM's PwC Consulting acquisition, Accenture's movement into outsourcing, and Cap Gemini's Ernst & Young acquisition (see Delta 2147). Although laudable, such movements still do not create true full-service providers from the perspective of comprehensive offerings across all business process and industry segments. They also largely do not address gaining competencies around governance issues. Service providers must recognize that corporate governance capabilities are an additional dimension, or a third leg on the proverbial stool, that they must integrate into service offerings.
To address such requirements, service providers need to define new service offerings
that include corporate governance dimensions and reconfigure the resource teams
that deliver and support them. For example, though most service providers are currently arranged around industry and process areas (e.g., CRM), an added dimension is
required to address corporate governance. Such practice areas should exist discretely
but be applied against client engagements in conjunction with industry and domain
expertise, ideally in preconfigured offerings that target specific process areas (e.g.,
A final challenge to SOX compliance that affects outsourcers is inter-enterprise compliance. Users must approach process compliance holistically, covering insourced and outsourced processes, as well as intersection points and continuums of processes that span supply and service chains. For example, how can a user's controls account for the breakdown in a supplier's financial controls that could lead to a parts shortage, which could affect revenue/profits, which would then require a timely disclosure? Clearly, organizations cannot address SOX compliance in an isolated fashion. Outsourcers have the added dimension of being intertwined in numerous client compliance efforts across multiple process areas. This in itself increases the outsourcer's risk and demands greater focus on enabling compliance, for its own sake as much as its clients'.
Overall, vendors must develop a realistic time frame and approach to compliance product and service markets. Although end users are facing short-term imperatives, that does not translate into quick buying decisions or the propensity to find allure in slightly warmed-over offerings in a SOX wrapper. Vendors must make the effort to tailor offerings to meet users' business pains from SOX, not just search for appeal in IT features/functions. For many vendors, this implies working with SOX domain experts (e.g., external audit firms, business/finance/risk consultancies) as well as key clients to gain an adequate awareness and understanding of SOX implications and compliance requirements. Although these investments will take time, they will also lead to more robust and mature solutions that will meet clients' strategic, not just tactical, needs. Given that SOX is not going away and not likely to lessen in importance, the investment is worthwhile,
Conclusions
SOX and related compliance efforts are part of the permanent fabric of organizations' operating models. Vendors and services must reflect this reality in all their offerings.
Compliance creates long-term opportunities for business and IT product and service vendors, but only if the solutions offered can support users' strategic compliance needs.
In addition to driving increased business for audit/risk service firms, SOX compliance efforts will prove to be a boon to IT product and service vendors. However, it will also be a more complicated sell than were past demand drivers (e.g., Y2K, e-business).
Business process and IT outsourcing currently do not mix well with SOX and related compliance requirements. However, outsourcers and their clients cannot wait for regulatory clarification and must define, document, and rationalize interim best-faith efforts for gaining and evidencing SOX compliance for affected outsourced functions and processes.
Addressing SOX and related regulatory compliance efforts is a challenge and a risk, as well as an opportunity for business and IT outsourcers. Longer term, enabling compliance becomes a standard element in an outsourcing scenario. It also means that outsourcers' overall risk and exposure increase as a result of operating in a more highly regulated environment.
As organizations progress and mature in their SOX compliance efforts, opportunities for IT service providers and especially for IT product vendors will grow, but only for those that develop truly relevant and beneficial SOX offerings mapped to clients' strategic compliance needs.
Note: The opinions, descriptions, and recommendations contained in this document may include
general or summary information about aspects of the Sarbanes-Oxley Act of 2002, and related
current or proposed rules, regulations, or standards of the US Securities and Exchange
Commission and national securities exchanges and associations. The information presented is
intended simply as an aid to your understanding of such rules and neither constitutes nor is
intended to constitute the provision of legal advice. We urge you to refer to the actual laws, rules,
regulations and/or standards, and to consult with legal counsel concerning your responsibilities, if
any, with respect to applicable provisions thereof. Opinions and recommendations expressed by
outside parties who participated in the META Group events transcribed here are their own.
META Group is not responsible for any inaccuracies contained within these transcripts; please
visit metagroup.com to hear the audio files.
Appendix A
Transcript 2048
28 October 2003
Stan Lepeak: We have a lot of material to go through today, so let us jump right into it and move to Figure 1,
where we see the smiling mug shot of Mr. Bernie Ebbers, our well-known friend from WorldCom. In terms of a
business update, we all know the scenario here. SOX is on everyone's agenda: public companies, private
firms, large organizations, small, those based in North America, and those based elsewhere. Certainly, this is
a higher priority for large, US-based firms, but this is something that everyone is working on these days.
208 Harbor Drive Stamford, CT 06902 (203) 973-6700 Fax (203) 359-8066 metagroup.com
Copyright 2003 META Group, Inc. All rights reserved.
Transcript
Depending on your perspective, it is a scourge, a necessary evil, or a full employment act for IT. What we
want to go through today is doing some level setting in terms of what is required, where organizations are at,
where your peers are at in meeting SOX compliance, and what we feel is imperative that you need to get
done short term for tactical compliance and longer term for strategic compliance, as well as leveraging some
of these SOX investments for the bettering of your company's competitive capability.
Firms are rushing to evaluate their financial processes. There is a lot on the table; there is a lot to get done.
But I think what is key is to lay out a road map such that these efforts are achieving compliance, but are doing
so in a way that also can help you to maximize business benefits. What is key with all this, as opposed to
other recent full employment acts for IT and others, such as e-business and ERP initiatives and Y2K, is that
this does not go away. What we are looking at here is laying out a road map that will serve your organization
for years to come. And there are a lot of different pieces to that.
Figure 2 All Companies Will Need to Care
John Van Decker: Again, thank you Bernie, because as a result of some of the accounting flops that have
occurred over the past 18 months, we have the Sarbanes-Oxley Act, with the intention to protect investors by
improving the accuracy and reliability of corporate disclosures. And what I am seeing in numerous client
inquiries is that the impact is not just on the publicly traded companies. Rather, I see that many other
companies, namely smaller public companies as well as private companies, will need to care.
So I think we can take a look at a number of organization categories. What I am seeing is that for private
companies, members of the board, many of them are participating in Sarbanes-Oxley projects with their
public companies. They are going through an assessment process in their public companies, and they expect
the private companies (on which they are serving as board members) to also go through a financial controls
process.
Growing companies, companies that are below $75 million, want to grow up and will eventually fall under
the SOX microscope. The $75 million is the threshold right now, but I think there is also the possibility that will
go lower. Companies that are pursuing an exit strategy (e.g., they want to be acquired) will have their financial
control scrutinized during the buyer's due diligence process. When they do get acquired, they will need to
conform to a larger enterprise standard. By having a certified set of controls around financial management
processes, that is going to make the privately owned firm more attractive to the firm that is doing the
acquiring.
Also, many private companies are in business with larger companies. Let us say they are part of the supply
chain or sales channel. They may have a higher level of systems and process integration, and may need to
adhere to the controls of the larger firm. Also, the Public Company Accounting Oversight Board (and we will
go over that in a little bit more detail in upcoming figures) spells out requirements for all public companies.
Public companies that are under $75 million will have to conform to internal control requirements by their
auditors for fiscal years ending April 15, 2005, and later.
There are many institutions that receive public company grants. And the grantee organizations may be
required to demonstrate an internal control competency around grant management as well as overall financial
management. So I think, in general, SOX is raising the bar. For companies looking for financing and
insurance, Sarbanes-Oxley is raising the bar around the expected financial controls. So while it is specifically
targeted for the publicly traded company with revenues over $75 million, all companies will have an impact
and will feel the impact.
Figure 3 Critical Issues
Stan Lepeak: Figure 3 details the critical issues that we are going to get into in today's session. First we are
going to provide a SOX update and talk about the findings of some research that META Group has been
performing on this topic over the past couple of months. Then John is going to lay out a SOX IT blueprint,
looking at, from an architectural standpoint, what are the different classes of products that will fit into a
comprehensive blueprint to address SOX compliance and also talk about some of the specific vendors
therein.
We will talk about the records management imperative and where that fits into SOX compliance. Then we will
look at some of the legal issues around SOX in general, but also specifically delve into some of the legal
issues and ramifications of records management. So first let us look at some of the findings of some recent
META Group research.
Figure 4 The Last META Group SOX Survey Says
On Figure 4, here are the results of a survey we did over the summer. In the interest of time, we are not going
to read through all these, but just to highlight a couple of key points. This was a survey that was conducted
approximately eight weeks ago. At this point in time, 65% of organizations were actively engaged in a SOX
project, and another 25% were getting ready to kick them off. So by this point in time, well over 90% of the
respondent organizations were actively engaged in a SOX initiative.
For those initiatives, they are global in nature: 88% of organizations responded that compliance efforts in
SOX were global initiatives. So despite the fact that some of the ramifications for non-US-based divisions and
companies vary from those based in the US, these are really global initiatives. They are initiatives that are
primarily led by the CFO's organization: 45% of respondents cited the CFO as leading the SOX initiative,
and another 24% indicated that SOX was being led by the internal audit group. I think the point here to
emphasize is that, while there are key leaders for these initiatives, these are joint efforts involving lines of
business, professionals, the CFO's organization, internal audit, and then certainly IT professionals within the
organization, and then also external groups such as the external audit firms and related IT service providers.
A key point though is that firms were unsure of SOX readiness. Only 6% indicated at this point in time they
were in fact ready for SOX compliance. These other surveys have borne out a similar figure: 20% estimated
that major investments were going to need to be made, and 27% indicated at least minimal investments, but
the real telling number was that 48% of respondents were unsure. We have done some additional work since
that time, which continues to illustrate that people are still in the learning phases of what it will take to fully
achieve SOX compliance.
I think the point here is that this is still very much a work in progress, even from the standpoint of scoping the
initiative to the extent that you can accelerate those efforts, but also start to put a framework around how
you achieve SOX compliance so you can understand where the effort is being made in an appropriate volume
and amount, and where perhaps you can pull back, given there is a lot to get done in a very short time frame.
Figure 5 Where Are Firms on the Curve?
John Van Decker: We have been involved in a number of surveys. We have participated in Webinars with
vendors that provide compliant solutions, and we are seeing a tremendous amount of consistency across all
the surveys and the responses. Most folks believe that they are not ready yet for Sarbanes-Oxley, or more of
a full-blown Sarbanes-Oxley solution blueprint. About 90% of publicly traded firms are actively involved in
Sarbanes-Oxley projects, but the majority are focusing on Section 404. The idea is that they will go through
Section 404, which is really the internal controls evaluation, and then out of that identify IT projects.
So I think we are going to see an increase in IT spending the first quarter of next year through 2004/05. And I
think a lot of organizations are looking eventually toward a global corporate governance initiative. Many are
actually seeding that with Sarbanes-Oxley compliance. I think over time we will start seeing more corporate
governance executives, but at this point, Sarbanes-Oxley compliance is within the bailiwick of the CFO.
Figure 6 Top Preferences for SOX Solutions
One thing that I see quite a bit is vendors pitching that they are the only Sarbanes-Oxley solution, and as we
go through a briefing with them, it turns out to be a Section 404 tool, which involves internal control
documentation and assessment. But to enable Sarbanes-Oxley from the transactional and business intent,
intelligence, and financial management perspective, I think it gets back to better configuring solutions that you
have already purchased.
So go back to ERP instead and look at some consolidation opportunities. Perhaps replace some of the legacy
ERP solutions. I am starting to see that, in my business performance management inquiries from clients,
there is a need for visibility and transparency. And according to this survey, 30% of companies are looking at
business intelligence (BI) and business performance management to help provide that visibility and
transparency. So a lot goes back to doing a better job at more smartly configuring existing solutions, and
perhaps making some investments in business intelligence and performance management.
Figure 7 PCAOB Update
The PCAOB just released a draft on October 7. The draft is entitled An Audit of Internal Control Over
Financial Reporting Performed in Conjunction With an Audit of Financial Statements. I think what is important
here is that this is an independent accounting organization that is putting some controls and some meat
around Sarbanes-Oxley expectations, around auditors, and around audit work.
A number of deficiencies were identified, and I think the important point here without going through the whole
draft is it is putting more auditor definition around Sarbanes-Oxley. I think it is going to put more
standardization around auditor focus. In addition, I think it is also going to give auditors a lot of leeway in
determining what financial controls are, since it is clearly identified within this draft that internal control is not a
one size fits all. It varies by company, it varies by industries, etc. The important takeaway here is that for
those thinking that Sarbanes-Oxley was just a legislative act, we are starting to see more standards and more
guidelines being applied to Sarbanes-Oxley. So if anything, this makes it much more real.
Figure 8 Business/IT Services SOX Checklist
Stan Lepeak: We are going to talk about the role of external service providers relative to SOX compliance.
This is particularly important given some of the recent wordings that have come out of the PCAOB about the
ideal role of external auditors. So in terms of the class of the service provider, there are four types. In
business services, you have your auditors, the Big Four, E&Y, KPMG, Deloitte, and PwC. You also have
other specialized management risk assessment firms. Those are firms that have similar skills to the external
auditors, but do not actually perform audit work.
Then on the IT side, you have your classic IT consultants and systems integrators that are operating in the
SOX arena, so firms like BearingPoint as well as IBM. In the fourth class that we identify are the outsourcers.
Again, IBM would fall under this class, as well as CSC and EDS. Here, these are the firms that are often in an
outsourced fashion managing some or many or in some cases all of the financial applications that fall under
SOX compliance.
The ironic part about the services, particularly on the tax audit side, is that these firms, which are very much
part of the solution, are also to a degree part of the problem. So many have made the argument that, if the
auditors had done a better job with Mr. Ebbers or Tyco or Enron, we would have fewer problems today. And
while the vast majority of the audit work that has been performed historically has been at least adequate, if
not good, it is a bit ironic that the firms now are seeing revenue leap dramatically as their role has been
significantly expanded, in terms of not only expanding the basic audit but also getting involved in SOX
compliance efforts.
The challenge for users is to recognize where it is appropriate to use the external audit firm and where it is
not, because there are very specific stipulations within SOX as well as coming out of groups like the PCAOB,
which define where an auditor's role is appropriate. So the key point here is to have a mechanism in place to
determine when it is appropriate to allow the external auditor to perform non-audit work around SOX
compliance. Obviously, these firms are the experts relative to process control, and often are experts in terms
of understanding your organization itself. But you need to be very careful about where they are deployed, and
as you move up the continuum, these activities become much more highly regulated and potentially much
more risky from the standpoint of whether or not it is appropriate for the auditor to perform them.
So the key piece here is to ensure that audit committee involvement is built into a process to determine where
the external auditor can be utilized outside of performing basic adaptation work around the normal yearly
audit or around SOX compliance. There are other types of external service providers that have relative
capabilities in this respect, but they may also have additional agendas in terms of selling IT-related services,
in terms of system implementation or customization. Certainly, we have heard from some of the outsourcers
how the best way to address SOX compliance is to outsource everything to them, and we feel that could be
potentially risky as well.
Figure 9 Service Developments and Trends
Just to highlight some recent activities in this space, one that came out quite recently is IBM has announced a
relationship with KPMG, where KPMG is going to provide to IBM some of its control catalog, so basically
sample process models, which will then be embedded in a Lotus-based tool from IBM that organizations can
use to define appropriate process control and then document them and place them in repository appropriate
for review.
The key point here is that KPMG is the first of the audit firms to recognize that they are an audit firm and not
an ISV (independent software vendor). While all four of these main audit firms have tools that can be utilized
in SOX compliance, it is our position that they are very much tactical tools. These firms are not going to
support from a software vendor standpoint and a support and maintenance standpoint in the long term. So
KPMG is the first to step up and identify a partner in the form of IBM to really take over the management of
the software piece of these tools, while KPMG will provide the domain knowledge around process controls.
Deloitte is also looking at identifying a software partner, and we fully expect that all four of the major audit
firms will hook up with a software provider to maintain those tools that they were initially developing internally.
Deloitte has finally articulated its go-to-market message around the combined Deloitte, Deloitte Consulting
Group, with a strong emphasis on what it is calling integrated service offerings. These look at compliance
problems from multiple different perspectives: regulatory risks and IT perspectives. They have some
offerings there relative to helping clients look at SOX compliance but also look at some of the broader
implications of leveraging SOX efforts for greater corporate benefit.
Finally, another key point was looking at the SOX wildcard relative to business process and IT sourcing. We
are not going to dwell too much on it here, but the key challenge for an organization is that, even if they have
outsourced a business process, they are still liable under SOX to ensure evidence of compliance. The
challenge is that most outsourcers today do not provide the adequate level of documentation that a client will
need to be able to sign off on SOX compliance or evidence that to their auditors. So there is commonly an
SAS 70 document, statement of accounting Standard 70 that outsourcers provide to a clients auditors, but
that document (which has been around historically) is not designed nor is it adequate for evidencing SOX
compliance. So any organization that has outsourced business processes or outsourced IT processes that fall
under SOX compliance, we urge you to immediately begin to work with your outsourcer and your auditor if
you have not already, to determine what degree the existing documentation is appropriate for SOX
compliance and what more needs to be done.
Finally, an overall recommendation is that, while the auditors can provide great benefits to these efforts, it is
ultimately the client's responsibility, and the client needs to take ownership of this. The auditors are there to
do a job, but management ultimately has to do its job relative to SOX compliance. And the auditors still are
having their own set of problems such as the bullet point on business process integrity. So the bottom line
here is that the clients need to ultimately take responsibility for SOX compliance regardless of the help the
auditors can provide.
Figure 10 Assessing SOX Maturity
Stan Lepeak: This is just a forward pointer to make all our end-user clients aware that META Group is in the
process of rolling out a SOX Maturity Model with an offering. If you are interested in learning more about this,
contact your account manager, and he or she can arrange a session with John Van Decker and myself or
Charlie Brett to talk about this. This is a forward pointer in that we are putting some structured deliverables
together to help organizations understand their level of maturity overall relative to SOX, their level in specific
section areas, and also to help lay out that road map we were discussing earlier, which will be followed both
to achieve SOX compliance and then to maintain that compliance over time.
Figure 11 The SOX Dimensions
John Van Decker: We may want to repeat that question after the next couple of figures so we can first define
what a SOX technology blueprint is. I had mentioned before that many vendors are positioning Section 404
tools as the SOX solution, but in essence, Sarbanes-Oxley has an impact on all of your applications that
provide some input and controls in your financial management process. I am not going to go into a lot of detail
in this figure. We also covered this at the last Trend Teleconference.
It is critical is that firms go through their applications, especially those that provide and are part of the financial
management control processes, and understand where and how the application can provide visibility and
transparency into the financial accounting process. They can also revisit and ensure that the applications
provide internal control. They can be linked to contracts, to invoices, to trade agreements, etc., and provide
the appropriate records retention capability, to be able to provide communication both internally and externally
as we get some Section 409 initiatives.
Figure 12 The SOX IT Blueprint: Section 404
Section 404 is for organizations to provide an annual assessment of internal controls. We see that IT
organizations should consider employing risk management applications, to help document the process and to
provide a periodic assessment of internal controls. I am seeing that more firms are looking to provide this on a
quarterly basis to help assist the auditor, who will look at this on a more annual basis. These activities are also
linked to service providers, initially compliance and auditing vendors, but I think the next phase will be
more grown-up business applications, such as those provided by ERP vendors, as well as some business
process management and document management vendors.
I think they need to be linked into existing application infrastructures, so this will move then to be supported by
the systems integrators versus the compliance auditors. And the functionality around these Section 404 tools
is for documentation in this process modeling/program management, so organizations can understand where
they are in their documentation and assessment processes, as well as communication. I think the next phase for
these applications will be to leverage ERP applications, and we are already seeing from PeopleSoft and
Oracle applications that integrate and leverage some of the controls that are already inherent in the ERP
solutions.
Figure 13 The SOX IT Blueprint: Sections 302/906
This gets back to providing a business intelligence environment that can help consolidate financial information
and enable more frequent flash reporting, to be based on data marts, data warehousing, and OLAP tools as
well as reporting that leverages consistent metadata.
Figure 14 The SOX IT Blueprint: Section 409
Section 409 is built around concerns of disclosing to the public on a rapid and current basis any material
changes in terms of financial condition. This is going to require tools that can help identify the problem, so it
would be business intelligence, business performance management, and financial modeling tools such as
activity-based management and profitability management, to be able to generate compliance dashboards that can
identify thresholds, that perhaps can bring in the current contract base and understand if there are any issues
with suppliers, etc., that could impact the firm's financial condition. Ultimately, the tools should report outward
to some type of a portal process to communicate to investors as well as the US SEC.
Figure 15 SOX Technology Blueprint
I mentioned a number of business applications. I see that from an effort perspective, for an enterprise SOX
technology blueprint, 10% of the effort is going to be around the risk assessment tools that specifically focus
on internal controls for Section 404, and ultimately are used to provide some assurance around Sections 302
and 906. This is where the CFOs and the CEOs need to sign off on financials and confirm that the financial
statements are correct.
I think 60% of this, though, should be focused around transactional solutions. And that would be enterprise
resource planning (ERP) as well as best-of-breed solutions where the actual financial transactions are
generated and managed until they get to the general ledger. About 10% will be around content management
solutions. And 30% of the effort will be around creating an effective business intelligence/performance
management environment that can help generate compliance dashboards and help lift the organization in
more of the financial management processes, to help identify anomalies before they become material, so that
the firm can act on these inconsistencies and provide more of a consistent approach with financial reporting.
Figure 16 SOX Requirements: Records Management
Charlie Brett: For the next section, we are going to discuss the implications around the records management
aspects of Sarbanes-Oxley, specifically Section 802, which is one of the core sections of the act. And I would
like to state at the beginning that Section 802 should not be seen as a completely separate section that has
no impact or no tight relationship to the other sections. Indeed, it is quite the opposite. Section 802 should be
seen as the language that requires companies to manage the records and the processes and the
management of the documentation, the audit trail that is the product of, say, Sections 302 or 404 or any of the
other sections.
What we mean by records is one of the bigger questions and concerns that are being raised by a lot of our
customers. Certainly, components of a records management system include the definition of what a business
record is. And I would point out here that there is a distinction between the business records that a company
generates in terms of its daily business for other regulatory requirements, such as for their tax records, or
books and records or other types of recorded content that it is already incumbent upon them to retain.
A lot of the records under Section 802 are specifically related to the audit and review process. So the
documents that are generated and distilled, the conversations that are going on throughout the audit and
review process, are where the focus of this is. In a larger SOX framework, the components of a records
management strategy are evolving to include an enterprise repository, which is a centralized location, a kind
of storage facility, for the propagation and the longer-term storage under the requirements of all the content
related to the audit and review process. Currently, this retention guideline is seven years, which has been
going through some differences of opinion; the SEC recently clarified that seven years will indeed be the
retention life cycle.
This can include data that comes from integrated workspaces or through process management. So if you
have an integrated workspace where you have a certain level of employee that is participating in the audit and
review process, and there is collaboration, there is authoring going on, this is the type of tool that you would
use to start storing that content, as well as the process. This includes documenting and creating audit trails as
records of what has been going on through the audit and review process: who has authored certain types of
documents, what documents have come in, what applications have created them, what users have created
them, etc.
So to sum it all up, the big questions are what a record is and what is expected of us. So the definition of a
record under SOX Section 802 is anything that is created, sent, or received in connection with the audit and
review process, including conclusions, opinions, analysis, or financial data related to the audit and review
process.
Figure 17 SOX and Records Retention
We will get into some of the Section 802 implications, looking at some records management standards, and
possibly what to apply and what not to apply to a records management policy under SOX. What is a record? What are
some storage issues that you should be considering? And very importantly, who is responsible in the
organization for creating records, and what is to be expected of them?
A key bottom line on this figure is that, under most of the sections of SOX, records retention and protection
are key elements. So for those of you that are familiar with records management, if you distill it down, Section
802 is really another records management mandate, not unlike many of the other records management
functions that you are already performing within your enterprise. The key is that there are new types of content to
be introduced here, something we think is extremely critical.
Figure 18 Technology Scenario
The technology scenario that we are seeing, especially related to generating content, managing content,
collaborating on content, and making content available in a contextual manner, is being affected by compliance.
How can content infrastructures be leveraged? How can they be managed to act as a very solid framework
for Sarbanes-Oxley content? And I would add here that we are not making a distinction between physical and
electronic records.
The very strong trend in our marketplace in terms of content, collaboration, and records management is that
records management is indeed becoming a strategic part of companies' enterprise content infrastructure.
Typically, this content under enterprise content management is broadly defined as unstructured content,
meaning this is image data, document data such as Word documents, spreadsheets, etc. It includes e-mail. It
may include Web content or static output from ERP financial or mainframe systems. All this is generating a
very big top-of-mind scenario around what we as a corporation are doing for our records management. And
typically, Sarbanes-Oxley has been driving a lot of this, but if there is really any good news here, it is that your
organization most likely already has fairly well-qualified records management and IT staff who can be very
instrumental in looking at how we are mapping some of the new content and some of the new records through
the Sarbanes-Oxley process. So it is about the content in context and the collaboration, since there is a very
large part of collaboration through an audit and review process.
Figure 19 Standards and Regulations
There is in the marketplace a lot of alphabet soup going around, a lot of fear, uncertainty, and doubt (FUD).
There are a lot of compliance mandates out there, as you see on this figure. And we are seeing an increase in
helping our clients make sense of what we are really liable for. Are there really standards that we have to be
meeting under Sarbanes-Oxley? A lot of companies are familiar with SEC and NASD regulations around
books and records, around broker/dealers, or registered representative communications with customers.
Certain people are wrestling with new USA PATRIOT Act requirements, and folks in the healthcare industry
are struggling with HIPAA.
To get to the gist of records management standards or requirements under Sarbanes-Oxley, in the language
there is no specifically stated standard that must be adhered to. However, we would firmly suggest that the
DoD 5015.2 standard be taken under serious consideration as part of the standard for managing records.
Sarbanes-Oxley in Section 802 does not require this, but it certainly is seen as a best practice, and indeed is
kind of the de facto records management standard for corporate and commercial enterprises throughout the
US. So we urge taking a look at 5015.2 as the standard for your records management processes.
As I alluded to before, the content that is relevant and core to the Sarbanes-Oxley process will include paper
and physical records, will include electronic records, and will increasingly include transactional records such
as snapshots out of an ERP system or a financial system such as ledgers and subledgers, maybe coming out of
proof-of-delivery systems, maybe coming out of imaging systems where you can see invoices or bills of
lading. It will also include communications, specifically electronic communications in the form of e-mail and
instant messaging. This is something that the SEC has also recently clarified: e-mail and instant message
communications are required under this section.
This is giving pause to many organizations out there, specifically as it relates to instant messaging. We urge
that folks looking at potentially deploying any type of infrastructure within the Sarbanes-Oxley process take a
hard look at how financial services firms treat instant messaging within their enterprise. I think you will find
that many of these organizations have locked down or banned many types of instant messaging. Financial
services firms can show some leadership here because they have been faced with the same regulations
under SEC Rule 17a-4 for the management of this type of communications.
One key principle through any records management process, and specific to Sarbanes-Oxley, is the retention life
cycle: the management and retention for a minimum of seven years of all the content that is related to and required
under the various SOX sections. Another is immutability. Immutability is just a fancy word for
unchangeableness: the ability to lock down content so that it cannot be altered, destroyed, mutilated,
falsified, etc. This is, if you look at it, one of the key underlying components of why we are here now.
Records management, or the lack of records management, has become almost a household topic. Granted
that there has been a fair amount of fraud involved, but without any type of proper or standardized records
management procedures, that fraud is a lot more difficult to perpetrate.
Who has access? Who is the author? Who can retrieve? And audit trails: who accessed? Who authored?
Who made changes? Who provided versioning and such? So distilling it down, Section 802 is fundamentally a
records management strategy.
Figure 20 Why Records Retention Now?
Why records retention now? Understanding how you are addressing your SOX-related content is critical. You
will be asked. And this is the type of answer you are going to need to provide to the CFO and the CEO to
ensure that they have the proper controls, transparency, and visibility to sign off that you are indeed
managing the electronic content, including the electronic communications, in a manner that meets Section
802 requirements.
Consider the existing standards, such as the DoD 5015.2 specification, or even the ISO 15489 standard, for
guidance. These are good starting points to learn what goes into a very valid and very stringent records
management strategy. Fully understand the existing market technology. How do the conversions of enterprise
content management, records management, and electronic communications management tie together, and
where can you build a baseline and potentially single-source from a single vendor? Additionally important
would be WORM storage, or write once, read many. These are storage options that are not specifically
mandated by Sarbanes-Oxley in Section 802.
WORM storage specifically prohibits any alteration of content that is stored in these systems. So this may be
something from magnetic-based spinning disk WORM storage such as an EMC Centera or a Network
Appliance device, or maybe magneto-optical or ultradense optical that is WORM-certified. This is an
additional protection against any unauthorized mutilation, falsification, deletion, etc. Prepare to include the
transactional data, which may be extracts from ERP or financial systems, may be access to image systems,
any type of content that has been used to generate documentation for the audit and review process. And take
a serious look at how electronic communications may play a role here. SOX compliance requires complete,
secure, timely access to the content, managing the availability of that content, and ensuring the immutability
of that content.
Figure 21 Formal RM Program Elements
Here are some formal elements to keep in mind: retention schedules for the different content, which is
something where your records management folks will be able to help you. Written policies and procedures are
extremely important: how you document the policies and procedures on how you are managing the content
around Sarbanes-Oxley. Executive, legal, and IT approvals are the teams that you need to evaluate and
implement and sign off on the policy, as records management is truly a corporate policy. Employee training is
critical: their clear understanding of what is expected of them. What is a record? What is required to be
retained? What is not required to be retained? This is a very big issue that we are going to address in the next
section. And lastly, compliance audits must be used for testing and validating the system at least yearly to
maintain compliance and ensure that you are maintaining SOX compliance under Section 802.
Figure 22 Sarbanes-Oxley Overview: New Requirements
Jeff Selman: From a legal perspective, there is much that has not been changed by Sarbanes-Oxley, just as
there is much, as we have discussed from a procedural standpoint, that has been changed. But looking at this
at a conceptual level, the significant change that Sarbanes-Oxley has wrought on the legal landscape is that
there is much more disclosure that is required at a much faster pace than we have ever seen before. And as a
result, it creates the possibility for much more risk and more liability for a larger number of players.
There is already a significant amount of change from a public disclosure standpoint that has taken place and
that will continue to take place. Similarly, there will be the requirement coming into place next year under
Section 404 to have internal controls over financial reporting that again must be certified, and that the
independent auditors will have to attest to the efficacy of.
In addition to the enhanced public disclosure, it is a more-disclosure-and-faster regime that Sarbanes-Oxley has
given to the world. We are already looking at, beginning next year, a faster pace at which disclosure has to be
made, including by way of the periodic reports such as Forms 10-Q and 10-K that get filed by companies, which will
be on a quicker time frame than they have been historically.
In addition to the expanded disclosure and the faster time frames for disclosure, another significant impact of
Sarbanes-Oxley is the expansion of the number of players who are responsible for taking part in the
disclosure process, taking it beyond the level of senior management up to the board level, to the members
of the audit committee, and to outside players such as the attorneys and the accountants. And from a legal
standpoint, that also means a spreading of the liability among a larger group of players. So what we see
Sarbanes-Oxley doing is creating new responsibilities for the audit committee, such as the requirement that
the audit committee now oversee the auditors and the financial reporting process as well as creating
procedures for whistle-blowers, and spreading new roles similarly to attorneys, where attorneys are now required,
when we have evidence of material fraud or breaches of fiduciary duty at the corporate level, to report up
the ladder, potentially to the SEC.
We should note that it is not just Congress under SOX or the SEC that has gotten into the act here, but also
groups such as the New York Stock Exchange have undertaken efforts to come up with new roles that are
again aimed at getting out more disclosure on a faster time frame. So the bottom line on this figure is that
there is new stuff that is happening. From a legal perspective, however, there are no new causes of action to
speak of. There are new ways to be able to state causes of actions for things such as breaches of fiduciary
duty and violations of the existing securities statutes. And the reason why we can have new areas of stating
these things is there is so much more that has to be done by the various players that I have named.
Figure 23 Sarbanes-Oxley Overview: New Penalties
Despite the fact that there are no new causes of action that can be stated, there are new penalties that can
arise in the event of violations. For example, the CEO and the CFO are subject to penalties such as having to
forfeit their bonuses and profits from the sale of stock in the event that there is an accounting restatement for
the corporation resulting from misconduct. In addition, the certifications that they have to make now do bring
with them criminal penalties in the event that they are false.
There are now criminal penalties in the event that there is a destruction or alteration of records during the
course of a pending federal investigation or bankruptcy. And to make all this easier for people to be able to
state claims, we have lengthened the time frame for the statute of limitations for securities fraud, to give
people a longer opportunity to be able to make determinations that either disclosures have not been made
that should have been made, or that the disclosures that have been made, for example with regard to the
efficacy of disclosure controls and internal controls, are not in fact accurate.
Figure 24 Compliance Overview
Looking at this from the 30,000-foot level, we see that Sarbanes-Oxley creates a system where we have to
have more disclosure in a faster time frame. To make that happen, we have to recognize that it is essential to
have good processes in place that will allow for disclosures that need to now be made. And failure to have
that, as I said, creates a situation where liability can arise whether it is the securities fraud because a
misstatement was made with regard to the disclosure controls, or due to the failure of the disclosure controls,
an omission of a material fact, or a breach of fiduciary duty or the duty of due care from the officers and
directors and the other players. As a result, when the disclosures do come out, there is a drop in the stock
price.
What does this mean? To have good disclosure, it is going to be absolutely essential to have good document
management processes. That includes both the ability to gather information on a documentary basis, to be
able to assess that information, and to retain the documents that are necessary to show that the procedures
were in fact followed. That latter point then points out that the document retention aspect is a critical part of
the document management process.
Figure 25 Document Retention Policies: Why You Need Them
The overarching theme for document retention always has been, and should still remain, that you retain those
documents that you need to have to be able to serve your operational or business purposes or needs, as
well as those that you are going to be required to have from a legal perspective. But you should not be
retaining anything beyond that. So a document retention policy that says we save everything clearly is
not going to be a good document retention policy, because it will not help meet the needs of being able to
show what you need to have from a compliance standpoint, or be able to implement from a compliance
standpoint to be able to make assessments of the information that you do have, since you will have too much
to go through.
Failure to put a policy in place can be disastrous in that you will not be able to make assessments of the
information if you are just gathering everything or gathering too little, and you will not be able to show that you
are following the processes that you need to be following. On the flip side, there is a corollary to this. In the
event of a governmental investigation or proceeding either by the SEC or the Department of Justice, the US
federal sentencing guidelines provide that leniency will be granted from a penalty standpoint to these events if
there is an effective compliance program in place.
Being able to have a good document management and document retention policy and being able to show that
you are following that policy are considered by the government to be evidence of an effective compliance
program that will allow for the granting of leniency in the event of a governmental proceeding.
Figure 26 Document Retention Obligations in Civil Litigation
Document retention is one of the obligations that a party has in the event of civil litigation. First, there is a
concept in the law called spoliation, and this is not something that is new but has been around for a long
time. The general rule is that, once you enter into litigation, there is an obligation of the parties to preserve the
records, to preserve all documents, and not to allow documents to be altered or destroyed. This gets picked
up as a concept in the Section 802 rules of SOX, but as I said, this is something that is not new, and has been
here for a very long time.
What we see courts undertaking when there is evidence of spoliation is that they have and will continue to
have broad discretion to sanction, including issuing monetary sanctions, evidentiary sanctions, or even
end-of-case litigation sanctions. Sarbanes-Oxley in Section 802 does, however, add something new, which is that it
creates a new federal criminal penalty for document destruction in anticipation of litigation being
brought from a governmental standpoint.
Finally, from a political standpoint as opposed to a legal standpoint, there is a lot of political pressure to bring
obstruction-of-justice charges based on document destruction. The expectation is that, as this is now the
politically "in" thing to do, this will continue for at least the near term.
Figure 27 Document Retention Policy Guidelines
I will pick up a couple of things with regard to document retention policy guidelines that we as lawyers would
regularly recommend to our clients. First, the important thing is to remember that the purpose of document
gathering and retention is to be able to mitigate liability and to be able to improve the disclosure accuracy by
being better able to assess the information that is being gathered. It is not to gather everything and keep
everything for as long as can be.
Another important point here is to remember that documents are not only paper records, but as we have
discussed, electronic records. And when undertaking to destroy documents, it is important that the document
destruction include the electronic records. Furthermore, the document retention policy should be based on
two things: the legitimate and unique business needs or operational needs of the company, and the legal
landscape and requirements. So in terms of putting together a document retention policy, a company should
focus specifically on those types of things, and think about what it is from their standpoint that they need to
have. So it is not necessarily a one-size-fits-all scenario.
Furthermore, the document retention policy should be making determinations as to what documents to keep
and what documents to destroy, based on the business purpose of the document, and not on the content,
whether it is good or bad.
Figure 28 Document Retention Policy Guidelines
The retention periods should be consistent with the industry norms, and should also be as required under
applicable law for those industries where there are actual legal requirements for keeping documents for
specified time frames. The document retention policy should also require clear procedures for contacting the
compliance officer of the company to the extent that there are questions, and there should be audits with
regard to ensuring compliance.
That point becomes particularly crucial to the extent that, from a Sarbanes-Oxley standpoint, you want to be
able to show that you have in fact complied with the various disclosure and internal control requirements that
you need to comply with. One final key point here is that any document retention policy needs to include what
I will call a stop function. In the event that there is foreseeable litigation, actual litigation, or pending or
about-to-begin governmental investigations, there should be a cessation of document destruction so that we do not run
into the spoliation problems that I have already described.
Figure 29 Beyond Compliance: Or the Joy of SOX
Stan Lepeak: We have gone through a lot today, and there is a lot involved with SOX compliance, with first
gaining compliance and then maintaining it. But the point is to also keep in mind the bigger picture of going beyond
compliance, or achieving, as we like to say, the joy of SOX. You look at how you leverage these investments
that you have made, so when you have greater process visibility, operational efficiency, visibility into services,
better capabilities around sourcing, and a sense-and-respond organization, how do you take advantage of
that to improve your competitiveness relative to your peers? These SOX investments are not just the cost of
doing business; they help to take your business to the next level.
Figure 30 Transformation Steps
John Van Decker: There are a couple of approaches that can be taken here. One would be tactically looking
at getting some of your applications up to speed to meet SOX compliance. But the other is to look at your
applications as a whole and across your whole set of business applications that are part of the financial
management process. Consider not only complying, but also moving to some best practice and some process
improvement. It is important that folks understand Sarbanes-Oxley, the impact to the business, and to start to
define and implement some more comprehensive Sarbanes-Oxley IT blueprints. Again, it is not just about
internal control documentation solutions. It is about visibility, transparency, financial controls, content
management, etc.
I think it is important that firms know how to effectively engage IT, as well as IT service providers, in
compliance efforts, and to start thinking about where they are on the maturity curve. They should look at
where they need to be, with the initial assessment around financial controls. Longer term, how can they
leverage this to become a more effective, efficient enterprise? I think it is also important that they understand
and digest a lot of the legal requirements and demands around records management that were discussed
today.
Appendix B
Transcript 2069
13 January 2004
208 Harbor Drive Stamford, CT 06902 (203) 973-6700 Fax (203) 359-8066 metagroup.com
Copyright 2004 META Group, Inc. All rights reserved.
Transcript
Figure 1 2004+ Business Scenario Update
When you look at SOX initially, some called this a full-employment act for IT. It was viewed as the next big
boom in terms of spending by organizations. And while organizations are investing a lot in gaining SOX
compliance, it has not turned out to be the type of investment that necessarily has spurred the IT products
market. We will talk more about that going forward. But we see that organizations now are increasingly
shifting the focus as to how can they leverage SOX, versus viewing it just as an event that is going to cause
them to buy more IT stuff.
Additionally, it is important to remember that SOX is not the only compliance mandate on most organizations'
agendas. There are a variety of other mandates like HIPAA, Gramm-Leach-Bliley Act, and the USA PATRIOT
Act. We want to talk today about how you can coordinate and leverage these multiple efforts into concerted
compliance efforts. We will talk about the SOX information technology blueprint that we are developing at
META Group, again, looking at how you can ultimately achieve the joy of SOX and how you can leverage
these investments into something more.
Again, SOX and related compliance mandates are permanent elements in today's business environment.
They are not going away. The challenge is learning to live with them, learning to love them, to the extent
possible. In the box on the right, you will see some of the specific bullets that we will be covering in the
balance of this presentation.
Figure 2 The Fundamentals
Randy O'Hare: Let us start with Figure 2. To set the stage (and I presume everybody on this call has heard
something similar in the past, but it cannot be overstated), the Sarbanes-Oxley Act is the biggest thing to hit,
and the biggest change in, corporate America in the past 70 years, since the Securities Act was passed back
in the early 1930s. This is very big, it is new, and it carries with it all the difficulties, troubles, and tangential
issues that any major new legislation brings.
Even though all the final standards are not yet available (and we will talk about that in a few minutes as to
where we are), the fundamental concepts are not going to change. The fundamental big new things are that
management is required to actually sign, make an annual assertion, and sign an opinion, if you will, on their
own internal control compliance and the effectiveness of their internal controls over financial reporting. This
has never been done and never has been asked to be done in the past. This kicks in for all large companies,
which is the majority of public companies, for their first year ending after June 15, 2004.
So six months from now, or eight months, the first ones will have to be signed and filed. And all calendar-year
companies will have to by the end of this year (2004). There is a one-year delay for both foreign-based SEC
filers (called foreign private issuers) and for the smaller public companies that have float of over $75 million,
and some other technicalities for companies that just have outstanding debt and not equity. For those
companies, they get a one-year delay; 2005 is their first year and technically years that end after April 15,
2005.
The first thing is managers have to make this annual assessment and assertion and opinion on themselves.
Importantly (and this is a major change), the level of documentation of controls, processes, and systems
has to be greatly enhanced. I have said before there is not a company in America or the world that was
prepared for this in terms of the level of documentation that will be required. Then there is a great deal of
testing of those controls.
External auditors now, also for the first time, have to give an opinion on the effectiveness of a company's
internal controls, and the effectiveness of management's process for management to make that assertion. It is
a dual-track (related but dual-track) opinion. Those opinions will be included in public filings and be a matter
available to the public. Another major fundamental involved in this, in order for management to make this
assertion regarding internal control, you could say it is in the eye of the beholder, and there certainly is a fair
amount of judgment involved. There is a requirement to have a framework that establishes criteria for
companies to measure against the effectiveness of those controls.
The most popular one is COSO, an acronym for something that was developed nine years ago: the
Committee of Sponsoring Organizations. This gives a definition of internal control and provides a framework
for evaluation. Something that has already been in play for a while after the Sarbanes-Oxley Act came into
being in July of 2002 was the requirement for management to include a CFO and CEO personal certification
into their quarterly filings. That has been ongoing, and that is a significantly different level of involvement. The
point is that CEOs and CFOs have to be engaged to take responsibility for the company's internal controls
(in that case, something called disclosure controls and procedures), that is, taking responsibility for any of the
information that is disseminated to the public through its 10-Q filings or its press releases.
The biggest change is the one yet to come, and that is the one that is called the 404 requirements, which is
what I have been talking about. It is the annual process, and 404 happens to be the section of the
Sarbanes-Oxley Act that refers to this annual process by management and the auditors.
Figure 3 Overview of COSO
Moving on to Figure 3, this provides a visual and an overview of the COSO framework for internal control.
COSO gives the definition of internal control, and it is defined as a process. It is a process; it is a series of
elements that come together as a process to provide reasonable assurance in the achievement of objectives
in three areas. Those three areas are the effectiveness and efficiency of operations (the business operations
of the company), the reliability over financial reporting, and compliance with laws and regulations.
COSO indicates that there are five components of internal control that need to be in place and working
together to achieve those objectives. Internal control has those three areas that I just described. Those five
components are shown on the face of the cube on this figure, and it starts from the bottom up. Control
environment formulates the basis; it is the whole, the environment, the tone set at the top of the organization;
it is the culture and environment of the company. It includes things such as business conduct, ethics, all
kinds of things that set the tone for the environment of whether the company is control-conscious or not.
The second component is risk assessment. To have a well-controlled environment, one of the first things you
have to do is make an assessment of your risks and identify where, throughout the business, the risk is from
an operations standpoint, from a financial reporting standpoint, and from a compliance standpoint. What are
the areas of risk?
Control activities are the third component, and those are what most of us think of as controls. They are the
specific controls, policies, procedures, and checks and balances that are put in place to either prevent
problems or detect them.
Fourth are information and communication, which is the two-way exchange of information and guidance and
training throughout the organization so that people know what they are supposed to do and can carry out their
activities in a controlled fashion.
Monitoring is the fifth component, which is the system and includes perhaps the internal audit departments. It
is the system of monitoring the procedures and controls that are in place to ensure that they are in fact being
executed as planned.
It is important to note that COSO is a broad definition of internal control. As you can see, these three areas
(operations, financial reporting, and compliance) cover all aspects of a company's operations. What we are
talking about for the 404 requirement to assess the effectiveness of internal controls is focusing on the
internal controls in that middle segment of reliability of financial reporting. Controls over operating
effectiveness, and compliance with regulations that do not have an impact on the financial statements, are not
included in Section 404 requirements.
Figure 4 The 404 Attestation: The PCAOB's Proposed Standard
Moving on to Figure 4, this outlines some of the topics that are covered by the PCAOB draft standard. For
those that do not know, PCAOB stands for Public Company Accounting Oversight Board, a new government
body, monitored and controlled by the SEC. It was established by law under the Sarbanes-Oxley Act, and its
role is to oversee the auditing standards and the auditing process. The PCAOB works hand in hand with the
Securities and Exchange Commission on Sarbanes-Oxley Section 404 in establishing the rules,
requirements, and standards that both management and external auditors must follow to comply with this
process.
The PCAOB, affectionately called the peek-a-boo, was organized and established last April. Its first task was
to put out standards related to this 404 exercise. The SEC had decided that companies would have to report
under the 404 requirements on both management and external auditor opinion of their systems of internal
control, starting with year-end September 30, 2003, which already passed. Last summer, the SEC delayed
that to the current requirements I described earlier, generally starting in 2004. One of the reasons it delayed
that start date was because the PCAOB took several months to become operational, and the standards that
the PCAOB put out for the rules and guidance were not available, so it would be hard to execute and report
on something with no standards.
We are still fighting a battle with the clock because the PCAOB submitted its proposed, or draft standards, in
October, and the rules or requirements of due process required a 45-day comment period. Anybody who
wanted to (individual companies, accounting firms, other trade organizations, etc.) had through November
21 to submit comments on the draft standards. That period has now closed, and there were over 180 letters
submitted. The PCAOB is now in the process of digesting those comments and deliberating as to any
changes to be made to the draft standards before providing a final standard. And, unfortunately, there is no
drop-dead date for when it must have the final standards out; it is thought or hoped to be sometime this
month.
Once the PCAOB has put out its final standards, the SEC must review and approve them, then post them on
the Federal Register for 30 days before they technically take place. I think the reality is that, when the PCAOB
comes out with its final standards, which we hope will be this month, that will give everyone a clear indication
as to what the final rules are. The draft standard is upwards of 135 pages, is fairly comprehensive with a good
deal of material and insight, and certainly provides much of the information that is needed for companies and
their auditors to charge ahead on this process.
Some highlights of topics covered by this draft standard are that it introduces the concept of an integrated
audit. It combines the historical financial statement audit that auditors have issued for years with this separate
but related and integrated new requirement that an opinion be issued purely on the effectiveness of the
internal control systems and processes within the company. It does recognize that internal controls are not
one-size-fits-all, so it does not tie the hands or give rigid requirements and examples of what everyone must
have. It does not have a standard template, which is both the good news and the bad news. It allows
judgment to be brought into the process within guidelines. Sometimes the lack of specific, tangible structure
requirements can cause uncertainty, but that is an ongoing debate. However, it does provide some flexibility.
It also outlines some of both management's responsibilities and the auditor's responsibility. Technically the
PCAOB's jurisdiction is only over the auditing profession; that is its role. But since it works very closely with
the SEC, and the SEC technically makes the rules for companies to comply with, there is some bleeding and
blending and overlapping between the two. If you go through this PCAOB draft standard, it contains quite a bit
of guidance as to what management's responsibilities are.
It also establishes criteria for evaluating deficiencies and provides some definitions, including what is a
significant deficiency and what is a material weakness that companies and auditors must address. It deals
with auditor involvement in the quarterly process, earlier referred to as the 302 process that companies must
comply with on a quarterly basis. Auditors do not have much involvement, they just must know that there is
nothing inconsistent with management's approach on a quarterly basis from the annual. It also indicates a few
reminders of independence; for example, companies cannot delegate or outsource their responsibility to
their external auditor. Companies must have formed their own point of view and carry out their own
procedures.
Figure 5 The Path to Compliance Is Still Not Clear
Turning to Figure 5, I would say in the interim between the draft standards and the SEC having already done
its rule-making in this area last summer, there is a very large body of requirements available, both for
management and auditors. But in this interim between the finalization of the standards, acceptance of this
new world that corporate America is now living in clearly has occurred or is occurring. But the path to
compliance is still somewhat unclear in several areas.
As companies get into this requirement, there is a quickly growing realization that this effort is significant. It is
not something you can decide to do in March, gather up some resources, and then get this done in the
March/April time frame. A much longer timeline is required, along with a significant and comprehensive effort.
The pervasiveness of this act is also sinking in. All the processes in the company within certain parameters
must be documented. That is a major task in itself. Then, if those processes are identified, those controls will
achieve certain financial statement assertions that are designated in the standards and achieve the objectives
of internal control.
There is also a deepening understanding of the risk posed by technology in all this, particularly from the
non-IT people in companies and in the world. There is not a company around that does not have a heavy reliance
on technology for processing its financial information, as well as the related security and controls embedded
in what used to be the data processing department, but now distributed throughout and embedded in all the
applications. The realization of the complexity is also sinking in.
Figure 6 Moving Forward Means Addressing Areas That Are Problematic for Some
Turning to Figure 6, as I said before, this is all new. It provides many new issues and decisions to be made,
compounded by the fact that this is the first time anyone has gone through it. There are no benchmarks or
comparisons to compare against. A lot of the issues that must be dealt with are new and perhaps problematic
for some individuals. One area is documenting and evaluating the design of controls. The who, what, how,
when, and where questions are decisions that must be made. There is certainly guidance in the standards,
but as I said previously, there is also a fair amount of judgment and some flexibility as long as you arrive at
the same finish line.
There is not any flexibility from the standpoint of making it what I would call superficial; it is clear in the
standards that a substantial amount of documentation is required throughout the process, from the initial
documentation of the processes through documentation of the entire process that management used to make their
assessment of the effectiveness of the controls. Documentation of all the testing, conclusions, and judgments
that were made must all be provided.
Mapping controls to financial statement assertions will be a massive exercise. It is something that typically
has not been done formally and documented. In a lot of these areas, there are a great deal of intuitive,
historical approaches where companies can tell you about their processes and controls but they cannot show
them. The SEC and the PCAOB are now requiring substantiation of these processes and controls.
There are issues regarding the impact of service providers, where there are outsourced processes, lots of
issues and questions regarding those controls. How much is enough? How do you gain comfort from them?
What is the vehicle? Anti-fraud programs are put into the pie with all the corporate problems and reporting
problems that have been out there. There is heightened awareness for anti-fraud programs which are now
baked into the Sarbanes-Oxley requirements.
Figure 7 Moving Forward: Addressing Areas That Are Problematic for Some
Turning to Figure 7, reporting the relative impacts to the audit committee and to outsiders is a new issue. A lot
of these areas (making judgments on weaknesses and quarterly certifications) require legal advice and input,
legal judgments. And creating the whole internal control reporting process with all the documentation,
dashboards, compliance; these are all new issues and all problematic new requirements and judgments to be
made.
Figure 8 PwC's Recommended 404 Audit Readiness Approach
Let us look at Figure 8, which answers, from a high level, how are we going to ensure this readiness? How
are we going to ensure that we are ready, that we are going to make this deadline in the quality fashion? It
requires a phased approach, it requires a timeline, and it requires a comprehensive and diligent
project-management or project-support office aspect of this endeavor. It is a multitask, multitentacled process and
chore, and without sufficient project management and setting of timelines and following up, it can be a
disaster.
So one approach that we put out is a bit high level and simplistic, but it covers all the requirements.
Obviously, it is going to start out with the project and initiate it, and as I said earlier, assess the risks. Then a
major task is documenting the control and all the processes that feed into the financial statements and,
importantly, evaluating the effectiveness of that design. Do we have the controls designed to be in place that
we need to give us the comfort that our internal control system is effective?
And where we do not, you get into the third step, and you fix those. So you first evaluate the design, you fix
the gaps and the holes, and then you go back and re-evaluate and make sure you are at least designed
effectively. Then you have to launch into the testing phase, and you have to test to make sure that what you
are thinking is in place for controls actually are operating, and that the operating effectiveness is there. And
when you do tests and you find problems, then you go fix those. And you do not just fix that problem; you
identify the underlying cause, you fix the underlying cause, and then you move on.
And then at the end of that process is when you prepare your report. And shown on this figure is the
attestation and the report that is really for the auditor. That is the last physical step, but as the arrow
indicates at the top, that is involvement from the auditor throughout the process. What you do not want to do
is have management do its process in a vacuum, then have the auditor look at it and say it is not sufficient.
The suggestion is that the auditor is involved throughout, at a minimum as an oversight and a sounding board
to work with management to develop an effective process for going through this evaluation.
Figure 9 Audit Action Plan Timeline
Moving to Figure 9, this is a sample timeline that takes these steps and puts them in perspective. You can
look at this and assess where you think your company is, and there are many different ways to carve this out.
The previous figure had five or six phases, but there are many other ways and obviously a great deal of detail
below that. But usually this is an indication of where companies ought to be at this point in time if you were to
draw a line down as of January 13. And if you are a June 30 year-end, which obviously has a quicker
reporting requirement than a December 31 year-end, or somewhere between then and December, you have
to be on an accelerated timeline. If you are December 31, you can assess, based on this timeline, where you
are and whether you think you are on target or behind in getting this very significant and first-year effort
behind you and done in a quality fashion.
Figure 10 META Group End-User SOX Survey 10/03
Stan Lepeak: Turning to Figure 10, what we would like to do in the next couple of figures is share with you
some findings from recent META Group surveys. Along the same lines as the timelines we just looked at, the
goal is to let you know where you sit relative to your peers in terms of progressing toward SOX compliance,
as well as interpreting what the ultimate benefits are that you will achieve from gaining that compliance.
Figure 10 talks about some end-user polling. And I will go through these next couple of figures pretty quickly;
you can obviously read the numbers, and we do have deltas written on this. One interesting note on Figure
10 is that 42% of companies that are not covered specifically under SOX mandates are still looking at
evaluating internal controls. So that highlights that the SOX umbrella is broader than just the classes of
companies based on market capitalization that are called out as having to respond to SOX. A large number of
additional companies are responding either because they are being forced to (for example, for bank
covenants or by suppliers) or because they recognize it is a good framework for managing internal controls. I
think over time we will see that number grow.
For those that are targeted by SOX, 35% are relying heavily on external auditors, but 41% are going it on their
own, from the standpoint of still using an auditor to assess actual SOX compliance but in terms of determining
how to get there, pursuing that in and of themselves. And most feel they are on track, some are struggling,
and many are still in the process of defining the blueprint. Probably most important of these findings was that
49% of organizations see SOX as a cost of doing business, but a number very close to that, 39%, feel that it
will improve competitiveness.
That really gets at leveraging SOX for more than just achieving baseline compliance. Other numbers that
came out of this were that only 5% of organizations felt that SOX compliance would make them less
competitive, and only 7% felt it was an unnecessary burden. So while there has been a lot of talk in the press
and among pundits that SOX is the sand in the wheels of the economic recovery, we do not see that reflected
in the organizations that are pursuing SOX compliance.
So the point is to understand your organization's relative maturity to its peers, and what we have illustrated on
the side of the figure is a new SOX maturity model that META Group has developed. We will talk more about
that in the upcoming figures.
Figure 11 META Group Vendor SOX Survey 11/03
Moving on to Figure 11, this is some polling we did of the sell side, of the vendor and service providers that
are selling goods and services into the SOX market. Here the story is a little bit different. The vast majority of
these vendors polled (and vendors would be product vendors [software and hardware] as well as service
providers) thought SOX would improve their sales year over year. But most had, to date, not yet seen that,
and this was as of just two months ago. Many challenges are being faced by these firms attempting to sell
SOX products, more so than services. It has really been more of a struggle for the product and software
vendors than for service providers, particularly audit firms.
But there are a lot of challenges in terms of mapping offerings, gaining adequate visibility, and defining value
propositions. We have highlighted some of those key challenges in the box on the right. The key is that if you
are someone selling SOX products, particularly software, you need to make sure that what you are selling is
targeted at what clients need. It cannot be a rewarmed offering in a SOX wrapper. It needs to be something
that out of the gate will help clients achieve SOX compliance. We will talk about what products might do that.
But from the perspective of the end-user organization, this highlights that the majority of firms today have
most or all the IT stuff they need for SOX compliance. It is more about how you utilize that stuff to do some of
the things that Randy detailed in the previous figure.
So we are reiterating that we do not feel that a significant investment is required in IT software or hardware
today. Over time, that might be the case, but today it is really a function of applying the best practices along
the lines of what Randy was just describing to achieve minimal SOX compliance, then looking to leverage that
over time.
Figure 12 What Are the Top Preferences for SOX Solutions?
Moving on to Figure 12, we will talk about what are some of the top preferences. This came out of some
polling we did earlier in the year, in terms of what organizations are looking at for solving the SOX challenge.
And what is very obvious is there is no one single solution. It ranges from a very, very low number of firms
that were going to use this as the lever and the requirement to swap out a legacy ERP system, up to firms
that were looking at implementing some dashboard technology to help with visibility and reporting and
process controls.
The key point is there are a variety of elements in the SOX IT blueprint, and we will detail those more in the
upcoming figures. But again, most organizations feel they have most of the tools they need, at least for
minimal compliance, and when they are looking at building out an IT blueprint, multiple IT elements will fit into that
blueprint.
Figure 13 SOX Investment Timeline
Moving to Figure 13, we will lay out what we see as the SOX investment timeline. What we have illustrated
across the top are some key points in terms of the SOX evolution from the deadline being pushed a little
under a year ago, to the scoping that occurred throughout the balance of last year, to where organizations
now are investing in some of the tactical tools they will need for compliance, primarily 404 tools that can help
with process mapping, reporting, and creating an environment where that reporting can be evidenced back to
the auditor.
We see that the second half of this year is going to be a time when organizations take a breather. Obviously,
if your first deadline is not until the end of the year, your breather will be the first half of 2005. But the point is
that after the initial compliance deadlines are met, organizations are going to start to regroup and look at what
are the longer-term investment requirements? What do we need to invest in to do SOX better or easier the
next time around? What do we need to look at in terms of leveraging some of the investments we have made
in process, visibility, or transparency into our processes? How do we begin to leverage that?
The other piece of that is it is going to take some time when you start to look, for example, at ERP or financial
management system solutions. It takes time for those vendors to truly embed SOX-relevant capabilities into
those products. These are massive applications, and enhancing them to, for example, do a better job at
workflow, reporting, consolidation, and the like is a long-term effort, both to build in those capabilities, and
then obviously those capabilities need to be rolled out in a normal upgrade cycle that is palatable to the client.
We certainly see that it is going to be minimally into 2005, if not a little later, before clients start to upgrade to
new generations of their core enterprise systems. And that could also be CRM or supply chain systems to the
extent that those applications also need to embed SOX capabilities. We are looking at well over a year before
most organizations start to make those changes.
True process transformation (reviewing, re-enhancing, and rebuilding processes in the systems from the
ground up to support and leverage SOX) is a couple of years out. The arrows on the bottom indicate the
relative size of some of the investments that organizations are making, so business and audit services are
something firms have been investing in, looking for outside help, advice, and counsel, and that will continue to
be the case. IT services will start to pick up a little bit later as firms start to invest in new enterprise systems,
either for transaction processing or for content management and document management and collaboration,
another key area.
With the ERP/FMS kick really not starting to happen until later this year, this is laying out, again, not in
scientific terms or specific market size numbers, the general timeline for the investments. So from the
standpoint of a vendor, address accordingly, but from a user standpoint, again recognize that for the most
part, you probably already have a lot of what you need in terms of software. The question is what you need to
change strategically and long term as SOX becomes part of the fabric of not only your business processes,
but also your underlying IT systems.
Figure 14 SOX Dimensions
Figure 14 calls up how you look at SOX holistically from the business, and in particular, from the
information technology standpoint? A variety of elements need to be introduced into your core IT systems to
support SOX visibility and transparency not only into your internal systems, but also into those systems
that touch your customers and your business partners. That is where it becomes apparent that SOX is not just
about financial management systems, it is also about customer relationship management, supply chain
sourcing and procurement, and all those other systems that extend outside your organization to touch
customers and partners, and through those touch points create financial transactions and other elements that
fall under SOX control.
Financial controls and record retention are a big piece, particularly when you start to look at Section 802: the
ability to communicate changes both internally as well as to other constituents, such as board members,
auditors, shareholders, and external regulators. It is imperative to build systems that can support your overall
risk-management compliance and governance framework, with the key piece being fraud prevention.
When you look at all the elements that need to be introduced, obviously there are multiple pieces. There is
your enterprise software, there is your business risk management and audit services providers, and there are
your IT services providers. What that creates is a holistic SOX information technology blueprint. As
organizations look strategically, moving beyond short-term compliance, this needs to be the road map for
building up those IT capabilities.
Figure 15 SOX IT Blueprint
Moving on to Figure 15, we are looking at what META Group has defined as a SOX IT blueprint. We are
looking at the blueprint from the standpoint of the software that will be required to ultimately support SOX.
There is a lot more detail that we have written on this, and, in particular, John Van Decker has written several
Deltas that dig into the next level of detail of this.
What this calls out are four classes of products and where we feel the relative percentages, the criticality,
or the amount of SOX compliance will be reflected in these products' capabilities. If you look at your 404
risk assessment tools as well as 302 and 906, they are going to comprise about 10% of the effort. The vast
majority of the effort, in terms of supporting SOX compliance, will come from transactional solutions, ERP,
financial management systems (either off-the-shelf or homegrown). And what is required is that they enable
better configuration, workflow, and a lot of instant consolidation as well over time.
Enterprise content management is playing a key role, especially with Section 802. The other dominant
software component will be your business intelligence, business performance management, and portal
products that support efforts to cross multiple sections of SOX.
Obviously, this does not get deeply into infrastructure, and there are infrastructure investments that will be
required to do this. And this does not touch at all on security. We want to highlight, particularly with security,
that we are not at all de-emphasizing that piece, or de-emphasizing the technology that will support security
and security best practices relative to SOX. Rather, that is a whole story in and of itself, and rather than not
address it adequately, we are putting that as a placeholder.
The key is that your organization needs to have a version of a SOX IT blueprint in place today, and you need
to use that to start building out your specific SOX road map from the IT perspective.
Figure 16 SOX Maturity Levels 1Q04
Figure 16 starts to detail the SOX maturity model that we have been developing at META Group. Again, there
is much more we can discuss offline, and we have written more on this as well. But this is going to be one of
our key offerings this year to help our end-user clients achieve and evidence their SOX efforts. What we have
developed is a six-stage maturity model starting from exploration through ongoing optimization and support of
SOX efforts. That is across SOX as a whole as well as calling out four key section areas: 404, 409, 302/906,
and 208.
What we have highlighted is where we estimate the market is at today, with the bulk of organizations in
project execution, and that is where we hope everyone is very shortly. Even if you are not required to do this
until the end of the year, there is a lot of work to be done. And some organizations are starting to wrap things
up and finalize that, with the key element being Level 5, the ongoing optimization and support. We encourage
anyone interested to contact us offline to walk through more of the elements that are in these different stages,
the key inflection points to move from one stage to the next, and to determine how we can assist your
organization in assessing where you are today and what steps you must undertake to move to the next level.
Figure 17 SOX Implications on Outsourcing
Turning to Figure 17, one area that we see has been overlooked relative to SOX compliance is how to
address SOX compliance when you have outsourced covered business processes. That could be not only
business processes, but also the underlying IT systems and applications that support those processes. As
you are aware, virtually all organizations currently have outsourced some part of their IT operations and one
or more business functions in some cases, maybe entire business processes. We are also well aware that
there are many very large IT and business services firms out there that are strongly pushing their business
process, business transformation, and functional business outsourcing services on clients.
The key element though is that when you look at SOX, SOX does not differentiate between processes that a
client insources versus those it outsources. This means that any user organization needs to attest to
outsourced process compliance in the same way as it would if that process were not outsourced. That
introduces a degree of complexity in that: a) processes that are not in-house are being managed by a third
party; and b) the client typically does not have the visibility into those processes as it would if they were held
internally. For that matter, in many cases, the outsourcer does not, either.
This was an issue before SOX came to the fore. We were increasingly hearing dissatisfaction from clients as
to the level of visibility into outsourced processes, and SOX has just highlighted that concern. It has created
an issue where users are challenged in getting the degree of assuredness relative to SOX compliance for
these outsourced processes that they can attest to. Historically, you had SAS-70, or Statement of Accounting
Standards 70, audits that were utilized to look at controls in place around outsourced processes. The problem
is that those SAS-70 audits were not designed with SOX in mind; they existed long before SOX.
And the other big problem, also evidenced by some of the things Randy spoke of earlier, is that there has
been no regulator clarification as to what is required to prove outsourced process compliance. The PCAOB is
as we speak looking into this. It is getting feedback from a variety of interested constituencies, but it is not
likely that it will issue a finding until later this year, which will be too late for many organizations. We do not
expect the deadline for SOX compliance to be pushed as it was earlier due to lack of clarification.
A key issue for any organization that has any outsourced processes that are touched by SOX is getting
consensus among its auditor, its board, its executives, and those tasked with meeting SOX compliance about
what is enough relative to SOX compliance. Going forward, keep a close eye on what pronouncements come
out from groups like PCAOB, because they could potentially significantly change the reporting requirement,
management, and the overhead associated with process outsourcing.
Figure 18 When Critical Controls Are Part of Outsourced Processes
Randy O'Hare: With Figure 18, I would like to reinforce the point that Stan made. Sarbanes-Oxley does not
distinguish between an internally controlled process and outsourced process, to the extent that it affects
information that is in the financial statements, which is most of those processes. So management does have
that responsibility to address the controls over outsourced processes, just like internal processes.
As Stan indicated, typically not for this purpose, but typically when there have been situations or a need to get
some comfort on the adequacy of the controls that are involved in the processing that is done in these
outsourced processes, there has been a mechanism called the SAS-70 exam. And there are certain
requirements to get those done, and there have been basically two types. There was one that just focused on
the design of the controls, and then a second type which was both the design and also covered tests of the
operating effectiveness. This aspect fits right in with what I had described earlier for the definition of internal
control and the requirement in Sarbanes-Oxley to focus both on the effectiveness of the design of the controls
and their operating effectiveness.
For starters, one would say a Type 1 SAS-70 exam does not do any good for Sarbanes-Oxley. A Type 2
could potentially, and probably will, be beneficial (in many cases, satisfactory and sufficient) to cover the
controls of those outsourced processes. But it does raise several issues, and one of the issues is timing. Even
before that, I should preface it by saying the request for the SAS-70 exams in the past and reports has been
on a case-by-case basis, depending on what the user's needs were. The need for this type of review and
report is going to be significantly increased, because now virtually all processes that are outsourced that
could potentially have any significant impact on a user's financial statement have to be covered in one way,
shape, or form. And the SAS-70 approach is certainly thought to be the most efficient at this point.
So the volume of these is going to increase, and there are issues related to the timing of when the SAS-70
report is issued versus when it is needed, and what period is covered by the various users. Typically, there
would be one SAS-70 report for a myriad of users, and each of those users might have different needs. So
there probably is going to be some modification required to the approach used for these SAS-70 exams. A
company with outsourced processes (which is most companies) should be talking to its service provider as to
how it is going to get the requisite coverage and comfort over the controls in those processes.
Figure 19 Preparing for Recurring Annual Evaluation
Moving to Figure 19, now we are going to move on to the question of, after this first year of compliance with
Sarbanes-Oxley, what do we do and what do companies want to do but are only thinking about in terms of
achieving additional benefits that they could bake into their normal operations? For most companies, the first
time through is going to be a struggle just to get to the finish line and to achieve compliance with the
requirements. Some time after this first year, companies are going to be thinking about issues like how do we
optimize the level of our internal control and our processes? How do we take it to the next level? How do we
build in effectiveness and efficiencies?
One of the benefits of this requirement of having to look at all processes and the controls that are in place that
can be realized in Year 1 is that as you are going through the processes and looking at all the controls, many
companies are going to find that in many areas they are overcontrolled. They have a whole bunch of
redundant controls to achieve the same thing, and they probably do not need all that. So there are some
near-term efficiencies that can be built in, but companies are also going to be looking to how they can build in
some longer-term, permanent efficiencies and benefits.
And what kind of mechanism, systems (IT-enabled, automated systems) can we have that will allow us to
factor in changes on an ongoing basis? Everything is changing all the time, and every time there is a change
in the business, there is a change in the process or systems, and that needs to be factored in, updated, and
incorporated into this ongoing, real-time, dashboard-based type of approach, to optimizing internal control. A
lot of companies are feeling that Sarbanes-Oxley this year is the baseline. As Stan said earlier, it is here to
stay. So the best companies are going to be addressing their 404 compliance in the context of how to achieve
an enterprisewide kind of governance, risk and control process, and the systems that go along with it.
Figure 20 Optimization and Ongoing Support
Stan Lepeak: Moving to Figure 20, and just to echo some of the comments that Randy just made about what
do we do next once we get beyond these initial compliance deadlines, certainly it is considering how SOX
touches virtually all aspects of the business and all aspects of the underlying IT systems. Any system that
touches financial transactions or can impact that will ultimately be affected. That is to the point of
enterprisewide not only governance strategy, but IT strategy relative to Sarbanes-Oxley compliance.
The greater visibility that organizations will have into services, the greater visibility into outsourced processes.
How can an organization leverage these changes to become more competitive? You are going to gain these
benefits as part of going through SOX, but organizations that are most insightful and most aggressive will be
thinking already about how to leverage them to create what we at META Group call the sense-and-respond
set of capabilities, and a sense-and-respond organization.
As part of all that, you must coordinate and integrate SOX efforts and supporting systems with all the other
compliance mandated efforts you are pursuing. Again, it is another reason to look at better alignment across
the organization between the different constituencies as well as between those tasked with business process
and those tasked with supporting IT systems and applications.
Figure 21 Bottom Line
Just to reiterate: Understand the requirements, understand the basics, and understand the baseline and some
of the basic principles around compliance that Randy detailed. Understand the expectations and the position
of executive management of all the relative constituents, including the external auditor. Understand their
perspectives and their needs relative to SOX compliance.
Understand where you are. Obviously there are some specific deadlines, there are certain things that the
auditor will define as compliant or not, but it is very important that you as the user understand where you are,
and work with your external auditors to the extent that is appropriate. Understand what progress is being
made and where you are within this effort, because you cannot understand what more needs to be done
unless you understand where you are today. IT and the IT group is critical not only to SOX, but to all
organizationwide compliance efforts.
Ultimately, develop a mindset and a strategy, and then the tactics to look at leveraging SOX for greater gain.
Achieve and evidence the basic requirements and goals of SOX, but really look at and think about how this
does in fact make you a more nimble, capable, and competitive organization. So organizations must prioritize
gaining SOX compliance; leading organizations will support the benefits that it brings.
Appendix C
Transcript 2052
6 November 2003
208 Harbor Drive Stamford, CT 06902 (203) 973-6700 Fax (203) 359-8066 metagroup.com
Copyright 2003 META Group, Inc. All rights reserved.
Transcript
Figure 1, where we see Mr. Bernie Ebbers posing for his recently snapped mug shot, highlights the
importance of SOX legislation to your clients as well as ours. The goal here is to help your clients practice
safe SOX and avoid some of the pitfalls that have come upon Bernie and others. Most recently, as of
yesterday, the indicted former CEO of HealthSouth is now facing 85 counts against him, several of which are
a result of not adhering to SOX requirements. The bottom line is that this is a very serious issue for end-user
clients, and we all want to do what we can to help them.
Depending on your perception and perspective, SOX is seen as a scourge or a necessary evil or, some
say, a full employment act for IT, which might be music to the ears of some on this call. But, in reality, we see
it as both an immense challenge for our end-user clients and also something where, through the benefits
achieved in SOX, organizations can make some significant residual improvements to their operating
processes and, hence, their competitiveness.
The key is to approach this holistically by examining the risk dimension, the IT dimension, and the business
process dimension, and helping clients develop a holistic strategy and a holistic solution blueprint toward their
SOX challenges. It should also be recognized that this is not just a short-term endeavor, like some kind of
Y2K that goes away. Rather, it is laying the groundwork for how organizations are going to have to comply
with these and other regulations for the foreseeable future.
Figure 2 SOX Is on Everyone's Agenda
John Van Decker: Moving to Figure 2, one thing Stan has mentioned is that this is like a Y2K project, but it is
really a Y2K project without a January 1 and it does not go away. So what firms need are tools that can help
them provide an assessment of where they are and what their internal controls are around financial
management processes. It is on everyone's agenda, meaning there are many secondary implications.
Although officially the act is for publicly traded companies that have a public float of $75 million or greater, we
are seeing that there is a huge secondary impact on private companies.
META Group just published a research Delta discussing the various categories of private companies that
need to care about Sarbanes-Oxley. Numerous private companies are calling us and asking us how to
prepare for SOX. In fact, I had a discussion with a vendor yesterday that sells a Section 404 tool, and one of
its recent sales was to a large, private company that was considering going public. The thought here is that, to
prepare for going public or being acquired, it is very important for a firm to be able to demonstrate that it has
financial controls in place. So we will start seeing more private firms sign up for SOX services as well as
SOX-type products.
In terms of types of companies, firms that perhaps are part of a larger company supply chain or sales channel
may be told that they need to comply with Sarbanes-Oxley by the larger company. Another thing that is
important is that most private companies have board members that are engaged in Sarbanes-Oxley activities
in other firms or in publicly traded firms. So, there is a huge secondary impact, and overall the bar is being
raised. We are starting to talk with financial services firms that, as a requirement for obtaining funding, are
going to require a firm to actually have good financial controls in place and be able to demonstrate it.
In general, Sarbanes-Oxley will impact financial management expectations for all companies, and I think it is
important to note that, as you are selling to companies, you also have a message for the private company.
The inquiry load is becoming fairly consistent for us from private companies around Sarbanes-Oxley.
Figure 3 But SOX Isn't Everything!
Turning to Figure 3, it is very important to remember that while SOX is a critical imperative, it is not the only
imperative on the user's plate now. What is illustrated in this figure is the laundry list of other regulatory
mandates that end-user organizations are facing, and an alphabet soup of different acronyms that
organizations are working their way through. Other things come into play, such as the USA PATRIOT Act,
which certainly is a big deal for healthcare and insurance organizations; Basel II in the banking sector; and
various regulations coming out of the European Union. And then you have a whole range of different
approaches and tools that organizations are grappling to understand as far as addressing these things, such
as COBIT and SAS 70 relative to outsourcing.
The point is, when you are considering how to help your clients structure an approach to succeeding at SOX,
recognize that it is not the only thing on their agenda. So the degree to which you can help them leverage SOX
investments elsewhere, all the better. But also recognize that while this is a critical imperative, there will be
other things that will be distracting them from an attention as well as an investment standpoint. So we are not
implying that you all should become experts in all these areas, but you should recognize where there are
opportunities for overlap and leverage. Also recognize where these other initiatives may be competing for
the attention of those trying to achieve success with SOX.
Figure 4 Critical Issues
John Van Decker: We would like to discuss the critical issues that will be covered in the remainder of the
teleconference and give you an update on Sarbanes-Oxley. META Group has been involved in a number of
surveys around Sarbanes-Oxley, spending patterns, who is sponsoring Sarbanes-Oxley projects, etc. We will
give you an update on that. We have published some information on a SOX IT blueprint, and what business
applications can be leveraged for Sarbanes-Oxley compliance. And it is not just Section 404 tools; it really
reaches back into ERP and to legacy solutions as well as business intelligence.
We are going to map some of the vendors that are in these various applications areas. The only thing I regret
is that we cannot discuss every vendor, and I am sure that there are several vendors on the phone that we
will not mention. Let me apologize for that at the outset. I am going to talk about SOX spending timelines and
when we see organizations start making investments. I think it is a little early for firms to revamp their whole
business intelligence infrastructure, but we are speaking with clients that are considering making some
improvements in their applications. Then we are going to end with some conclusions on how you can best
position your firm to talk with clients about Sarbanes-Oxley opportunities.
Figure 5 On October 28, 2003, META Group Clients Said
Moving on to Figure 5, which is from a teleconference we had last week and probably one of the most highly
attended teleconferences META Group has had. We presented much of this material, the IT blueprint for
supporting Sarbanes-Oxley, and a great deal around the current state of Sarbanes-Oxley and the client inquiries
we are receiving. There are some key points that I would like to bring to your attention. Forty-two percent of
non-SOX-targeted companies (and these are private companies) said they plan to evaluate internal
controls. Again, this is not a primary focus of the act, but provides a huge secondary impact in that almost all
companies are beginning to start thinking about whether they have the appropriate internal controls in place.
For publicly traded firms that are targeted with SOX, 35% say they are relying on a compliance vendor to do a
lot of the work, provide services around business processes, and help evaluate business processes. But it
was interesting that 41% said they were planning on doing it alone. Clearly, this is not consistent with the way
we advise our clients because I think very few clients have the expertise to go this alone. But I think it is
something the folks on the phone that provide compliance focus services should be aware of and perhaps
that is a hurdle you are going to need to overcome for firms that think they can go at this alone.
This was an interesting statistic: 71% said they are on track to meet the required deadline. But what is not in
this figure is that only 8% had said they have begun to move to an IT blueprint, beyond just 404 tools. They
are also looking at how they are going to position their ERP and business intelligence applications to better
support Sarbanes-Oxley. Twenty-one percent said they are going to struggle to make those deadlines.
Fifty-nine percent are in the process of defining a technology blueprint, but they are in the very early stages.
Let me correct myself: 8% said they have a technology blueprint in place that will be acceptable. Forty-nine
percent said Sarbanes-Oxley is a necessary evil, but 39% believe it will also improve the enterprise. And I
think that is a very important point to bring to your clients' attention. A lot of Sarbanes-Oxley requirements are
also good business sense, and can bring the firm to more of a best-practice paradigm.
Figure 6 July 7, 2003: META Group SOX Survey Says
Stan Lepeak: In Figure 6, we look at survey results from some work we did a little bit earlier in the year. The
questions are a bit different, but they are also telling, despite the fact that these results are a couple months
old. One of the key findings from this earlier survey is that 88% of organizations view compliance as a global
initiative. Despite the fact that this has primarily been focused on US-based companies, it is really a global
initiative for companies that are based out of the US, as well as for global organizations. That echoes some of
John's comments earlier about the fact that this is not just for large public companies based in North America.
A second key point is that the CFO is typically leading the SOX initiative. It was well above 50%, followed by
the internal audit group. The implications are that this is a different audience than many IT vendors are
typically used to selling into. People rarely sold anything into internal audit except external audit services. And
the CFO's organization has been involved, playing a role in vendor vetting and IT investments, but typically did it only for
select types of investments or got involved more at the contractual stage.
What that implies is that the business case needs to be strong and the business case needs to be slightly
different when you are selling into these audiences. There must be a strong emphasis on the business value
of the service derived and on building real, bulletproof ROIs, not dancing-number ROIs that might fool a few
IT people. I think it implies that the selling process is going to be more complex and more rigorous. By the
same token, once you can gain the trust and allegiance of some of these decision makers, particularly in the
CFO's group, you build alliances with very strong advocates within the organization.
Echoing some of the numbers from the more recent survey, in terms of turning outside for help, the bulk of
firms are going toward their external audit partners, 59% in this survey, and that was echoed in some of the
recent work. What it points to is that while IT service providers will play a role in SOX compliance, it will
primarily be a longer-term role. It will focus more on product implementation or application customization, and
not climbing for an advisory role, despite the fact that at least some IT services firms do have good domain
knowledge around SOX by virtue of the fact that they have very solid financial management systems
practices.
I think the IT services vendor needs to recognize that the typical user is not going to turn to it for advice and
counsel on SOX compliance overall, but will be considering it for more technically oriented solutions and
feedback.
Figure 7 Top Preferences for SOX Solutions
John Van Decker: I would like to take us on to the next figure, because a number of clients are in the midst
of their Section 404 documentation, understanding risk and providing an assessment of where they are with
financial controls. I am getting a sense that most of our clients are going through that and identifying areas of
deficiency and where they can potentially improve their business applications.
This is a result of a survey that I was involved in with Business Finance magazine and PeopleSoft. It was one
of the most highly attended Webinars for Business Finance. It seems that putting out information on
Sarbanes-Oxley draws many end-user organizations because they are trying to make sense out of this, and
trying to understand how to better leverage IT. So we asked them what their three top preferences were for
Sarbanes-Oxley. I thought it was very interesting how some folks are considering consolidating ERP
instances, which would mean additional licenses and additional services to be sold in support of that.
Replace legacy ERP solutions, 2%, upgrade to the latest version of your current ERP solution for buyers. So
let us say that you are operating on an older version of Oracle going up to the current release so you can take
advantage of workflow and more of the leading technologies that would be in the new releases of ERP
solutions. I am not going to go through each of these, but it is important to note that many companies already
own a lot of the software for Sarbanes-Oxley, particularly around transactional processes. They need to
consider going back and turning on existing functionality, or functionality already in the product that perhaps
they have not enabled, such as workflow, to affect the authorization processes.
208 Harbor Drive Stamford, CT 06902 (203) 973-6700 Fax (203) 359-8066 metagroup.com
Copyright 2003 META Group, Inc. All rights reserved.
Transcript 2052
Transcript
And I want to point out that 15% are considering business performance management and business
intelligence solutions, and another 15% will be considering business intelligence solutions to help them
develop compliance-type dashboards to help identify anomalies before they become booked.
Figure 8 Convergence to Corporate Governance
Moving on to Figure 8, earlier Stan mentioned that organizations are not only challenged with Sarbanes-Oxley,
but also a number of other regulatory concerns. What we are seeing is that, over time, there will be a
migration from firms examining each of these point acts or point legislations to more of one that brings
together many areas of compliance within the organization, and under the umbrella of corporate governance.
For many firms, Sarbanes-Oxley is the initial step toward examining corporate governance across the
organization.
For example, they are looking at bringing together all areas of risk and the management of risk: business risk,
regulatory compliance risk, and performance management. How is the organization going to measure itself?
How is it going to manage key enterprise goals and objectives? Initially, SOX is in the hands of the CFO, but
the CFO really should be focused on adding value in the organization and partnering with the business areas
to help them make some critical business decisions. The CFO will, of course, always care about SOX, but I
do see that this will eventually be moved to the office of risk management, or, let us say, a C-level in charge
of corporate governance within any enterprise.
SOX will be the first step to driving the enterprise toward corporate governance, and at this point it is
advisable to market your solutions to the CFO as well as the IT group, and help IT educate itself on how it
should partner with the CFO to help the organization achieve SOX compliance.
Stan Lepeak: Just to add one point on this Figure, Sarbanes-Oxley presents a great opportunity for the IT
group and for the CIO to become much more closely aligned with the CFO and the organization, and as a
byproduct of that, typically raise the visibility and stature of the CIO and his or her group. I know from talking
to some of you on the line with an IT advisory practice that you have active work underway in terms of helping
the CIO as perhaps the traditional client to gain the capabilities, knowledge, and wherewithal to move closer
to the CFO's organization. We feel that is an excellent path to take and an excellent opportunity.
From the services and advisory standpoint, any assistance that can be derived and delivered to help align the
IT organization and the finance organization should make you very well received within both camps.
Figure 9 PCAOB Pumps Up SOX Compliance
Moving on to Figure 9, I want to talk a little bit about the Public Company Accounting Oversight Board
(PCAOB), which some affectionately call peek-a-boo. This is a non-profit group, not a government entity,
that has been tasked with setting some of the boundaries as to how big a stick some SOX regulators have.
It recently came out with a series of rulings that, if you have not read, I would suggest all of you take a look at.
It is not very exciting reading, so do not do it right before bedtime unless you're an insomniac.
But what it starts to call out, for example, is what do external auditors need to do? What can they rely on or
not rely on in terms of work that the client has done documenting controls and assessing compliance? What it
does is put some teeth into oversight groups, and teeth into the external auditors' capabilities to go in and
basically poke around the client organization. They can determine to what degree the client organization has
actually performed accurate testing. To what degree can auditors rely on client testing, or do auditors need to
go and perform some of that testing on their own?
It also reiterates some issues around outsourced business processes and the fact that those processes, from
a SOX compliance standpoint, are no different from an internal process. And it highlights that the auditor
should not rely on typical client testing relative to the compliance of an outsourced process, and in many
cases should not rely on historical documentation and audit efforts such as an SAS 70 document, at least
as they are often structured currently. The key with the PCAOB, as a seller of goods and services, is that you
should keep an eye on some of the boundaries this group is putting in place, that is, determining to what
degree the SOX regulators have teeth, and as a result, to what degree SOX is clearly an imperative for users.
We have always stated strongly that this is an imperative, but coming out of the summer we did see that
some started to feel that perhaps SOX did not have teeth, and perhaps some of the enforcement would lag.
The PCAOB has put those issues to rest and reiterated that this is a big deal for user organizations, and they
do face serious threats if they are non-compliant. So keep an eye on this group, because it can start to put
some strength around regulatory efforts and drive client compliant vendors.
Figure 10 The SOX IT Blueprint: Section 404
John Van Decker: With the next few figures, we would like to talk about some of the key Sarbanes-Oxley
sections, and the business applications that align to those sections. In reality, all enterprise applications that
are involved in the financial management process support the compliance toward each of these sections.
However, what we have done, in an attempt to simplify and help steer our clients toward the appropriate
solution and what they should be thinking about for each section, is that we have segmented it. I just want to
start with the caveat that there is quite a bit of overlap.
Section 404 is where most firms are involved right now. That is, they are involved in documenting internal
controls, being able to provide an assessment of how they are mitigating risk and how they are performing
to those internal controls. What is required by SOX is that there be an annual assessment, in which an
external auditor has to attest that the company is following the internal controls.
The solutions we see that can support this documentation effort are risk management tools. What
organizations are using them for is to document the financial management process. Many are going to quite a
low level of detail in support of this. Once it is documented, it needs to be understood where risks are, and a
periodic assessment of how the organization is performing to those internal controls needs to be provided.
What I am seeing is perhaps a standard, though there is no case law and no examples yet because Section
404 does not go into effect until June 15. Organizations are considering providing a quarterly assessment of
how they map and how they are performing to those internal controls. Initially, the service providers that firms are
looking to for help with 404 tools are compliance vendors such as Protiviti, Jefferson Wells, and auditing
organizations that have compliance consulting practices.
Many firms are going with complementary tools that are brought to the table by those vendors. But, over time,
I think this will mature into a real business application space where firms will be considering a Web-based
solution with a central database that is accessible to those that participate in the 404 assessment process on
an ongoing basis. So, initially, the compliance vendors and the auditing vendors will be the ones that are used
to bringing these solutions into the organization. However, the next phase will be systems integrators, since
many of these solutions will integrate with ERP and draw control information and assessment results out of
the ERP solution.
The functionality that these 404 tools cover is the documentation of internal controls. And they may use
business process modeling, or provide a repository for an organization to document their controls, such as in
Visio, Word documents, etc. They have a program management component in that, at any given time, you
can track where you are in the documentation process, as well as the assessment of how you are performing
to the internal controls.
In the next phase that I see, firms will be looking for more ERP integration, and I think solutions that provide
integration into ERP will be favored, including Oracle, SAP, and PeopleSoft vendors that are providing a
404 tool that is integrated into the ERP solution.
Figure 11 The SOX IT Blueprint: Section 302/906
Moving on to Figure 11, these sections cover the requirement for the CFO and the CEO to sign off on the
results, saying that yes, these are the results, they are free from fraud, etc., and that there are internal
controls in place to ensure the results are correct. What is interesting is that this requirement was in place last
year, but in many of the conversations I have had with CFOs, they kept their fingers crossed. Without a full
documentation and assessment of internal controls, it was difficult to be 100% sure that the results were
correct. I am not saying that people knowingly signed off on bad results, but we did not have a 404 process in
place yet, and most firms will not have that until June.
But applications that specifically can be leveraged to improve compliance with 302 and 906 are clearly
business intelligence solutions and business performance management solutions, tools that can help
consolidate ERP activity, consolidate information from perhaps a multi-ERP environment (which, by the way,
is often the rule rather than the exception), leverage data marts and data warehousing, and have extended
reporting and OLAP capability. By the way, this is not just on a monthly basis, but one should be able to take
a look at the results throughout the month and have multiple users both inside finance and business areas
look at frequent flash reporting.
I think transactional solutions (and, in this case, organizations have these already) need to be reworked and
perhaps reconfigured. I deal with companies that have not enabled formal purchase orders in their purchasing
solution and do not have three-way match, so there are many efforts involving better and smarter
configuration. In addition, data audit solutions such as ACL will be leveraged and can help a client understand
how data is bridged from one solution to the next, how data moves, and whether it is transformed accurately.
Figure 12 The SOX IT Blueprint: Section 409
Moving on to Figure 12, this section requires a firm to disclose to the public, on a rapid and current basis,
material changes to the firm's financial condition. What organizations will need are tools to help identify
accounting issues and errors, and they need business intelligence and business performance management
tools to provide that insight, that visibility. I think financial modeling solutions can also help. They may
leverage activity-based management and profit management solutions to help them identify if they are not
going to meet results and with a degree of certainty, and that should be communicated to the public.
Compliance dashboards, which I mentioned before, as well as internally focused portals will help route and
identify issues, and externally focused portals will communicate to investors about these changes. So, 409
will require firms to effectively leverage their business intelligence and content solutions, specifically to
provide a repository of issues. Various document trails will be able to centralize content and ensure that
records are retained for the appropriate period.
Figure 13 SOX Requirements: Record Management
Stan Lepeak: In Figure 13, we are talking about SOX requirements relative to records management and
records retention. This really gets at Section 802, which mandates that organizations ensure authentic and
mutable records and their retention. So while records management plays a role relative to capturing, storing,
and managing compliance-related materials to evidence SOX compliance, there is also a whole section that
gets into records management in and of itself for the organization.
If you examine where organizations initially are being challenged over their SOX capabilities, it is in Section
404, which is where the HealthSouth CEO ran into problems. But also relative is Section 802, which gets into
inappropriate destruction of records or lack of policies to address the ongoing management of those records. I
am sure many of you have been having this discussion with META Group's records management guru Charlie
Brett, and we encourage you to continue with that.
But to get into this briefly today, the three main elements of a records management strategy are the technical
element of an enterprise repository, integrated workspaces, and process management. If you look at how or
why records management becomes different relative to SOX, it is in the process management element. This
is another case where virtually all organizations have some sort of investment in records management or
content management and document management systems and repositories, but it is really a function of how
those are applied differently. How can they be employed to meet and evidence SOX compliance?
The key message here is that it is not appropriate just to go to market with a records management solution.
Rather, it is going to market with a records management solution and with some domain knowledge that
either you possess internally or have developed through a partnership to help clients understand how to apply
this technology. What are the process management models and mechanisms they need to put into place? We
see this as an opportunity for a records management firm to start to pair up with various organizations,
certainly the external audit firms and the risk firms that understand some of the process models. This is also
an area where SOX process alignment starts to get into legal territory.
There are certainly many legal dimensions to SOX compliance, but generally we do not see the IT folks
hanging out with the legal counsel folks that often. But I think when it comes to records management, that is
one area where legal dimensions need to be addressed. If you are a purveyor of records management
solutions, it would make sense to ensure that you have the domain knowledge around the legal requirements
for records management with SOX. Also consider targeting within the organization their legal counsel and
others who can appreciate the additional domain knowledge of records retention that you could bring to bear.
Figure 14 SOX Technology Blueprint
Figure 14 is a bit of a review, so I am not going to spend too much time on this one. It is a review of the
business applications in support of the various Sarbanes-Oxley sections. But again, I think it is important to
note that a Sarbanes-Oxley solution is not just 404 tools. It comprises your ERP processes, your content
management processes, and your business intelligence. It is how you are leveraging all these applications to
support financial controls and financial management. It is taking a look at the components of a Sarbanes-Oxley solution.
It is about 10% of risk assessment tools, to provide an understanding of internal controls as we mentioned
before. About 60% of the effort will be associated with ERP best-of-breed tools, to provide better control over
financial processes, content management solutions to support both 409 as well as Section 802. And we see it
from an effort perspective, about 30% business intelligence, performance management, and portals to provide that
visibility and transparency that is required for Sarbanes-Oxley.
And I would like to refer you to a series of research Deltas that all start with The Joy of SOX. I am sure that
when Mr. Sarbanes and Mr. Oxley came up with their act, they did not think analysts would be conjugating
their names into SOX, but we do, and sometimes we have fun with it. There is a series of research Deltas
available to our clients which, if you would like to read through, will help you get a sense of what a total
Sarbanes-Oxley solution is. What should an IT organization be doing to better position the business
applications portfolio for this?
Figure 15 The SOX Dimensions
Moving on to Figure 15, we believe solutions used for Sarbanes-Oxley and financial management processes
need to have several critical dimensions. They must possess visibility and transparency so firms can have a
view into the activity coming out of that business application. They need to ensure financial controls. Can they
support authorization processes? Are they workflow enabled so the system can ensure that the
authorization/approval process is functioning correctly? Records retention is key so that organizations can go
back and understand the documents, the invoices, and the contracts that support the transactional financial
management activity.
Communication is key. Again, that is done through some type of a workflow process or a portal process to be
able to identify issues and bring them to the appropriate attention. Risk management is key, as is fraud
prevention, to be able to have ongoing views of data in the activities to understand anomalies. Users will need
to evaluate each of their applications to ensure that the previously mentioned dimensions are supported in the
applications that are used for financial management.
Figure 16 SOX IT Blueprint: Vendor Mapping
John Van Decker: Moving on to Figure 16, we attempted to map vendors to the different parts of a SOX IT
technology blueprint. Again, this is not intended to be all-inclusive, and by merely doing something like this I
am afraid I may annoy some of the vendors on the call today if they are not listed, but that does not mean we
do not love you.
From a document records management perspective for risk assessment tools, which again is 10%, we are
seeing solutions from Documentum, Hummingbird, Optika, and Open Text. We are seeing solutions from the
business process program management vendors Fuego, Movaris, and Primavera. The Big Four are providing
tools for organizations to assess their risk. What is not mentioned here, and I do not want to fail to mention it,
are the solutions that are coming from the ERP vendors Oracle, PeopleSoft, and SAP. Oracle has brought a
tool to market; it was the first ERP vendor to do that, and PeopleSoft and SAP now have tools.
From transactional solutions, clearly the ERP vendors PeopleSoft, Oracle, SAP, Lawson, and Microsoft all
play in the financial management area, as do many best-of-breed vendors such as Concur, Ariba, Softrax,
and iMany. Again, in terms of content records management, we are seeing these vendors start to position
their solutions in support of Sarbanes-Oxley for the records management requirements: IBM, Documentum,
Open Text, Hummingbird, Stellent, Mobius, and FileNet.
Figure 17 SOX IT Blueprint: Vendor Mapping (cont.)
The business intelligence and business performance management vendors all have an important message
around providing visibility and transparency in financial management activity (Cognos, SAS, MicroStrategy,
Hyperion, PeopleSoft, Geac, which had acquired Comshare, SAP, SEM, Oracle, Longview, and portal
vendors that can help get the transparency and get more folks involved in the financial management process
through portals, Plumtree, PeopleSoft, SAP, Cartesis, etc.).
Ultimately, all IT applications and infrastructure must be shaken to a SOX IT blueprint, and we are seeing
many organizations start to put together their perspectives on the overall cost of SOX. I believe it is going to
create a lot of spending in business applications areas, and we will go through a timeline in a couple of
figures.
Figure 18 Business/IT Services SOX Checklist
Stan Lepeak: Moving on to Figure 18, we are going to talk a little bit about the business and IT services
dimension of SOX compliance. As John indicated, we are starting to see a groundswell of pending
investments relative to products, both software as well as infrastructure. And wherever there are products,
there certainly are services firms close behind, or in some cases leading the charge. But services relative to
SOX are a bit broader in that a key piece of SOX is business services, particularly risk management and
assessment and external audit services.
It is somewhat ironic if you look at how we came to have the SOX requirement. In some cases, the auditors
did not do quite as good a job as they could have at places like Enron. As a result, some audit firms,
particularly Andersen, no longer exist. There were ramifications of what were perceived as inadequacies
relative to its audit work, and it is important to highlight that was certainly the exception in Andersen rather
than the norm. But the result was that the whole firm suffered.
However, audit firms currently play a critical role relative to SOX compliance. They are the firms that sign off
on whether their clients are, in fact, compliant. In addition, given some of the recent dictates from the PCAOB,
the auditors have great leeway in determining how compliant is compliant, and how good the clients' efforts
are. Again, it is a bit ironic that, if you look at auditor revenues, they are booming. Deloitte recently announced
record revenues, and it is not just in SOX-related work that these auditors are performing well. It is also in the
traditional audit work that they do that has become much deeper and more intimate, which is good. So it is
okay that they are making some money on this.
But the point to product firms is that you need to work closely with and make these external audit firms, as
well as some of the risk management firms like Protiviti, your friend. You need to understand what they are
advising their clients to do or not do. You also need to work with them to gain some of the domain knowledge
and expertise that they possess relative to what constitutes compliance and what is enough. Then, when you
develop your broader story around how your technologies should be applied, you are doing so in a way that
synchs up with the advice these clients are receiving from their external advisory firms.
Even if you are an IT services firm, it makes sense to consider partnering with these audit firms in that again,
IT services need to be complemented and extended by the process and domain knowledge relative to specific
SOX compliance issues. Just as we see a need and a requirement for some product firms to work with legal
experts, I think there is also a requirement to consider developing partnerships and relationships with those
performing the audit and services work. But it should be understood that there are very stringent regulations
as to what these firms can and cannot provide to their clients.
It should also be recognized that, ultimately, even if you are not an audit firm, other types of services
firms are going to be pulled under this regulatory umbrella. There is going to be no way that you can
implement a financial management system, modify it to meet SOX compliance, or in an outsourcing scenario,
manage a client's financial systems and not be caught under this regulatory umbrella. From that standpoint, it
is important to recognize that other services firms are going to be caught in similar, though perhaps not as
stringent, regulations.
Figure 19 Service Provider Landscape
Moving on to Figure 19, we will talk about some specific recent developments. As John mentioned, audit firms
are often some of the first to provide tools to their clients, particularly for 404 work. We are starting to see the
audit firms exiting the role of ISV. Most recently, KPMG announced a deal with IBM. KPMG is going to be
porting over some of its process control models to IBM, which will build them into a Lotus Notes environment.
This is basically productizing, as an ISV should, what was once KPMG's internal homegrown tool. And we
certainly expect that the other Big Four vendors (Deloitte, E&Y, and PwC) sooner rather than later will
announce alliances with third-party ISV firms to take over management of their product, limiting the auditor's
role to being just the domain expert.
This is good, but it also means that there is a transition opportunity as clients move from a homegrown auditor
tool to a third-party tool. Also, and I am sure these discussions are already in the works, there are
opportunities for those with tools to partner up with these audit firms and the risk management firms to create
a joint offering. Deloitte is making a lot of progress in this respect in terms of developing their integrated
service offerings, which are a byproduct of having not spun out Deloitte Consulting. Now they have this hybrid
set of capabilities that they can bring to bear, such as bringing risk and IT-related domain expertise in terms of
helping clients with Sarbanes-Oxley. And while they will not allow us to say how much, their SOX practice, if
you can imagine that, is booming as well.
We have mentioned other key players, such as Protiviti and Jefferson Wells. Another interesting firm with
which auditors in particular should be developing some working relationships is SAS 70 Solutions. This is the
group that performs the majority of the SAS 70 audits of outsourced business processes in the marketplace
now. This is the old Andersen consulting risk management contingency that now does well above 50% of the
SAS audits. It is looking at defining the appropriate scope, and defining but also advising its clients on the
appropriate scope for the SAS 70 audit to meet SOX compliance.
Other key players here, IBM and BearingPoint, are doing a lot of good work as well. There is also a hole here
with the offshore firms that really are going to be impacted by SOX compliance, particularly as they get into
business process outsourcing. But to date, they have not had a good story as to how they are addressing this
on behalf of their clients. The key bottom line issue is that a SOX solution needs to be holistic. There are business
dimensions, IT dimensions, and obviously product and infrastructure dimensions. We encourage those of you
selling this to take the holistic view in terms of what your clients need.
Figure 20 Putting a Cost to SOX
In Figure 20, we get into a little bit around putting a cost to SOX. We encourage all of you to talk in more
detail with John and me about this. This is a very critical yet complex solution situation, and it really depends
on what you are selling. Is it a taxable solution or a point solution? Is it a suite? Or is it selling a long-term
perspective and partnership relative to helping clients achieve SOX solutions? A couple of points to bear in
mind are that there are some short-term investments that clients need to recognize they have to make. But no
one is taking the approach that we are going to throw money around on this.
Many organizations recognize, and rightly so, that they have many of the tools already. What they need is to
apply them better. So it is a process issue, not a product issue. They do not necessarily need to buy one of
each. They have learned a lot from overinvesting in Y2K, in some cases certainly overinvesting in e-business,
and in many cases overinvesting in some of the complexities around ERP. Be aware that you need to build a
solid business case relative to the type of solution that you are providing.
Figure 21 SOX Investment Timeline
That gets us into Figure 21, where we lay out an investment timeline based on what we are seeing from our
end-user clients. We have laid out this timeline from 1H03 through the 2H05. Initially, when the SOX deadline
was pushed out, the 404 deadline for most firms was pushed from 2003 to 2004. Clients gave a sigh of relief,
put their feet up for a couple of weeks, and then got back at it. But primarily what they have been doing since
that point is scoping their technology requirements. And most of the work that has been done has either been
through investment and point solutions, or more specifically, in investing and help from their external auditors
and other services firms. So there have not been many product sales to date. Clients are doing a lot of good
documentation work, which does not necessarily require much in the way of products, and they also are
scoping out their technical needs.
We are starting to see that toward the end of 4Q03 and into 1Q04 is where there are going to be investments.
Initially, it is going to be around the content and collaboration products, business intelligence, business
performance management portals, and then some of the point solutions that are required to meet those
tactical compliance goals. I would say that if you do not have a solution base by now that is targeted at
tactical compliance, you are too late. And I think what you need to start to look at is what is going to happen
after June 2004.
We expect a lull as firms regroup, but then we will start to see the more serious investments and ERP
upgrades adding the capabilities that will be delivered through those products over the course of the year.
Again, this is a multiyear process to go through that upgrade cycle. We start to see that organizations will be
looking more at strategic compliance dimensions, which could be deploying more broadly some of the
capabilities they deliver to achieve tactical compliance. That is also where the businesses will start to kick in
for the IT service providers that will be more involved with the implementation of the broader enterprisewide
solutions.
Again, this is not an exact chart, but I think the key points to note are tactical compliance, the investment
being made there, and the investments that will be made through the next quarter. Beyond that, it is a very
strategic play that is looking at enterprise solutions and some business process domain expertise.
John Van Decker: There is one point I wanted to add, in that I think Sarbanes-Oxley and the need to have a
global financial management process will breathe life into many best-of-breed vendors. Since firms may have
multiple ERP solutions, they may consider consolidating, but I do think that if you look at expense
management, for instance, there could be a good opportunity for organizations to standardize across a
multi-ERP environment with best-of-breed tools. I think Sarbanes-Oxley will breathe life into many of these
best-of-breed vendors in providing better financial management solutions, those that have visibility and
transparency, financial controls, and the other dimensions we discussed earlier.
Figure 22 Rock-Hard SOX Solutions: IT Alone Is Not Enough
We are going to start concluding this teleconference. It just so happens we are going to do it over five figures.
It is probably more observations, and it also is a summary of many of the items we discussed. Clearly, if you
provide financial management applications or you provide solutions that may originate financial transactions,
it is important to be SOX-fluent. It is important to understand what Sarbanes-Oxley is, the pain points
organizations are going through, how you can address Sarbanes-Oxley compliance, and how you map to
those dimensions that we discussed earlier.
I think it is also important to note that, for many firms, there is a laundry list of things to do. Most firms will not
have the budget to do them all. Communicating value and your Sarbanes-Oxley position, as well as how
organizations can leverage those tools, is key and something you need to ensure that your sales forces can
adequately address. It is important to find a services vendor to partner with, particularly if you are a product
vendor and you are selling software. Maybe you want to have one or multiple services vendors that can also
be educated on the message and help clients bring these solutions in to add value.
Firms are going through their 404 processes, and in many cases, you will be competing with perhaps an
expense management vendor or with a contract management vendor to bring the solution in. It is important to
understand how you map to those critical dimensions. The cost of Sarbanes-Oxley may be huge, depending
on how it is leveraged. We are seeing many wish lists being developed by Global 2000 companies. They see
this not only as an opportunity to become SOX compliant, but also to become more efficient, effective
enterprises with better competitive advantage.
So, if a vendor provides a SOX-niche value proposition, it is important that you communicate it. I believe
some of it may appear as a stretch, but if you can provide value and better financial controls, then I think you
should be telling your prospects about that. I think it is important to monitor competitor communications but
focus on unique value propositions. Do not come at it just from a "me too" perspective, but from how you can
help the organization achieve compliance if it brings the solution in, and at the same time become a more
effective firm.
Figure 23 Beyond Compliance: The Joy of SOX
Stan Lepeak: In Figure 23, as part of being SOX-fluent, it is important that, even if you are selling a tactical
solution, you recognize that clients increasingly are becoming aware that there is more than just the
compliance dimension of SOX. SOX cannot just be viewed as the cost of doing business. Organizations must
go beyond compliance to really, truly achieve the joy of SOX. This means you are leveraging the investments
that you are making for ultimate competitive differentiation and strategic gain.
This is evidenced in the survey we did last week. There are very few firms, when it comes down to it, despite
what we hear in the press from the pundits and some of the legislators that SOX is bad and, of course, that it
is throwing sand in the gears of commerce. Most user organizations recognize that, ultimately, they will be
better, more nimble firms when they come out of this. They also recognize that, ultimately, they will be able to
leverage the investment, and in some cases, leverage the excuse for the investment for greater strategic gain.
Obviously, an organization has to gain compliance short term, and that is where a tactical solution might
come in.
That compliance needs to be maintained over time, which is a function of technology as well as process.
Ultimately, that compliance needs to be leveraged. As a byproduct of SOX, organizations are going to have
greater process visibility. They are going to have the potential to have greater operational efficiencies. They
are going to have much greater visibility into their services spend and the quality of the services they are
procuring. They are going to develop greater sourcing expertise to buy and manage goods, and particularly
services. There will be significantly greater scrutiny around audit services, services from auditors, and
outsourcing services.
They are going to be developing what we have been calling here at META Group the capabilities to become
sense-and-respond organizations. Your messages need to be in sync with that. And even if you are not
playing a big part in the strategic role, if you do not have a strategic story, if you cannot sit in strategically,
you are going to be viewed either as a throwaway or a tactical point solution that is really not worth the client's
investment. Again, this does not mean you need to become McKinsey-esque strategic wizards. Rather, you
need to look at the strategic dimension of SOX and where you fit in. As with many things, SOX will not go
away like Y2K did. On the contrary, SOX will get better with age.
Figure 24 Transformation Steps
John Van Decker: Moving on to Figure 24, I am not going to go through each of the transformation steps in
detail since this is a review. I think it is important that you have a SOX message. Now is the time to get it on
the table and get it in the SOX IT project queue. And you should be able to communicate not just the ability to
support Sarbanes-Oxley, but also to show an ROI and how these solutions can help the firm evolve to be
more efficient. I think it is also important to recognize that SOX compliance is a way of life. It is ongoing, not
just a quick fix. You may want to consider some tactical approaches, but look at more of the strategic
dimensions of SOX compliance.
Figure 25 META Group's Deep Dive Into the SOX Pool
Stan Lepeak: In Figure 25, we will give you a little preview of what we will be working on here at META
Group during the coming year. As you can guess, at least with John and me and Charlie Brett and some
others, it will certainly be heavily weighted toward SOX compliance. In terms of taking the deep dive into the
SOX pool, we are certainly going to continue to provide leading research on SOX compliance and best
practices.
We are going to be focusing very intently on the end-user audience, but in particular how that audience
expands to move beyond the IT organization to incorporate legal, the CFO's organization, and the enterprise
risk management offices that are being put together, and to extend out to the supply chain and the
procurement organization. So we will be looking at defining the holistic SOX solutions that we have been
talking about here today.
A key part of that will be some very good research we will be performing, in particular a SOX multiclient
study that we know some of you have signed on board for. We still have a few slots open on that, so if anyone
is interested, give John or me a call. Also, we have the results for some earlier work John was doing on
business performance management, and we have an enterprise analytic study underway. So, other pieces of
research are going to contribute to filling out the SOX profile of what people will need to buy when, and how
much they will cost. In addition, SOX is going to be one of the main track teams at METAmorphosis next year.
And in April 2004 there is going to be an entire conference dedicated to risk management and compliance, of
which SOX will obviously play a big part. John is the co-chair of that event.
John Van Decker: I have one more point I would like to mention. We are not taking a "build it and they will
come" attitude, or writing a research Delta and then expecting that people will start moving and mobilizing
around Sarbanes-Oxley. All of our research is being driven by our end-user organization clients' demand. So
Sarbanes-Oxley will continue to be a hot inquiry area for us, and that is why we are responding with this
multifaceted approach to research.