Sarbox Surprises

The summer/fall/winter/spring of our Sarbox discontent. Also: Gates spies an IT labor shortage; tax implications of IT purchases; business travelers log on; who gets the CIO; and more.

June 22, 2005

It wasn't supposed to be like this, but IT has emerged as an unexpectedly vexing aspect of Sarbanes-Oxley compliance. According to a recent CFO IT survey, almost all companies reporting weaknesses or deficiencies under Sarbox have found IT to be at least part of the problem, if not the sole source. Worse, many CFOs feel that regulators have not done a good job of explaining what companies must do to satisfy Section 404 requirements for internal controls from an IT perspective. They also say the auditors charged with giving or withholding a thumbs-up don't understand the IT issues well enough to render an accurate judgment (see "Survey Says").

"In some sense I'm surprised, but in another sense I'm not," says Steve Hill, a partner in the risk advisory services practice at KPMG. "IT issues account for 20 percent of the key-controls portfolio at a typical company, which is almost twice as many as the next two areas combined." That is, IT is so pervasive at most companies that any examination of internal controls is bound to turn into a de facto audit of IT.

Indeed, a majority of survey respondents said there is no clear line between what constitutes financial versus IT controls. That's one reason why the Institute of Internal Auditors has inaugurated a new series of Global Technology Audit Guides that includes one that focuses on IT controls. While not intended as a Sarbox manual per se, the guide does provide useful baseline knowledge and some specific tools for understanding and implementing IT controls, according to Jay R. Taylor, general director for IT Audit at General Motors. (The guide is available at www.theiia.org.)

At this point, any guidance is welcome. "No one had a reference point," says William Chiasson, CFO at Leapfrog Inc., a maker of children's educational products. "It's been an uphill battle for auditors and everyone else." Leapfrog's first audit uncovered material weaknesses in accounts receivable, inventory, and IT. Rob Moon, the company's CIO, says software from Logical Apps and Oracle's Internal Control Manager product should help the company resolve its problems, particularly regarding segregation of duties and access rights. And he says that in some sense, Sarbox has had a silver lining. "It can prevent fraud and conflicts of interest, and it is a prime motivator to simplify, simplify, simplify," explains Moon.

But that won't happen overnight. Chiasson believes that year two of Sarbox compliance will be even more demanding than year one. "In the first year, we described our systems," he says. "Now we have to update and fix them, which is more work." KPMG's Hill says, "Sarbox can accelerate business, much as Six Sigma and IT itself did. Compliance can become a new lens through which to evaluate your company."

So far, few companies like what they see. But if it is any consolation, last month the Government Accountability Office found that the SEC's own internal controls suffered from several material weaknesses, including IT.


The Check Is for the E-Mail

Depending on who is defining the market, companies are already spending $4 billion a year on technologies that fight E-mail threats (including viruses, spam, and phishing) or will reach that level within four years. While the numbers from analyst firms may vary, most agree that along with a continued rise in spending will come a shift in corporate priorities, away from a reliance on multiple best-of-breed products (that each target a specific E-mail threat) and toward suites of products or a managed service that can address the many ways that E-mail can spell trouble.

Radicati Group estimates that 52 billion spam messages and 900 million viruses will be mailed each day in 2005, so there is clearly plenty of work for E-mail security products and services to do. Both Radicati and In-Stat say that a shift is under way toward E-mail "appliances," a combination hardware/software device specifically engineered to tackle E-mail security problems. But In-Stat says that 30% of current decision-makers are unsure whether their next purchases will be software, appliances, or hosted services.

Not surprisingly, In-Stat ranked reliability as the top factor influencing purchasing decisions; Radicati reports that manageability and scalability are also at the top of buyers' lists of requirements.


Sphere of Commitment

Companies want to negotiate good deals with their IT vendors, it's true, but many also say they want to rely on a smaller number of vendors that can act as true business partners. Those two goals are often in conflict, leading to fractured, unproductive relationships. These are among the findings of McKinsey consultants Baljit S. Dail and Andrew S. West, who studied nearly two dozen companies. Among the firms in question, 20% regarded cost as the top priority in vendor relationships, while 70% cited a desire for stronger partnerships with a smaller number of preferred suppliers. Of those 70%, however, only 30% believe they actually do have the kind of vendor relationships they'd like.

