IT channel takeaway: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released some concrete guidelines on how to implement Sarbanes-Oxley. Channel professionals may find this useful in documenting, testing and implementing compliance technologies for SMBs.
With Luc Brandts, founder and CTO of BWise, a compliance and risk management software provider. BWise's new template-based product, EZ Control, is complementary to the new guidelines for small businesses and Sarbanes-Oxley compliance recently released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Question: What prompted COSO to release its new compliance guidelines for small businesses?
Brandts: There are two reasons for that. One very good reason is COSO received a request from the SEC (Securities and Exchange Commission) to help smaller companies do that, and the other is a well-known and much-heard demand for more guidance as to what [small businesses] need to do. A lot of larger companies have internal resources to help them or have the money to hire consultants to help them out. Smaller companies wouldn't have that amount of knowledge available, amount of resources available, so it's a very good thing that COSO stepped in and gave some more clarity on how to implement COSO in a Sarbanes-Oxley environment. There were a zillion different interpretations and implementations of COSO, many of which were way too detailed, which also led to the complaint of many smaller companies that they were spending way too much money on implementing Sarbanes-Oxley.
Question: Can you give us a brief overview of what the guidelines are, what they do?
Brandts: The guidelines contain a number of principles that you should implement as a company. In these principles, it's not only very high-level information [advising you to] look at integrity, authorization, risk assessment; it's also very explicit as well. There's some very concrete guidance on what to do, how to implement Sarbanes-Oxley. That is especially helpful because a lot of the companies were implementing controls, controls, controls, and adding additional controls, which would then hamper their ability to do business. It gave Sarbanes-Oxley a very bad name and also gave COSO a very bad name. But if you take it one step back and say, "What do we need to do as a publicly traded company?" COSO gave some guidelines on [the steps you need to take] if you want to manage your risk and be in compliance. They help you, in a very concrete way, to do all kinds of things, like how to deal with integrity and ethical values, how to organize your board of directors, what's your management philosophy and operating style, etc. And that's not only for smaller companies. From my own experiences I know that there are larger companies that can greatly benefit from this approach as well.
Question: How do compliance solutions fit into the guidelines? Do the guidelines recommend specific types of technology that would be helpful to smaller businesses?
Brandts: On a very, very high level. What technology like ours does is to help companies implement methodologies like COSO's in a general fashion ... it helps them to take the first step so that they are not inventing controls all by themselves. Our technology helps them to document, helps them to test, helps them to be compliant, helps them to report, helps them to follow up on issues, helps them to assess risk and all these things ... Now, with our template, not only are these capabilities in place, but also the business context: What are my risks? What are the controls that I need? How do I assess my integrity and ethical values? ... It's much more a ready-to-use, easier-to-implement solution for a company.
This 3 Questions originally appeared in a weekly report from IT Business Channel.
This was first published in October 2006.