Although Sarbanes-Oxley (SOX) rules and requirements have been in place for more than seven years now, customers may still need assistance from solution providers to achieve and maintain compliance.
Many companies and solution providers have begun to view SOX compliance a little differently over the past couple of years. In the past, trying to define SOX-related issues meant unclear definitions and approaches across all aspects of the business, which created huge burdens on a company. Now, it's generally accepted that SOX initiatives focus only on financial reporting and accounting processes. Much of this change in approach can be attributed to the financial industry being upended a little over a year ago, which in turn caused economic turmoil across the country.
But has this economic distress caused companies to let SOX-related processes fall off of their plates completely? Jackie Gilbert, vice president of products and marketing for SailPoint Technologies Inc., thinks that despite customers' regard -- or lack thereof -- for SOX compliance practices, the regulation should still be on solution providers' and customers' radars.
No matter the condition of the current economy, the importance of SOX compliance remains as great as ever. There's a heightened awareness around risk management and transparency in light of the recent financial system problems and subsequent government bailouts.
One challenge that solution providers can tackle is overcoming customers' notions that being compliant with SOX means having Sarbanes-Oxley internal controls in place to pass a one-time audit. This mindset does not take into account that continuous monitoring and auditing throughout the year is a necessary component in order to maintain compliance. It should always be stressed to customers that the real key to SOX compliance is the continuous monitoring of controls, such as those put in place to enforce access management and segregation of duties.
How solution providers can help customers keep up with SOX compliance requirements
In addition to preaching the importance of SOX compliance, solution providers should help customers realize that in order to be compliant, they will need to have consistently strong Sarbanes-Oxley-approved internal controls in place.
With that in mind, one point of focus for solution providers should be products that automatically document, maintain and provide the necessary audit trail for changes in infrastructure configuration. Another important consideration is implementing segregation of duties controls and enforcing them within access management. Those are valuable and important goals for businesses, regardless of whether there ever was a SOX requirement forcing their hand, even in the current economy. It's just that now, moving forward with these initiatives will aid in SOX compliance, as well. SOX compliance can be thought of as a secondary benefit to adopting those core principles.
To help customers further reduce costs, emphasize an automated approach. This saves significant time and money by building predictability and repeatability into compliance tasks, business process rules and workflows. Most importantly, building an automated approach gives organizations a scalable and sustainable process for effectively responding to compliance requirements now and in the future.
Furthermore, it's worthwhile to revisit customers' existing SOX processes that could have been hastily created just to meet the requirement. Deciding which tasks or processes to automate and how to do it is often unique to each organization, but a solution provider can easily focus on implementing automated identity and access management or access certification solutions that meet SOX requirements.
I've seen entirely paper-based access certification processes that had been put in place, which required hundreds of pages to be printed out, data to be manually collected in a once-a-year flat file upload, and direct reports to be mailed out to each of the approximately 1300 managers with direct reports. Those managers then had to go through their stack of papers with a red pen, checking off which access was to be removed or considered incorrect, and then mail the reports back. An unbelievable amount of time and money was saved by automating that process with a Web-based interface to those now centrally stored access reports.
Automating and improving processes like that is the key to strengthening and streamlining those Sarbanes-Oxley internal controls for the future while reducing the ongoing total cost of maintenance for your customers. That just might open the door to new business, as well.
About the author:
Eric Rosenzweig is a senior consultant with Solstice Consulting LLC in Chicago, IL. He has over seven years of experience delivering projects specializing in information security and access management, compliance, business process and application development. He can be reached at firstname.lastname@example.org.