sarbanes oxley

A document retention program that works

Thu, 29 May 2008 06:59:59 -0400

The 2002 Sarbanes-Oxley securities law has meant that CIOs must formalize document retention policies and keep up to date with a growing volume of information. The result has been a constant to struggle to create policies, get cooperation from end users and manage the technology. Members of the CIO Executive Council recently came up with some basic tips on how to handle this situation.

They include properly defining "document'' to include information of all types--electronic or paper, historical or transient business records; clearly stating who and what function is the relevant retention authority for the most widely used categories of documents; and indicating the specific duration of retaining different types of documents.

To get more advice:
- see this CIO.com article

The high cost of SOX just went down

Thu, 07 Feb 2008 06:59:59 -0500

Companies are spending a ton of money complying with the Sarbanes-Oxley law, and that probably includes your firm. Just listen to the numbers. In 2007, American businesses spent $6 billion on SOX, as the federal regulation is commonly called. And while it has leveled off a bit, it still takes a big bite out of a company's budget.

The law was passed in 2002 in reaction to enormous corporate transgressions taking place such as the Enron meltdown. It made company executives liable if erroneous financial statements were filed. The regulations putting SOX into effect made CEOs vulnerable if they did not ensure the integrity of the systems that process their data. That was a high bar to jump for any CEO!

The Public Company Accounting Oversight Board (PCAOB), which was charged by Congress to enforce accounting regulations, has watched how accounting firms have run up huge fees as companies try to comply with the law that requires auditors to tie compliance directly to its impact on financial reporting. "If you can't link something to the financial statements, it's out of scope." explains Sharon Virag, the PCAOB's technical policy implementation director. "We used to hear people talk about the financial-transaction flows through this system, so the system is brought into scope. Now, you only need to focus on the parts that apply to the risk."

The change lifts the burden from the CEO and puts it on the back of the auditor. "For the first time, auditors are not going to be allowed a blank check for compliance," says Connie Whitecotton, vice president and chief risk and compliance officer at Alfa Insurance, a $700 million insurance company in Montgomery, Ala. She says the key to SOX is understanding risk and adequate controls. "We've got to understand it to contain the auditors," she said. And it all might mean that there's a little more money in your budget. Let us know if this is any sort of relief to you.

For more on SOX:
- See this Baseline Magazine article

Boards begin to pay attention to CIOs

Mon, 01 Oct 2007 06:59:59 -0400

With Sarbanes-Oxley and financial scandals in the news on a regular basis now, independent director boards are increasingly curious about how CIOs are running their shops and spending precious resources. According to Jack Capers, a partner in the Atlanta office of law firm King & Spalding and a member of the firm's Mergers & Acquisitions Practice Group, directors now see the IT department not just as a repository of key data and process insight, but also as a key resource for risk management. As a result, there has been a new trend in seeking CIO participation in boardroom discussions. It's a trend that is likely to continue. "I believe there will be an increase in communication with the CIO," Capers tells CIO Update. So, how can you prepare for the call upstairs? Board members generally appreciate less technical explanations. When speaking to the board, always tie technology to the business and engage in discussions rather than presentations. Most importantly, before going in front of the board, rehearse and make certain that your presentations are fast-paced and informative. This is not the time to wing it, say the experts.

For more advice on how to present to the board:
- see the article in CIO Update

ALSO NOTED: ERP is a legacy system; Top execs want mobile Internet

Tue, 08 May 2007 20:01:38 -0400

> Call a spade a spade: ERP is a legacy system. Blog

> Top execs crave Internet on the move. Article

> States pushing through IT consolidation. Article

> Sarbanes-Oxley advice for smaller public companies. Column

> A new Trojan Horse is impersonating Windows reactivation and anti-piracy messages. Article

> Directors now favor internal candidates for CEO positions. Article

> Microsoft to release DNS security patch. Article

> The state of Ubuntu 7.04 is strong. Review

> Steps to tracking data copies. Article

And Finally… Getting IT bullies to behave. Article

Compliance: More of an art than a science

Mon, 09 Apr 2007 20:01:38 -0400

Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science, and is frequently a matter that requires negotiation. It's also more of an exercise in risk management than governance. Often, doing the right thing means doing what's right for the bottom line, not necessarily what's right in terms of regulations or even what's right for the customer. It's about trying to remain profitable while satisfying compliance requirements, and it's a delicate balancing act. When business metrics are applied to compliance, many companies decide to deploy as little technology or process as possible, or to ignore the governing laws and regulations completely. Complying with Sarbanes-Oxley is particularly confusing, and that frequently leads to non-compliance. Complying with privacy laws such as the Gramm-Leach-Bliley Act and HIPAA also are complex, and both leave a lot of room for interpretation. It's critical to document why your organization is approaching compliance with specific laws in specific ways. If you can show that you have read the pertinent regulations, can demonstrate that this is your interpretation of what the regulation says, and can show an intent to protect the data, you are more protected than those who haven't taken those steps. Do your homework so that you know if you're making the right trade-offs.

Read more about compliance:
- read the article at CIO

ALSO:
- read this on the intersection of risk and compliance
- this on flexible compliance
- and this on compliance taking a leap forward

Don't skimp on data management

Wed, 21 Feb 2007 19:01:38 -0500

Not spending enough time, effort or money on enterprise data management can lead to increased risk and decreased competitive advantage, especially in financial firms. Without effective data management, companies often have dozens of different databases with redundant information--much of it wrong--and dozens of applications that use data from as many as 15 third-party providers. Failing to dedicated the resources to fix this mess can leave financial firms non-compliant with Sarbanes-Oxley and other federal data retention and compliance statutes, while also exposing companies to increased financial and operational risk. Investing in effective technology to clean up enterprise data stores will yield big dividends.

Learn more about developing an effective enterprise data management strategy:
- read the article at Wall Street & Technology

Flexible compliance saves time and money

Tue, 23 Jan 2007 19:01:38 -0500

While most organizations today have systems in place to ensure compliance with Sarbanes-Oxley, HIPAA and other applicable regulations, few have designed these systems to accommodate frequent change and to support multiple regulations and standards under one compliance process. An effective compliance system includes adequate assessment, remediation and reporting/monitoring for all compliance regulations while accommodating new requirements easily. One way to create this data-driven approach is by implementing a compliance management tool.

For more on flexible compliance:
- read this article at Line56

How NYSE is dealing with SOX

Wed, 10 Jan 2007 19:01:39 -0500

The NY Stock Exchange has a huge project ahead of it now that it has become a publicly traded entity. Due to that change, it will now have to meet the Sarbanes-Oxley (SOX) requirements and as a result, will have to boost already strong data protection measures. As the tech leaders explain, there is no one singular tech tool that will do the job, nor will a simple strategy, given the number of points that data touches both within and outside of the organization. The work requires a "comprehensive defense in-depth mechanism," as well as processes and technology to boost auditing and accountability.

For more on the NYSE SOX approach:
- read the story at Wall Street & Technology

HP scandal likely a common scenario

Sun, 08 Oct 2006 20:01:39 -0400

While the HP scandal is still in full throttle, with recent indictments and its former chairwoman going national on 60 Minutes this past weekend to tell her side of the story, the big news may be that many companies handle confidential investigations in a similar fashion. As one legal expert notes, today's companies should be worried if there's a similar scenario happening within their own businesses and should be investigating exactly how their subcontractors approach data collection and investigative tactics. New federal laws, such as Sarbanes-Oxley, have only prompted more internal investigations in the effort to meet regulatory mandates on providing corporate financial data and accounting processes.

For more on the need to assess investigative strategies:
- check out the TechWeb article

SPOTLIGHT: 4 years later and compliance is taking hold

Sun, 30 Jul 2006 20:01:34 -0400

Can you believe it's just been four years since the infamous Sarbanes-Oxley legislation was passed and compliance to new regulatory mandates hit the tech radar? While it may seen that Sarbox has been around forever, things are looking up in terms of business compliance and risk levels. The experiences gained is starting to pay off with less resources being spent on compliance efforts and improved efficiencies in making compliance a workable business goal. Article