13 Steps to
Prepare for the Sarbanes-Oxley Deadline
By Debbie Christofferson
CISSP, CISM, www.sapphire-security.com
IT managers carry no personal legal obligation under the new Sarbanes-Oxley law,
but if they want to hold on to their jobs, they had better own the boat and row it.
Broad and far-reaching, the purpose of the Sarbanes-Oxley rules is to protect
investors and guarantee the accuracy of financial reporting. Much bigger
than it appears at first blush, the law requires a first pass at compliance
by November 15 for Section 404 (internal control over financial reporting), which is the part that lands on IT.
Sarbanes-Oxley boils down to a set of U.S. Government regulations.
Financial accountability is forced on public companies capitalized at
$75 million or more, through their CEO and CFO personally. It depends heavily on
controls and documentation. Even in long-regulated businesses,
a lot of work is required.
The law does not stop at the U.S. public company itself.
It spills over into your offices doing business in other countries and
into your partners and outsourced services. If you plan to go public
later, or even think you might, early action today will save
you big money and headaches tomorrow.
Focus on these 13 steps to design a solid foundation that helps you
hit the ground running:
1. Identify an owner for the IT compliance program:
• Create the focus you need and build in management checkpoints
for accountability, support, problem resolution, and prioritization.
• But remember, the buck stops at the top – senior
executives hold responsibility and must stay in the loop.
2. Tie your IT compliance program and efforts into your
organization’s Sarbanes-Oxley compliance processes:
• Separate efforts must be merged to avoid overlap, gaps, and
redundancy, and to leverage resources and outcomes.
• IT enables most of your financial processes and is therefore critical
to Sarbanes-Oxley. You had better be seated at the table.
3. Build a management body that oversees the program at
a high level, and include responsible representatives from key organizations:
• Connect IT, Legal, Audit and any other related stakeholders
motivated to succeed by definition of their job function.
• Establish check points and regular meetings, and a format
to escalate and report on progress.
• Link into any existing body already at work.
4. Kick off a task force or project team to lead the program:
• Choose a strong dedicated leader as the coordination
point for compliance work.
• Assign a management sponsor from the management body that
will champion this team’s efforts at the next level up, open doors
and remove barriers.
• Select team representatives with the authority to get the
job done.
• Base membership on their understanding of the business,
the IT infrastructure, and how both support the organization’s
finances and operation.
• Use outside resources if you need to, but maintain internal
senior management responsibility.
5. Include security right up front:
• Security is a key component of the controls on any system,
and without security, all bets are off for the integrity of those controls.
• Consider leading your team with a strong security manager
who can influence and communicate to gain results across multiple functions
and geographies.
6. Write and communicate a project plan, and regularly
report progress to all stakeholders:
• This increases visibility and leverages progress
to maintain momentum and establish clear priorities and focus.
• It keeps everybody on the same page.
• Better communication builds stronger results.
7. Document the processes that support your financial systems:
• This defines your starting point and helps identify
and prioritize what work is needed.
• This makes it easy for an outsider to walk through your financial
transactions. Include outsourced systems and support.
• Walk through the process and document the weaknesses and
where improvements are needed.
• Do not soft-soap the results.
8. Address system controls that support accurate and timely
data for management use:
• These include controls over access, authorization,
availability, and the ability to audit systems and processes.
• Include disaster recovery planning under availability.
• Separate duties, and control identity management, including how privileges
are granted and revoked.
9. Self-audit your financial applications and the IT and
security infrastructure supporting them:
• Create a checklist based on the COSO or COBIT frameworks.
• Take a look at where you are today, identify the gaps,
and create an action plan to address them over the next year.
• Document the result for your management.
• Phase your approach if you need to in one, two, and three
year plans and stay on top of it.
• Do a Google search for the framework names if you need references.
COBIT is published by ISACA at www.isaca.org.
10. Record and track areas where you are non-compliant
and follow-up on remediation:
• Use the list as a way to maintain progress and
use it to start all your project team meetings.
• Create a plan to address areas that are out of compliance.
• Assign an owner and keep a running list of the items for
resolution.
11. Involve your internal and external auditors early:
• Early involvement leverages time and resources best.
• Make sure you understand their expectations and how your
organization can support them, and how you will work together.
• Ask for guidance in testing your controls and processes.
• Give your program manager a matrix (dotted-line) reporting relationship to the internal audit
function.
12. Prioritize your work based on risk:
• Draft a plan for the year and get started.
• Base your priorities on the specific risks to Sarbanes-Oxley compliance
and on what you need to tackle first to close the biggest holes.
• Pick off low-hanging fruit that can be achieved with little
effort or resources, especially when they yield big results.
• Little steps add up to big ones, so don’t overlook
smaller opportunities.
13. Communicate in business terms, not IT tech-talk:
• Relate your communication to the business, not specifically
to IT or security.
• Make it clear what you mean, and use business language,
not IT terms.
• Limit your discussion of technology solutions.
• Compliance and security are not solely products of technology.
• Keep all communication focused on the business.
• Keep your employees in the loop.
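Step 8 lists the control areas but not how to test them. What follows is an added example, not part of the original article and not the author's checklist, showing how two of those controls, separation of duties and timely revocation of privileges, can be checked mechanically over an extract of account records. The role names, the conflict pairs, the 90-day dormancy threshold and the sample users are all constructed for illustration; a real conflict matrix comes from Finance and Audit, and the records would come from your HR system and directory.

```python
"""Added example: mechanical checks for two Step 8 controls, separation of
duties (SoD) and privilege revocation, over a constructed extract of accounts.

Role names, conflict pairs, thresholds and sample records are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed SoD policy: role pairs that one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"ap_create_vendor", "ap_approve_payment"}),
    frozenset({"gl_post_journal", "gl_approve_journal"}),
    frozenset({"payroll_change_rate", "payroll_run"}),
}

# Roles treated as privileged for the dormant-account check (hypothetical).
PRIVILEGED_ROLES = {"ap_approve_payment", "gl_approve_journal", "payroll_run", "sysadmin"}


@dataclass
class Account:
    user: str
    roles: Set[str]
    terminated_on: Optional[date] = None  # HR termination date; None while employed
    disabled: bool = False                # whether the login is actually disabled
    last_login: Optional[date] = None


def sod_violations(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Every (user, role_a, role_b) where one user holds a conflicting role pair."""
    found = []
    for acct in accounts:
        for pair in SOD_CONFLICTS:
            if pair <= acct.roles:
                role_a, role_b = sorted(pair)
                found.append((acct.user, role_a, role_b))
    return sorted(found)


def unrevoked_access(accounts: List[Account], as_of: date, grace_days: int = 1) -> List[str]:
    """Users terminated by HR more than grace_days ago whose login is still enabled."""
    cutoff = as_of - timedelta(days=grace_days)
    return sorted(
        a.user for a in accounts
        if a.terminated_on is not None and a.terminated_on <= cutoff and not a.disabled
    )


def dormant_privileged(accounts: List[Account], as_of: date, max_idle_days: int = 90) -> List[str]:
    """Enabled accounts holding a privileged role with no login inside max_idle_days."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a.user for a in accounts
        if not a.disabled
        and a.roles & PRIVILEGED_ROLES
        and (a.last_login is None or a.last_login < cutoff)
    )


# Constructed sample records (not real users or systems).
SAMPLE_ACCOUNTS = [
    Account("alice", {"ap_create_vendor", "ap_approve_payment"}, last_login=date(2004, 10, 28)),
    Account("bob", {"gl_post_journal"}, last_login=date(2004, 10, 29)),
    Account("carol", {"gl_approve_journal"}, last_login=date(2004, 6, 1)),
    Account("dave", {"payroll_run"}, terminated_on=date(2004, 10, 1), last_login=date(2004, 9, 30)),
    Account("erin", {"sysadmin"}, terminated_on=date(2004, 10, 15), disabled=True),
    Account("frank", {"sysadmin"}, last_login=None),
]


def run_checks(accounts: List[Account] = SAMPLE_ACCOUNTS, as_of: date = date(2004, 11, 1)) -> dict:
    """Bundle the findings in the form a Step 10 non-compliance tracking list would consume."""
    return {
        "sod": sod_violations(accounts),
        "unrevoked": unrevoked_access(accounts, as_of),
        "dormant_privileged": dormant_privileged(accounts, as_of),
    }


if __name__ == "__main__":
    for name, items in run_checks().items():
        print(f"{name}: {items}")
```

Each finding maps to a control the auditors will ask about: alice can both create a vendor and approve its payment, dave's login survived his termination, and carol and frank hold privileged roles nobody has used in months. The output is deliberately a plain list so it can be carried straight into the running non-compliance list of Step 10 and re-run before every project meeting.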
Sarbanes-Oxley will not be solved with these steps alone or in your first
year. It is a continuing process of improvement, and it will take two
or three years to really establish the structure you need. Gas
will not be the only thing guzzling – this pig will drive IT spending
for a while.
Make the most of the imposed overhead. Outcomes will align IT
to the business, leverage IT competitive advantage, and integrate and
simplify processes and systems. In the end, your operation will
be stronger, but carrying a stiff price.
Not where you need to be yet? Act now, and run fast to gain momentum.
We’re not playing house. Stiff requirements connect with
stiff penalties. You don’t want to raise your company as
a test case.
Debbie is a security management expert who helps organizations identify
and manage their risks through speaking, writing and strategic consulting.
Ask for a copy of a template checklist “Auditing Sarbanes-Oxley
for IT & Security Managers”.
Send an e-mail titled “SOX List” to DebbieChristofferson@earthlink.net.
Copyright 2004 www.sapphire-security.com.
© 2006 Enterprise Systems Consulting, Inc. all rights reserved.