In-Depth

IBM Moves Into Regulatory Compliance Arena

New services and technology offerings from Big Blue help companies comply with Sarbanes-Oxley and other complex regulations.

• By Stephen Swoyer
• 12/18/2003

IBM Corp. last week jumped into this fray, announcing a set of Sarbanes-Oxley-related services and technology offerings. Big Blue also introduced products and services designed to ensure compliance with other regulatory requirements, including USA Patriot Act, Securities and Exchange Commission (SEC), New York Stock Exchange (NYSE), and Nasdaq (NASD) requirements.

IBM’s interest is understandable: Research firm AMR Research estimates that companies will spend as much as $2.5 billion on Sarbanes-Oxley compliance in 2003. In addition, AMR says more than 60 percent of companies are also looking for external compliance assistance in the form of audit firms or consultants.

To help frame its new product and services introductions, Big Blue touted a survey by IBM Business Consulting Services (BCS), which found that one in 10 CFOs and financial executives believe their internal controls are compliant with Section 404 of the Sarbanes-Oxley Act, less than eight months before the compliance deadline. Although the majority of CFOs believe their companies will be Sarbanes-Oxley-compliant by the June 15th deadline, IBM says there’s an opportunity to help them get there.

“I think that for the most part, some people are way ahead of the game, while others feel like they’re going to get there,” confirms Steve McLaurin, a partner and certified information systems auditor with BCS. “Some of them are probably waiting to the last minute, others are using that time not just to get the documentation in place, but also to improve some of the processes along the way. The focus that you’re finding a lot of the companies take is how to get through the compliance [by the deadline].”

After the first deadline for Sarbanes-Oxley compliance passes, McLaurin speculates, many of these organizations will want to restructure their systems and business processes to achieve greater efficiencies. Companies that are ahead of the compliance game are doing that now, he says.

IBM is introducing a variety of compliance-oriented technology offerings, starting first and foremost with a services component that’s offered in tandem with accounting and professional services giant KPMG. This latter offering consists of a catalog of Sarbanes-Oxley-oriented controls. “One of the things [KPMG is] bringing to the table is a controls catalogue, so if a company hasn’t started to figure out the controls it needs for its systems, it provides a starting place to look,” McLaurin explains, adding a caveat: “We’re not saying that if you put these controls in and you will get compliant. This provides a list of controls that [companies] can choose from.”

Big Blue announced a dedicated controls offering of its own—Lotus Workplace for Business Controls and Reporting—a product designed to help manage processes, controls, and information related to Sarbanes-Oxley compliance. McLaurin says the Lotus offering can provide a foundation for a company's financial reporting processes and brings an organized approach to gathering information about internal controls. It includes a “Control Assessment Template” and embeds capabilities from IBM’s WebSphere Portal and DB2 Content Manager products. McLaurin says IBM will provide this offering as a hosted service for companies that require it: “If the client doesn’t want to put that technology in [on site], we can host it for them. We can do that in a secure manner, so they don’t have to worry about it.”

Other offerings include:

• IBM Anti-Money Laundering Service helps companies comply with the USA Patriot Act of 2001, which requires that companies establish programs to "prevent and detect" money laundering. This service also has some overlap with Sections 404 and 409 of Sarbanes-Oxley, which require that companies implement improved monitoring to detect and protect against internal fraud. The service is sold as a hosted offering designed to replace what has traditionally been a manually intensive process.

• IBM Email Archive and Records Management Service helps companies meet SEC, NYSE, and NASD regulations. Under the terms of this service, IBM will provide financial services companies with on-demand e-mail archiving and records management as part of a hosted utility service for inbound/outbound e-mail, internal e-mail, and instant messages.

• IBM DB2 Content Manager for Data Retention Compliance combines IBM’s DB2 Content Manager, DB2 Records Manager, and DB2 CommonStore services (along with third-party software from iLumin) to help companies meet SEC and NASD regulations. The offering provides data archiving and retention capabilities.

• IBM Tivoli Storage Manager for Data Retention lets companies implement non-rewriteable, non-erasable storage controls to prevent deletion or alteration of data stored using IBM Tivoli Storage Manager.

• IBM’s TotalStorage Enterprise Tape Drive 3592 tape media and drives will feature Write Once Read Many (WORM) media technology, ensuring data that's written can’t be overwritten.

• IBM Asset Disposition Data Disposal - Disk Wipe Services makes sure that sensitive information (such as financial or medical records) is not left on disk drives. IBM says these services are rigorous enough to meet Department of Defense standards and can be tailored to meet customer-specific requirements.

In spite of the IBM-centric focus of the technologies that Big Blue announced, McLaurin says companies that don’t have a significant investment in IBM technologies can also benefit. “Obviously these solutions are built on IBM platforms, but even the Lotus Workplace for Business Controls, uses a WebSphere Portal and DB2 Content Manager, which are not exclusive IBM [technologies],” he says. “In terms of the technology that we use here, we’re open to the fact that they don’t have to be totally an IBM Blue shop to take advantage of these offerings.”

He’s careful to stress, however, that IBM is not in the business of certifying customers for compliance with Sarbanes-Oxley and other regulatory requirements. “We help companies with the arms and legs [of compliance issues], we can’t say these are the controls that will make you compliant. But we can help them do the things that they need to do, such as documentation of internal controls,” he notes.

Editor's Note: This story originally appeared in Enterprise Strategies.