Q&A: The Future of Security, Control, and SOX Compliance
Sarbanes-Oxley compliance started chaotically. By its second year, however, many organizations were investigating how automated controls could help them see SOX not as an annual cost but as a way to reduce business risk. What’s in store for year three?
Sarbanes-Oxley compliance started off chaotically. By year two, however, many organizations were investigating how automated controls could help them see SOX not as an annual, repeating cost, but as a way to reduce business risk.
So what’s in store for the third year of SOX compliance? To find out, we speak with Douglas Laird, the senior vice president of marketing at Virsa Inc., which develops compliance and controls software.
What’s the short history to date of Sarbanes-Oxley?
Year one was a mad scramble: people were just in an all-out sprint to get compliant, there wasn’t a very systematic approach. … The next step people took was … [implementing] the automation and testing of controls to make sure risk doesn’t actually enter your systems.
What this adds up to for year three is, if you talk to people like General Mills, Cadbury Schweppes, T-Mobile, or even most recently General Motors, they’re looking to pull this together into a single platform as much as possible.
What’s the current state of Sarbanes-Oxley automation?
We work with Kimberly-Clark, and they’ve automated 4,000 controls. Some people have gotten very good at it. It costs seven times as much to maintain a manual control as it does an automated control, so the key is to automate as much as you possibly can. Not everything can be automated, but if you look at financial systems, most things—90 percent—can be automated.
Most people’s key business processes are expressed in their applications; they’re in software. So the enforcement of those controls should be automated in software.
On which risks should companies focus their automated controls?
If you look at material weaknesses that have been reported, most are around financial systems—[yet] you see a lot of compliance around stuff that has nothing to do with that. Around IT controls [for example], some companies focus on [whether their] systems are capable of coming back if there’s a flood. … There are all sorts of IT controls [that] don’t reflect the business conditions that were what originally created SOX.
What’s the current availability of a “single compliance platform”?
Basically, the compliance effort is just scattered. It’s representative of the enterprise application landscape about five or six years ago, where everyone was buying applications and trying to knit them together. … But the more systems you use, the more fragmented your approach, and the less accurate it is. And you create more problems. …
Our sense is, companies don’t want to run 10 systems to run compliance. They want a single system integrated into their architecture, and it just kind of runs as part of their IT infrastructure, and eventually these controls will be embedded into their business controls. But that implies everyone has deployed a service-oriented architecture.
How close are we to having compliance platforms?
Right now [compliance functions are being handled by] about three different applications. But once that comes together, we’ll solve between 70 and 80 percent of what we think is compliance today. … The consolidation we’re starting to see is, some of the smaller companies are just starting to fail. The second trend is, there is a significant amount of activity around key players in the business—partnering, acquisitions. … I think it would be safe to say that everyone has their eye on the same ball, of becoming the compliance platform, and it’s driven by the need for simplicity.
So what trends should we expect for the third year of SOX compliance?
One key area is there are a lot of concerns around access control. But one very emerging category, where we’re starting to see a lot more attention from the auditors and interested [parties], is around things like process controls—like order to cash, procurement, closing. … There are very few software controls to automate that. …
Where are such process controls used?
They’re for any key business processes, such as provisioning, giving people access, and then de-provisioning them. For example, [one] typical process is around [not allowing someone] to be able to create and pay a fictitious vendor.
Now there are a lot of things you need to check to make sure that fraud doesn’t occur, such as not allowing duplicate invoices. You’d be surprised how often duplicate invoices get processed—it’s unbelievable. There are a number of flags you need to have in place, but the problem is, if you don’t have the right software in there, then people can actually go in, flip the controls, pay the duplicate invoice, then flip them back.
Weren’t ERP systems supposed to secure these things?
I think putting in place proper-level business controls was, in many cases, missing in many of these financial systems. If you look at what happened around ERP deployments in the late 1990s and early 2000s, many weren’t successful. The monster became implementing these things quickly and showing success, and [two] of the things that got thrown out the window to accelerate success were controls and security … until SOX.
What are some typical automated controls you're now seeing?
Well, you might set a threshold over inventory … to determine, is someone stealing product? Or you might have a control around … purchase requirements. A game a lot of people play is that a purchase requirement can only be a certain size, and then it gets a different level of scrutiny. So if you’re running a marketing budget of $30 million, and any requisition over $30,000 gets more scrutiny … then [you might] write a lot of invoices to the same people for $30,000.
We had done consulting for a large manufacturer, and they figured out there was a huge amount of waste at one plant; their process controller identified that something was wrong. They found out there was a group inside the company that was taking [products] and just selling them from inside the company. So this is the upside to implementing controls.
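The interview names three controls without showing how they work: catching duplicate invoices, catching requisitions split to stay under an approval threshold, and catching the "flip the control, pay, flip it back" pattern. The following is an added example written for this page; it is not code from the article, from Virsa, or from any of the companies mentioned. The invoice, requisition, control-change and payment records are constructed sample data, and the field layouts, thresholds and 30-day window are assumptions chosen for illustration, not anything a particular ERP system uses.

```python
"""Three automated AP controls run over constructed sample data (added example)."""
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sample invoices: (vendor_id, invoice_no, amount, invoice_date)
INVOICES = [
    ("V100", "INV-2041", 4800.00, date(2006, 3, 1)),
    ("V100", "inv 2041", 4800.00, date(2006, 3, 9)),   # same invoice, number re-keyed
    ("V220", "A-77", 1250.00, date(2006, 3, 2)),
    ("V220", "A-78", 1250.00, date(2006, 3, 2)),       # same vendor/amount/day, new number
    ("V300", "9001", 310.50, date(2006, 3, 4)),
]

# Constructed sample requisitions: (requester, vendor_id, amount, req_date)
REQUISITIONS = [
    ("jdoe", "V500", 29500.00, date(2006, 4, 3)),
    ("jdoe", "V500", 29900.00, date(2006, 4, 5)),
    ("jdoe", "V500", 28000.00, date(2006, 4, 10)),
    ("asmith", "V600", 12000.00, date(2006, 4, 3)),
    ("asmith", "V600", 9000.00, date(2006, 5, 20)),   # outside the window
]

# Constructed control-change log and payment log (assumed layouts)
CONTROL_LOG = [  # (timestamp, user, control_name, new_state)
    (datetime(2006, 3, 9, 14, 2), "ap_clerk7", "DUP_INVOICE_CHECK", "OFF"),
    (datetime(2006, 3, 9, 14, 31), "ap_clerk7", "DUP_INVOICE_CHECK", "ON"),
]
PAYMENTS = [  # (timestamp, paying user, index into INVOICES)
    (datetime(2006, 3, 9, 14, 15), "ap_clerk7", 1),
    (datetime(2006, 3, 10, 9, 0), "ap_clerk2", 4),
]


def normalize_invoice_no(s):
    """Collapse case and punctuation so 'INV-2041' and 'inv 2041' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def duplicate_invoices(invoices, window_days=0):
    """Return (index, rule, earlier_index) for invoices that collide with an earlier one.
    Rule 1: same vendor and same normalized invoice number.
    Rule 2: same vendor and amount, dated within window_days, under a different number."""
    flagged, seen_no, seen_amt = [], {}, defaultdict(list)
    for i, (vendor, no, amt, d) in enumerate(invoices):
        key = (vendor, normalize_invoice_no(no))
        if key in seen_no:
            flagged.append((i, "duplicate-number", seen_no[key]))
        else:
            seen_no[key] = i
            for j, prev_d in seen_amt[(vendor, amt)]:
                if abs((d - prev_d).days) <= window_days:
                    flagged.append((i, "same-vendor-amount-date", j))
                    break
        seen_amt[(vendor, amt)].append((i, d))
    return flagged


def split_requisitions(reqs, threshold=30000.0, window_days=30):
    """Flag (requester, vendor) pairs whose requisitions each stay under the approval
    threshold but whose total inside a sliding window reaches it."""
    groups = defaultdict(list)
    for requester, vendor, amt, d in reqs:
        if amt < threshold:               # items at or over threshold already get scrutiny
            groups[(requester, vendor)].append((d, amt))
    hits = []
    for key, items in groups.items():
        items.sort()
        start, total = 0, 0.0
        for end in range(len(items)):
            total += items[end][1]
            while (items[end][0] - items[start][0]).days > window_days:
                total -= items[start][1]
                start += 1
            if total >= threshold:
                hits.append((key, round(total, 2)))
                break
    return hits


def payments_while_control_off(control_log, payments, control="DUP_INVOICE_CHECK"):
    """Pair each OFF with the following ON for the named control and return payments
    made inside that window, with who flipped it: the flip/pay/flip-back pattern."""
    windows, off_at = [], None
    for ts, user, _, state in sorted(e for e in control_log if e[2] == control):
        if state == "OFF" and off_at is None:
            off_at = (ts, user)
        elif state == "ON" and off_at is not None:
            windows.append((off_at[0], ts, off_at[1]))
            off_at = None
    if off_at is not None:                # control never re-enabled: open-ended window
        windows.append((off_at[0], datetime.max, off_at[1]))
    return [(inv, payer, flipper, start, end)
            for ts, payer, inv in payments
            for start, end, flipper in windows if start <= ts <= end]


if __name__ == "__main__":
    print("duplicates:", duplicate_invoices(INVOICES))
    print("split requisitions:", split_requisitions(REQUISITIONS))
    print("paid while check off:", payments_while_control_off(CONTROL_LOG, PAYMENTS))
```

The third check is the one that makes the other two trustworthy: a duplicate-invoice control that a clerk can switch off is only as good as the audit trail of its state changes, so the control-change log must itself be append-only and written by the system rather than the user who holds the switch.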
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.