Security and SOX: Are CIOs Missing the Boat?
Many CIOs arrived late to Sarbanes-Oxley efforts
Are CIOs sufficiently involved in their companies’ compliance efforts?
When it comes to Sarbanes-Oxley (SOX) compliance, at least, many compliance and security experts contend CIOs are actually insufficiently involved, and often supplanted by chief financial officers (CFOs). That doesn’t bode well for companies’ other compliance efforts.
According to Michael Rasmussen, the vice president for risk and compliance research at Forrester Research, “I do agree that the CIOs haven’t stepped up to bat, and they could have more influence and direction in Sarbanes-Oxley.” That’s especially true since companies increasingly implement automated IT controls—ideally, overseen by CIOs—to ensure compliance.
Did CIOs simply miss the boat on SOX? “I can’t disagree, just based on the number of individuals I’ve talked to in publicly traded companies, as well as from my experience at the SEC,” says Chrisan Herrod, executive consultant for compliance solutions at Scalable Software and the former chief security officer of the U.S. Securities and Exchange Commission (SEC).
What accounts for this state of affairs? Simply put, “The CFO stepped up and said, ‘I’m the chief officer who’s designated to go to jail here, so I’ll be taking charge of the SOX effort, thank you very much,’” notes Charles Le Grand, the CEO and founder of CHL Global Associates.
Legislators, of course, initially crafted SOX to combat perceived business problems and a handful of high-profile financial reporting irregularities. “It was because there were bad actors in companies that manipulated the processes; it wasn’t thought about so much as an IT problem,” recalls Herrod. “When it was finally coupled with IT—because all your financial systems run on applications which are part of your networked environment—people also realized it was also about technology, and the CIOs were brought in, but at the end of the game.”
CIOs’ Involvement Increasing
With SOX compliance efforts maturing, are more CIOs getting involved? “Yes, slowly,” notes Rasmussen.
Their involvement parallels the increasing use of automated controls to help ensure compliance. “If people tried to put a quick solution in place, they did it by using manual controls—in other words throwing bodies at it. In the first year of SOX, that’s certainly how people got through it—by having people, for example, reading all the security logs. But that’s not sustainable,” notes Murray Mazer, co-founder and vice president of corporate development for Lumigent Technologies Inc.
By contrast, automated controls help ensure compliance in a more sustainable, demonstrable, and economical manner, and thus more companies are adopting them. “I’m hearing and seeing people become absolutely more aware within organizations that IT controls—specifically IT security controls—are going to be extremely important, and that these controls have to be put in place and constantly tested and monitored. That definitely brings CIOs into the equation,” says Herrod. As a result, “I think you’re going to see a drastic improvement in collaboration in the C-levels.”
For example, she says, she knows of one mid-size public company located in Florida that discovered it had a SOX compliance problem last year. “It learned a lot of painful lessons, and was trying to hire somebody specifically dedicated to IT compliance, under the auspices of the chief operating officer, with a dotted line to the CEO.”
Such reporting-structure distinctions are essential; be wary of who gets to helm any given compliance effort. For example, “those that are promoting the CIO to be the director of SOX, I’m against that, because it is about financial integrity and accounting, and financial statements,” says Rasmussen.
In fact, in many organizations, the auditors report to the CFO, typically because auditors have always helped assess financial integrity, which is under the CFO’s purview. Yet that reporting structure doesn’t work so well when monitoring for today’s regulatory violations, says John Lazarine, the global IT audit director of Raytheon. “You’ll see a lot of audit departments where the head of auditing reports to the CFO, but that’s not a good practice to have, because then the CFO controls the budget, promotions, and could have a lot of control over what is looked at, and where research is conducted,” he says. “I can understand logically why you’d do that, but from an independence standpoint, it’s not right.”
To whom should auditors report? At Raytheon, for example, “We report directly to the chairman, with a dual reporting relationship to the chairman of the auditing committee,” he says. “It’s important that we are independent. Remember, an internal auditor exposed the whole Enron situation.”
Another impetus to keep auditors independent: you don’t know where they might identify a problem, and ultimately if the problem has to do with business processes or technology controls. For example, even when companies employ automated IT controls, “the technology has to fit within a credible business process,” notes Mazer. “If the process is flawed, technology can’t solve the problem.”
Auditors and IT
Furthermore, when a problem does involve an IT control, IT staff may have difficulty resolving the underlying business problems. That’s where independent auditors can play an important role. For example, when Lazarine discovers a business process that needs improving, he may present his findings to the relevant Raytheon executive, an approach he has taken throughout almost 20 years as an auditor. “To be honest, I’ve taken similar conversations to all levels of the C-suite people—CIOs, CEOs, the chairman,” he says.
Often, he says, auditors will find something and propose a solution, and “when you talk to the IT people, they say you’re exactly right, that’s what we have to do, but they don’t necessarily have the channels in place to bring these things up.”