
Barry Miracle, Senior Manager in BearingPoint's Global Security Service practice, answers CXO's questions.
BMUS. What risk management issues are facing companies today?
BM. In 2004, Sarbanes-Oxley (SOX) compliance clearly became the risk management focus for many IT organizations and it continues to be today. Two years ago I would have said privacy issues were dominant. A few years before that, we would have been talking about hackers gaining access to our infrastructure and data. Of course, everyone recognizes that privacy and system security are still important issues, but the focus on legislative and regulatory risk resulting from SOX has been at the expense of other business risks, which can have a more direct impact on your customers and your business. In a sense, SOX has caused us to take our eye off the ball. Are we prepared for hackers? Do we have the virtual and physical safeguards we need to protect customer information? These issues really can't take a backseat.
BMUS. Year one SOX compliance was more challenging and costly than expected. What do you predict for the future?
BM. People were shocked by how expensive and difficult first-year compliance was. But the big concern today is how to sustain compliance going forward. Year one efforts for most companies centered on how to supply the pieces of paper that would prove they had complied. Unfortunately, because of the unexpectedly large amount of resources required for year one, little attention could be paid to what happens after that. Few people asked: "How am I going to do this again next year?" More importantly, there's been little recognition that SOX compliance needs to be a year-round activity. Instead of relying on periodic audits to find material weaknesses and correct them, companies should strive to install the processes, governance, automated systems and workflows that create sustainable compliance through the natural course of business. These processes should be institutionalized.
BMUS. So clearly companies can take steps to create sustainable compliance within their organization, but what about the suppliers, partners and others that the company must share sensitive data with?
BM. That's an interesting problem as businesses become more interconnected. For us to be compliant, our partners have to be compliant too. Yet a large company really can't force SOX compliance on suppliers. As a result, companies typically create their own certification process for suppliers, conduct spot audits and tell them what they must do to be compliant and remain a vendor in good standing. Ultimately, it's about business control: "Do this or we will have to find a new vendor." A better approach is to set expectations upfront in the relationship. Companies should spell out the products, technologies and processes that partners need to put in place to lower compliance risk to an acceptable level. Not many companies are doing that today.
BMUS. What can companies do to lower risk in the identity and access management area?
BM. Before SOX, companies employed identity management primarily to enhance customer experience and streamline processes and infrastructure. Now, for compliance, it's become important to know who has access to what information and whether they actually accessed and read the information. An identity and access management system centralizes that process, creating a point where all the access control and information for SOX compliance resides. The other thing such systems do is allow handling of large user populations in an efficient, scalable way by assigning roles to people. Then, instead of having to scan records to determine who had access to a database, you can look at which roles had access. Also, when it's time to end access, instead of having to change every user record in the database, you can simply change the permissions given to the roles and the permission goes away for everyone.
BMUS. Are most companies approaching identity and access management correctly?
BM. There are opportunities for improvement. Identity and access management has three major functions: user management, access management and federated identity. Federated identity allows a system to work with other systems, so clearly most companies have addressed it. Most have also implemented some sort of access management. Now, because of SOX, they're having to work on user management, which they had only minimally done when they did the access management piece. Before companies continue to put together their identity management and access solution, they should step back and take a strategic look, because this is an important piece of infrastructure. Identify your key business drivers and let them determine how you create processes, workflows and governance, as well as select and configure products.