
Dispense SOX like Candy from a Machine


Change Control can make Self-Service SOX a Reality

By Rosen Sharma, President and CEO, Solidcore Systems

Self-service has revolutionized our lives. It has taken consumers out of lines, reduced waiting times and given people more control. It has also been a very effective means to reduce costs for businesses such as banks, gas stations, theaters, parking garages, retailers, and photo printers. You name it, if it's not self-service today, it's probably coming fast.

A similar trend towards self-service can be seen in the world of IT as well. As organizations begin paying more attention to the Information Technology Infrastructure Library (ITIL) framework, they are beginning to view IT as an organization that provides service to the rest of the business. IT organizations have created self-service portals where employees can access information, order equipment, and file help-desk requests -- all things that over the past two decades had required users to interact heavily with IT staff. Today, employees don't have to wait, and the burden on the IT staff has been significantly reduced.

So what about providing Sarbanes-Oxley (SOX) compliance reporting as a service from IT to the auditors? Is it even possible, and if so, what would it look like, and what benefit would it have? To be clear, just as with airport check-in procedures, not every aspect of SOX can be made self-service: you still need someone to check in the bags. However, the majority of the SOX compliance process can be made self-service. In particular, section 404, which makes executive management responsible for establishing and maintaining adequate internal control over financial reporting, can be automated to a large extent.

Don't crank up SOX like a Model T car

The key to a successful compliance program is to recognize that SOX does not simply require that adequate controls be established; it requires an annual review of the effectiveness of those controls. Compliance is not a one-time event but an ongoing process that must be sustained over time.

The corporations that view the compliance provisions of section 404 as a burdensome legislative mandate may not be making the necessary investments for a sustained compliance program. Organizations must view compliance as a means to establish and maintain good process through well-defined internal controls, and more specifically the automation of those controls. The organizations that realize this are more likely to have a successful long-term compliance program.

The conventional approach to establishing and maintaining IT controls is to exhaustively document IT processes and policies, and increase the frequency of review. This manual approach is costly, inefficient and error-prone. A sustainable compliance program must automate the verification and enforcement of IT controls in a manner that causes low operational overhead and decreases the documentation burden on audit personnel.

Is the Change Control Gap getting you down?

The primary issue IT departments face in meeting their compliance requirements today lies in the difficulty of controlling IT systems. Most companies have some form of change approval process, whether formally captured in a workflow system or informally captured via email exchanges. However, a gap exists between the changes documented through the formal process and the actual change activity on the infrastructure.

Consider a situation where an annual audit is coming up. People on the staff of the CIO know that because of SOX, they will need to provide auditors with answers to tough questions about who modified certain data, when, and for what purpose. To gather this information, the IT staff must reconcile every change on a system with its intended purpose and authorization. Additionally, they must be able to demonstrate the change process was followed and that every exception to the process is accounted for in a manner satisfactory to the audit team.

Obtaining this level of detail typically requires examining the access policies and change management processes already in place. However, this is not satisfactory without adequate mechanisms to verify that the change processes were followed. This brings us back to the crux of the issue - a gap between the change process and actual change activity on the infrastructure. It is this gap, which can be referred to as the "change control gap," that causes the exhaustive manual effort typically exerted in meeting compliance requirements. If organizations bridge this gap, self-service compliance audits can become a reality.

Requirements for a self-service framework

Meeting the IT requirements for compliance is an onerous task. The information required to verify IT controls is unavoidably large, exists in many different forms, and is often scattered widely across a complex IT infrastructure. Reconciliation across these information sources is a largely manual, tedious, error-prone and expensive process. In general, it is very difficult for IT personnel to use such scattered information to construct documentation demonstrating the capability to detect policy violations.

For example, even among the leaders in SOX compliance practices, such as large financial services companies, dozens of people suspend their usual job duties for several days every fiscal quarter to collect data and create documentation in what amounts to a "quarterly compliance fire drill."

In order to achieve a self-service control framework, the organization must have automated and comprehensive documentation tied to the change process. Demonstrating to auditors that adequate IT controls are in place requires gaining visibility into the change process, establishing accountability for changes, and selectively enforcing limits on how systems may be changed. In other words, a company's IT controls should, at a minimum, address the following requirements:

1) Visibility, by providing extensive logging capabilities that track all relevant program and data changes, as well as categorize and report on the changes in a useful and actionable manner;

2) Accountability, by reconciling every change with its authorization and purpose to verify that policies have been followed, and reporting on exceptions to the change process; and

3) Enforcement, by selectively enforcing change policies where appropriate so that unauthorized changes are prevented rather than merely detected after the fact.

Automating compliance with change control

Imagine a portal where the auditor could select from a menu of controls the ones that are relevant to the organization. The auditor could also identify the environments to which these controls need to be applied, and select the frequency of validation for each control. Finally, the auditor could define how exception and compliance reports should be generated. With a few clicks of the mouse, an auditor could complete the controls definition. The interface might vary on a case-by-case basis, but the benefits and the cost reduction happen behind the interface, where the work is automated.

Next-generation change control technology is the key to achieving this level of automation. Change control technology improves IT service availability and compliance by closing the change control gap between IT service management and the IT infrastructure. It gives organizations the ability to automate the validation of controls, thereby eliminating the expensive, time-consuming and error-prone manual processes that consume IT resources. The technology uses real-time change detection along with automated, highly accurate change reconciliation to validate every observed change against an authorization. Out-of-process changes, such as emergency fixes, can be automatically documented and reconciled for easier auditability.
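The three requirements above (visibility, accountability, enforcement) and the detect-then-reconcile loop just described can be illustrated in a small script. The following is an added example written for this article; it is not Solidcore's product or code from the original page. The ticket shape (ChangeTicket with a path list, an approval window and an approver), the file paths, file contents, timestamps and the ticket ID CHG-1042 are all constructed for the illustration. It fingerprints a baseline of monitored files, detects what changed, and then reconciles each change against the approved tickets; anything not covered by a ticket naming that path within the approved window becomes an exception for the auditor.

```python
"""Change detection plus reconciliation against approved change tickets.

Added example (not code from the article or from Solidcore). All sample
data below is constructed: paths, contents, timestamps and ticket IDs are
hypothetical.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ChangeTicket:
    """An approved change from the workflow system (hypothetical shape)."""
    ticket_id: str
    paths: Tuple[str, ...]
    window_start: datetime
    window_end: datetime
    approver: str

    def covers(self, path: str, observed_at: datetime) -> bool:
        # A ticket authorizes a change only for the paths it names and
        # only inside its approved maintenance window.
        return path in self.paths and self.window_start <= observed_at <= self.window_end


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Visibility: SHA-256 digest per monitored file, i.e. one snapshot."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare two snapshots; return (path, kind) for every difference."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "deleted"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return changes


def reconcile(changes: List[Tuple[str, str]], observed_at: Dict[str, datetime],
              tickets: List[ChangeTicket]) -> Dict[str, list]:
    """Accountability: tie each change to the ticket that authorized it,
    or report it as an out-of-process exception."""
    report: Dict[str, list] = {"authorized": [], "exceptions": []}
    for path, kind in changes:
        when = observed_at[path]
        entry = {"path": path, "change": kind, "observed": when.isoformat()}
        ticket = next((t for t in tickets if t.covers(path, when)), None)
        if ticket is None:
            # No approved ticket names this path in a window containing the change.
            report["exceptions"].append(entry)
        else:
            entry.update(ticket=ticket.ticket_id, approver=ticket.approver)
            report["authorized"].append(entry)
    return report


def demo() -> Dict[str, list]:
    """Constructed sample: one approved window, one covered change, two that are not."""
    baseline = fingerprint({
        "/etc/app/ledger.conf": b"posting_cutoff=17:00\n",
        "/opt/app/bin/post.sh": b"#!/bin/sh\n/opt/app/bin/post --batch\n",
        "/opt/app/bin/report.sh": b"#!/bin/sh\n/opt/app/bin/report\n",
    })
    current = fingerprint({
        "/etc/app/ledger.conf": b"posting_cutoff=18:00\n",  # on the ticket, inside the window
        "/opt/app/bin/post.sh": b"#!/bin/sh\n/opt/app/bin/post --batch --skip-checks\n",  # in window, not on ticket
        "/opt/app/bin/report.sh": b"#!/bin/sh\n/opt/app/bin/report\n",  # unchanged
        "/opt/app/bin/hotfix.sh": b"#!/bin/sh\necho fixed\n",  # added outside any window
    })
    observed_at = {  # when the change detector saw each change (constructed)
        "/etc/app/ledger.conf": datetime(2019, 3, 1, 23, 15),
        "/opt/app/bin/post.sh": datetime(2019, 3, 1, 23, 20),
        "/opt/app/bin/hotfix.sh": datetime(2019, 3, 3, 9, 0),
    }
    tickets = [ChangeTicket("CHG-1042", ("/etc/app/ledger.conf",),
                            datetime(2019, 3, 1, 22, 0), datetime(2019, 3, 2, 2, 0), "j.doe")]
    return reconcile(detect_changes(baseline, current), observed_at, tickets)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The second exception is the one that matters for the change control gap: post.sh was modified during an approved window, so a reviewer skimming the ticket queue would see "a change happened during CHG-1042" and move on, but the ticket never named that path. Reconciling on both the path and the window, rather than on the window alone, is what turns a change log into evidence an auditor can rely on. Enforcement, the third requirement, would sit in front of this loop, refusing writes to monitored paths that no open ticket covers.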

Companies I have recently been working with are beginning to use change control for Sarbanes-Oxley auditing, and have realized significant benefits both in terms of reduced risk, as well as reduced cost. These benefits are typically divided into two phases.

The first phase consists primarily of automating the large number of manual controls currently in the framework. Audit requirements can be demonstrated on-demand with a self-service audit portal consisting of the required reporting and documentation. Based on my experience working with customers, this phase can increase the automated key controls from roughly 25% to 65%.

The second phase of benefits comes from rationalizing and reducing the control set, based on demonstrating to auditors that control capabilities are built into the fabric of the environment. Determining which controls can be eliminated from the framework requires discussions and approval from the organization's internal and external audit team. In my experience, I have seen organizations yield roughly a 35% reduction in the number of controls required for SOX compliance.

Today, too many companies are spending up to 30% of their IT time documenting for SOX compliance, or they are paying three or four consultants to do the work at a cost of more than $500,000 a year. In addition to the cost, most IT folks hate the drudgery of producing these reports. In most cases, leveraging change control technology to automate most of the SOX compliance effort can yield a recovery of the investment in less than six months. The organization will benefit from significantly less manual effort required to comply with SOX audits, a reduction in frequency of testing due to demonstrable automation, a reduction in number of controls due to process enforcement capabilities, and a reduction in risk due to completeness of coverage.

Rosen Sharma is president and CEO of Solidcore Systems, a leading change control software company. Under his leadership, Solidcore has become one of the fastest growing startups in Silicon Valley with customers that include GM, Ford, NEC, Los Angeles World Airports and Restoration Hardware. Rosen is a serial entrepreneur who co-founded VxTreme (acquired by Microsoft), Ensim, Teros (acquired by Citrix), Green Border, and Teneros.

He currently serves on the board of directors of GreenBorder, Solidcore, and Teneros. Rosen also started Mentor-Partners, a firm to help startup companies in India. The Mentor-Partner portfolio includes companies: BubbleMotion, uGenie, iLantus, and Atlantis Computing. Rosen is a gold medalist from IIT Delhi and he holds a Ph.D. from Cornell University.

He is recognized as a technology visionary, and more of his industry thoughts and perspectives can be found at changecontrol.think-smarter.com

© 2019 Simplex Knowledge Company. All Rights Reserved.