Sr. Product Manager
Ensuring compliance with Sarbanes-Oxley is a critical business and IT objective for public companies across the U.S. And with good reason. The risks of non-compliance are real—from significant financial penalties to the possibility of damage to an organization’s reputation.
After all, failing a Sarbanes-Oxley audit can indicate ineffective and inefficient internal processes and controls, and serious concerns about the accuracy, reliability, and accountability of corporate disclosures can threaten investor confidence.
So, given the obvious importance of compliance, why are organizations still failing SOX audits?
Organizations fail SOX audits for a number of reasons: chief among them are an event-driven approach to compliance and a lack of documented control procedures that results in controls that are operationally ineffective and poorly designed.
It is essential that compliance control initiatives are strategic, integrated business processes and not one-time “projects” or events. In fact, the foundation of a sustainable Sarbanes-Oxley compliance program begins with organizations taking a risk-based approach to validating internal controls over financial statement reporting. Additionally, the overall SOX compliance program must include ongoing risk management, as well as regular evaluation of the effectiveness of IT controls and compliance initiatives to ensure that standards are being met and risk of inaccurate financial statement information is mitigated.
This is why visibility into the infrastructure is so important. A risk-based approach to SOX compliance requires the documentation of key IT and application controls and the identification of critical systems, in addition to an inventory of the entire environment. According to Gartner, fifty to eighty percent of unplanned downtime and unavailability of financial systems is caused by people and process issues that result in unstable configuration changes. A recent Enterprise Management Association report concurs, indicating that more than eighty percent of IT infrastructure problems are the direct result of change, which is another key focus area that external auditors rely on for their attestation. Without visibility into the organization, and specifically visibility at the configuration level, it is impossible to know whether an organization is compliant or deficient, let alone identify the gaps between the two. To ensure continuous compliance, it is essential to have visibility at a very granular level.
Following the Leaders
Organizations with a track record of successfully meeting SOX and other compliance audit objectives have one simple goal: to ensure a cost-effective, sustainable compliance strategy. To achieve this goal, most have identified ten key steps for creating a sustainable IT compliance program. All ten keys embrace the concept of compliance as a continuous process and focus on achieving greater infrastructure visibility and validating that controls are in place to assure the accuracy of financial statement reporting.
1. Automate, automate, automate. Automation is the first step to ensuring sustainable IT compliance. By eliminating the “human” element of compliance, organizations can ensure consistency and preparedness, regardless of when an audit takes place. In fact, systemic reports, compiled automatically, are the most likely to be accepted as auditable evidence and satisfy audit requirements.
In addition, meeting the requirements of Sarbanes-Oxley mandates manually forces your IT staff to be directed away from business-critical activities, and most external auditors will place a lesser reliance on your controls and testing strategy. By automating mundane, compliance-related tasks, you’ll reduce the workload and expense of manual identification, tracking, and reporting of IT controls, and you’ll have an opportunity to reallocate compliance resources back to key IT initiatives. Additionally, auditors will place a higher level of reliance on systemic reports that are derived from SOX-significant systems. According to the IT Policy Compliance Group in their recent research report, “Taking Action to Protect Sensitive Data,” organizations with the fewest compliance problems spent nine percent more to automate audit functions, while spending eleven percent less on contractors and outside services.
2. Evaluate and adjust. Compliance must be process driven—proactive rather than reactive. And, as with any business process, the effectiveness of IT controls and compliance initiatives must be evaluated regularly, so that you can adjust to changing business and audit requirements. One of the reasons organizations fail compliance audits is that IT systems are not adjusted as business processes change. Aligning business and IT processes will ensure the efficiency and cost-effectiveness of the compliance process.
3. Self assess. Once IT controls are established, regular, proactive self-assessment of key control processes allows you to stay on track, and to pinpoint problems as soon as they arise. This can reduce mean time to resolution, ensuring business services remain available and saving valuable resources. In addition, with regular self-assessment, you can validate compliance status before an audit has begun.
4. View compliance as an opportunity. Instead of panicking about compliance requirements or an upcoming audit, view both as an opportunity to improve core IT and operational processes, as well as a way to effect positive change in your environment. Leverage compliance requirements to make IT controls and IT operations more efficient and effective. Look at an audit as an opportunity to validate security controls and to pinpoint vulnerabilities in your infrastructure—which, if unidentified, could leave your organization vulnerable to a security breach and have costly audit consequences.
At the same time, the compliance process should also be an opportunity to build a relationship with your Sarbanes-Oxley auditor. With an open line of communication, you and your team will understand clearly from the outset the expectations and objectives of the audit. Involving your auditor early in the process can provide valuable information as you establish IT controls and establish related business processes.
5. Be practical. While you should always remain focused on an optimum outcome to any compliance process or audit, it is more efficient and cost-effective to use a practical, methodical approach. While it is always exciting to get an “A+,” for example, sometimes a “B” or “C” is enough. Striving to get an A+ on the audit may leave other business and security issues unresolved.
6. Understand what interacts with regulated data and the business effect. Today’s IT organization is fully integrated within the business, and organizations are looking to improve business performance while reducing compliance costs. To achieve this goal, you must be conscious of the relationship between IT and overall business requirements to ensure that IT remains aligned with business goals.
7. Manage your controls. Because the IT department must be so closely integrated with business needs, there is a direct relationship between IT controls and business processes. You should constantly evaluate which controls are material to business systems and anticipate change. In any organization, there will likely be compliance gaps. What is important is to be able to focus on those gaps that could turn into a material weakness or cause an auditor to determine that an organization is not in compliance with a requirement.
Change management is the key to success for the entire compliance process. IT controls evolve every time a change occurs in the infrastructure—whenever new hardware or applications are deployed or updated, any time personnel changes are made, or any other change takes place. Auditors regularly evaluate the effectiveness of IT control and change management processes. When you can control and manage change on a continuous basis, you gain the visibility necessary to ensure your infrastructure is secure, compliant, and effective.
At the same time, to ensure successful audits, you should document all controls and then minimize them to a list that is manageable and easy to understand. These controls should align with audit objectives and encompass only those that are critical to maintaining compliance. Once controls are established, regular, proactive self-assessment of IT control processes can help organizations pinpoint problems as soon as they arise.
8. Leverage tools with other benefits. To maximize your IT investments, choose automated solutions that address the requirements of multiple IT projects rather than just a particular compliance need, and then combine automation with effective IT processes.
9. Use metrics to test controls. Find tools that provide visibility into your critical IT controls. It may sound cliché, but if you can’t measure it, you can’t manage it.
10. Don’t reinvent the wheel. There are dozens of compliance requirements, and the number of requirements is increasing. By adopting frameworks like COBIT/COSO and ISO17799 to establish your benchmarks, you can leverage the processes and controls to satisfy multiple compliance requirements. Building a solid framework to solve different requirements across business “silos” will help you drive down the cost of compliance.
Importantly, a sustainable IT compliance program—and the associated IT controls and change management processes—can lead to additional benefits that should not be overlooked, including a more secure environment, improved operational efficiency, and increased system performance.
A Sustainable, Automated IT Compliance Program
The answer for organizations that have been cited for multiple control deficiencies on their compliance audits, or are expending too many financial and personnel resources to meet compliance requirements, is a sustainable, automated IT compliance program. With this approach, organizations can deliver the kind of auditable evidence auditors require to be assured of the reliability of internal control processes. At the same time, compliance can continue to be validated over time by taking a systematic approach to ensuring compliance across the IT infrastructure.
Bryan Cote is Ecora's Sr. Product Manager, responsible for ensuring that Ecora's products keep pace with rapidly changing customer needs in a market of evolving regulatory environments and constant technology innovation.
Bryan has over 15 years’ experience defining and developing cutting-edge products for transaction processing, payment systems, order processing, and digital rights management, and has led teams within both engineering and product management.
Bryan's broad understanding of both technical and operational issues has been instrumental in the development of such innovative products as the first digital rights clearinghouse to be certified by Microsoft, the first automated catalog management and fulfillment system to be integrated with AOL, and several order management, payment, and fulfillment systems used by leading retailers for products ranging from high-end goods to classroom training.
Bryan received his B.S. in Business Administration from Franklin Pierce College and is currently pursuing coursework towards his MBA.