Making Compliance Part of

By Deborah Gage  |  Posted 2006-06-06 Print this article Print

Here's how business is tackling three of the biggest I.T. compliance challenges.

the Business">


  • Company: Panasonic USA
  • Business: American subsidiary of $81 billion Japanese electronics maker Matsushita
  • Regulation: Sarbanes-Oxley
  • Software solution: ProSight Portfolios; ProSight, Portland, Ore.

    Even companies that have been allowed to defer compliance with Sarbanes-Oxley can't count on the companies that have gone before them as any guide. "Sarbanes-Oxley is a bigger box than anyone imagined," says Robert Schwartz, Panasonic USA's chief information officer and a 30-year-plus veteran of the technology industry.

    As part of a foreign company—the Japanese electronics giant Matsushita—Panasonic USA is not required to comply with Sarbanes-Oxley until 2007. But Schwartz is also integrating Panasonic's compliance work into a long-term project to outsource information technology at the company to minimize the law's competition for resources.

    In 2005, IBM took over Panasonic's infrastructure, software development, help desk and PC repair; the lines of business at Panasonic now manage specific information-technology projects, including electronic commerce, supply chain and financial management. IBM executes those projects, and Panasonic tracks progress with a tool from ProSight, which allows the company to graphically capture and measure where it is spending money to help it analyze what else is happening in the company.

    ProSight is Web-based and manages projects on top of a SQL Server or Oracle database. It interfaces with other applications through enterprise application integration or Web services. Prices vary. Competitors include Microsoft, CA and Mercury Interactive, according to the company.

    But though Panasonic built support for Sarbanes-Oxley compliance into its contract with IBM—anticipating the need, for example, to review all security IDs in SAP so employees' roles are segregated—Schwartz says his company still underestimated the level of effort involved to comply with the law. Seeing ProSight's reports on where resources were going helped Schwartz decide to defer a project to create a common way to handle orders and credit until later in the fiscal year. "You can imagine what a financial organization has to do relative to SOX and still run a business," he says.

    Schwartz's long-term goal—beyond compliance—is to get more value out of Panasonic's information technology after years of post-bubble cost-cutting. "You can only take so much cost out without impacting the business," he says. He is supervising a redesign of Panasonic's supply chain to make it more efficient, which will also benefit retailers like Best Buy and Circuit City.

    In fact, companies that take complexity out of their information-technology departments—by consolidating vendors, software applications and databases—wind up spending 36% less on compliance than their peers, according to The Hackett Group.

    "We long ago walked away from being technologists to being businessmen," Schwartz says. "That's the expectation of any CIO today."

    Keeping regulation top of mind can also help a company anticipate future regulation. Matsushita is carefully watching Panasonic's outsourcing project, he says, with the idea of making it global, thus deriving even more value from information technology.

    Compliance with the current round of mandates will get easier because requirements will converge and companies will learn to consolidate their efforts, says Marv Goldschmitt, vice president of business development for Tizor, a startup in Maynard, Mass. Tizor sells an appliance that monitors transactions for several mandates, including Sarbanes-Oxley, HIPAA and Payment Card Industry security requirements, by relying on mirrored copies of customers' data.

    While employees responsible for complying with different mandates often work in different parts of an organization, Goldschmitt says, "They're all interested in critical information accessed—when, why and by whom. How is a credit card security code different from a patient number in a hospital?"

  • <1234
    Senior Writer
    Based in Silicon Valley, Debbie was a founding member of Ziff Davis Media's Sm@rt Partner, where she developed investigative projects and wrote a column on start-ups. She has covered the high-tech industry since 1994 and has also worked for Minnesota Public Radio, covering state politics. She has written freelance op-ed pieces on public education for the San Jose Mercury News, and has also won several national awards for her work co-producing a documentary. She has a B.A. from Minnesota State University.


    Submit a Comment

    Loading Comments...
    eWeek eWeek

    Have the latest technology news and resources emailed to you everyday.