I.T. Governance: Overcoming the Triple Threat

By Deborah Gage  |  Posted 2006-06-06
Mention the word "compliance" in a roomful of executives these days, and you're likely to hear a chorus of groans and sighs.

In addition to Sarbanes-Oxley—the law attacking corporate fraud that Congress passed in 2002—organizations are grappling with the Payment Card Industry (PCI) security requirements for credit card data; the Health Insurance Portability and Accountability Act (HIPAA) requirements for private and secure health-care data; requirements from the Food and Drug Administration to keep terrorists from tampering with supply chains for food and pharmaceuticals; and numerous other federal, state and international regulations, many passed after the Sept. 11 attacks.

"Regulation will continue, and it will be more intrusive, not less," says John Garvey, a partner at auditor Pricewaterhouse Coopers. That's because in democracies, he says, elected officials will not stop insisting that consumers and investors be protected from the risks of modern life.

Some companies are turning to information technology to help them comply with Sarbanes-Oxley and other mandates.

Software products are helping them keep track of employees' roles and responsibilities, changes in their business processes, and whether compliance is contributing to the business at large.

In 2006, 40% of companies plan to spend money for information technology to comply with Sarbanes-Oxley, according to an AMR Research survey of 332 corporations. Sarbanes-Oxley came in first on spending, ahead of 15 other mandates, including document retention, manufacturing process approval, and various privacy and security rules.

And some companies that use software to help them comply with regulatory mandates cite unexpected benefits to their organizations.

At Sky Financial Group, a regional financial holding company in Bowling Green, Ohio, there is a stronger corporate culture more aware of internal controls, according to Donald Hileman, senior vice president of finance.

At Blackboard, which creates and sells software for online education in Washington, D.C., there is more organized communication between the business and information-technology sides of the company, says senior vice president of information technology John Lambeth.

Still, software is not a panacea.

For one thing, information technology has not slowed the rise in spending for compliance—at least not for Sarbanes-Oxley, which requires companies to certify that their financial statements are true. Between 2003 and 2005, the median cost of complying with the anti-fraud law rose 27%, from 0.074% to 0.094% of overall revenue, according to The Hackett Group, an Atlanta-based consulting company specializing in business efficiency.

In addition, standards for information-technology compliance—such as COBIT (Control Objectives for Information and related Technology) and ITIL (Information Technology Infrastructure Library)—are still getting established.

Research firm Gartner says that spending for compliance is scattered across 18 types of products, although they do cluster into three categories—process management, content management, and application access and control. Process management is where companies tend to look first for information technology, although Gartner expects spending to rise in the other two areas in 2006 and 2007.

But there are no "silver bullet" compliance products for companies, says John Hagerty, a vice president at AMR Research. He advises companies against relying on any information-technology product for compliance until they understand their business processes.

"Have a frank conversation with your auditor about expectations, then design your plan and do a lot of work on spreadsheets first," he says. Technology should support the processes, not the other way around.

To better understand how technology has helped businesses deal with regulatory mandates, Baseline interviewed more than 15 companies, consultants, auditors, analysts and vendors, and found three obstacles that most had in common.

Here's how three companies in particular are meeting those challenges.

Getting Employees in Line


  • Company: Sky Financial Group
  • Business: A $1.04 billion financial holding company
  • Regulation: Sarbanes-Oxley
  • Software solution: OpenPages SOX Express, from OpenPages, Waltham, Mass.

    The Sky Financial Group is no stranger to regulation. A $1.04 billion financial holding company headquartered in Bowling Green, Ohio, it operates regional banks, ATMs and insurance agencies throughout the Midwest.

    But complying with Sarbanes-Oxley has been different than complying with other mandates, says senior vice president of finance Donald Hileman. The law reaches more deeply into the organization than any other mandate, and it has forced the company to make sure that everybody involved understands how to comply.

    Sky Financial's auditors were familiar with Sarbanes-Oxley's idea of internal controls from using a risk management framework created by COSO, a commission sponsored by five U.S. accounting organizations that was formed in 1985 to clean up fraudulent financial reporting. The company was able to use that knowledge to help create controls for the new law, Hileman says. But teaching employees about testing and documenting those controls—creating repeatable, auditable processes so that every loan had the right approval signature, for example—involved extra steps.

    For example, one test of a Sarbanes-Oxley control is that a loan has to be signed for by an appropriate supervisor. If auditors pull out a sample of 25 loan transactions and one signature is missing, those signatures can't be used to support the integrity of financial statements.

    "Documenting test plans [for controls] was a challenge," Hileman says. "We had to make sure the tests were doing what they were intended to accomplish."

    During Sky Financial's first year with Sarbanes-Oxley, auditors worked manually to test business process controls and document test plans. Then the company started automating that work, using management software called SOX Express from OpenPages in Waltham, Mass.

    The software, which monitors Sky Financial's test plans and test results, has now been running for two annual financial cycles, Hileman says, and it does help employees document controls to make sure the processes that support compliance don't change from quarter to quarter.

    OpenPages is a former content management vendor that repositioned its products for Sarbanes-Oxley in 2002. It is upgrading, renaming and repositioning SOX Express again this month to appeal to companies that need to comply with regulations globally, a spokeswoman says. Its software is built on Java and integrates with other applications through a Web services Application Programming Interface. It manages documents, monitors workflow and issues reports. Prices vary. Competitors include IBM, Stellent and Paisley Consulting, but there are no leaders in the field, according to research firm Gartner. So far, Gartner says, compliance technology "remains very much a work in progress."

    Having good communication with auditors has been important in getting the company's processes automated, Hileman says. Such relationships can be hard to develop, because Sarbanes-Oxley requires separation between auditors and their clients to avoid gigantic fraud cases like Enron, where auditors were complicit in the fraud. For example, auditors aren't allowed to design controls, although the Public Company Accounting Oversight Board, which inspects public companies for compliance, decided last year that it was OK for auditors to consult with companies on controls.

    To keep its auditors well informed and save time, Sky Financial created a walled-off area of its computer system so they can review controls whenever they wish. The system keeps an audit trail of their activities, Hileman points out, and Sky Financial ends up spending less time explaining things to auditors.

Keeping Job Functions Separate


  • Company: Blackboard
  • Business: A $135.7 million maker of online education software
  • Regulation: Sarbanes-Oxley and PCI
  • Software solution: Tripwire Enterprise, from Tripwire, Portland, Ore.

    With all of the protections against fraud created by Sarbanes-Oxley, the law is vague on the details of how companies should comply. One of the murkier areas is within the information-technology departments of smaller companies, according to Robert Mosely, a director at The Hackett Group, because employees there may do several jobs whose roles conflict.

    Under Sarbanes-Oxley, for example, the person who develops code should not be the same person who submits it to production, even if that person is both a developer and an administrator of an information-technology system and can do both jobs. The law requires segregation of duties—the person who submits a bill can't be the same person who writes the company check to cover it, and so on.

    Blackboard, a developer of online education software, monitors the roles of its employees with software from Tripwire called Tripwire Enterprise. The Web-based software captures a baseline of server and desktop file systems, database structures, directory servers and network device configurations, and compares changes against that baseline. It can work remotely or through agents that customers install locally on devices they want monitored. Prices vary. Competitors are numerous and include IBM, Hewlett-Packard, BMC Software and open-source vendors, according to the company and developers.

    John Lambeth, Blackboard's senior vice president of information technology, says that when the business side wants code, employees submit an electronic request, which must be approved by the business owner, to Tripwire. The request triggers an alert, which creates a ticket in Blackboard's ticketing system describing the order. Auditors must be able to reconcile that ticket with a second ticket, which is created when a technician sends the code into production. It functions as a Sarbanes-Oxley control, showing that the change was requested and was not carried out by the requestor. Any changes to the database are handled in the same way.
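A simplified version of the two-ticket reconciliation control described above, as an added example that is not Blackboard's or Tripwire's code: every production change must trace back to a business-owner-approved request, and the technician who carried it out must not be the requester. Ticket ids, names and system targets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ChangeRequest:
    ticket: str
    requester: str
    approver: Optional[str]   # business owner who approved; None if never approved
    target: str               # system the change was requested for

@dataclass(frozen=True)
class Deployment:
    ticket: str               # request ticket the technician cited
    technician: str
    target: str               # system the change was actually applied to

def reconcile(requests: List[ChangeRequest],
              deployments: List[Deployment]) -> List[Tuple[str, str]]:
    """Return (ticket, finding) for every deployment that fails the control."""
    by_ticket = {r.ticket: r for r in requests}
    findings = []
    for d in deployments:
        req = by_ticket.get(d.ticket)
        if req is None:
            # Change reached production with no request ticket to reconcile against.
            findings.append((d.ticket, "deployment with no change request"))
            continue
        if req.approver is None:
            findings.append((d.ticket, "request was never approved by business owner"))
        if d.technician == req.requester:
            # Segregation of duties: requester must not also perform the change.
            findings.append((d.ticket, "requester also performed the deployment"))
        if d.target != req.target:
            findings.append((d.ticket, "deployed target differs from requested target"))
    return findings

# Constructed sample records: one clean change and three control failures.
REQUESTS = [
    ChangeRequest("CR-101", "alice", "bob", "billing-app"),
    ChangeRequest("CR-102", "carol", None, "lms-db"),
    ChangeRequest("CR-103", "dave", "bob", "lms-db"),
]
DEPLOYMENTS = [
    Deployment("CR-101", "erin", "billing-app"),   # approved, different person: passes
    Deployment("CR-102", "frank", "lms-db"),       # never approved
    Deployment("CR-103", "dave", "lms-db"),        # requester deployed his own change
    Deployment("CR-999", "erin", "core-router"),   # no request ticket exists
]

if __name__ == "__main__":
    for ticket, finding in reconcile(REQUESTS, DEPLOYMENTS):
        print(f"{ticket}: {finding}")
```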

    Blackboard also has to comply with Payment Card Industry regulations, since the company processes transactions for students who buy merchandise with student IDs; Tripwire helps with that as well. PCI secures and restricts access to credit card data, so Blackboard's development staff is only allowed access to places where Tripwire can monitor what they're doing.

    "We've locked down our environment," Lambeth says. "We've made it very difficult for a network or development engineer to change a system or router or firewall setting without triggering an alert that they'd have responsibility to close."

    Another trick in complying with Sarbanes-Oxley is to figure out which controls are relevant to the law and your business (Hint: They are not always the same). Blackboard is one of a few companies that uses COBIT, the controls framework published by the IT Governance Institute, to figure this out. Fewer than half of the companies surveyed by Gartner use COBIT.

    An example of a control that is not relevant to Sarbanes-Oxley is a corporate online travel service, Lambeth says. It may generate expenses and get reflected in the company's results, but it does not play a direct role in the creation of the company's financial statements. So, why bother to test a control for it?

Making Compliance Part of the Business



  • Company: Panasonic USA
  • Business: American subsidiary of $81 billion Japanese electronics maker Matsushita
  • Regulation: Sarbanes-Oxley
  • Software solution: ProSight Portfolios; ProSight, Portland, Ore.

    Even companies that have been allowed to defer compliance with Sarbanes-Oxley can't count on the companies that have gone before them as any guide. "Sarbanes-Oxley is a bigger box than anyone imagined," says Robert Schwartz, Panasonic USA's chief information officer and a 30-year-plus veteran of the technology industry.

    As part of a foreign company—the Japanese electronics giant Matsushita—Panasonic USA is not required to comply with Sarbanes-Oxley until 2007. But Schwartz is also integrating Panasonic's compliance work into a long-term project to outsource information technology at the company to minimize the law's competition for resources.

    In 2005, IBM took over Panasonic's infrastructure, software development, help desk and PC repair; the lines of business at Panasonic now manage specific information-technology projects, including electronic commerce, supply chain and financial management. IBM executes those projects, and Panasonic tracks progress with a tool from ProSight, which allows the company to graphically capture and measure where it is spending money to help it analyze what else is happening in the company.

    ProSight is Web-based and manages projects on top of a SQL Server or Oracle database. It interfaces with other applications through enterprise application integration or Web services. Prices vary. Competitors include Microsoft, CA and Mercury Interactive, according to the company.

    But though Panasonic built support for Sarbanes-Oxley compliance into its contract with IBM—anticipating the need, for example, to review all security IDs in SAP so employees' roles are segregated—Schwartz says his company still underestimated the level of effort involved to comply with the law. Seeing ProSight's reports on where resources were going helped Schwartz decide to defer a project to create a common way to handle orders and credit until later in the fiscal year. "You can imagine what a financial organization has to do relative to SOX and still run a business," he says.

    Schwartz's long-term goal—beyond compliance—is to get more value out of Panasonic's information technology after years of post-bubble cost-cutting. "You can only take so much cost out without impacting the business," he says. He is supervising a redesign of Panasonic's supply chain to make it more efficient, which will also benefit retailers like Best Buy and Circuit City.

    In fact, companies that take complexity out of their information-technology departments—by consolidating vendors, software applications and databases—wind up spending 36% less on compliance than their peers, according to The Hackett Group.

    "We long ago walked away from being technologists to being businessmen," Schwartz says. "That's the expectation of any CIO today."

    Keeping regulation top of mind can also help a company anticipate future regulation. Matsushita is carefully watching Panasonic's outsourcing project, he says, with the idea of making it global, thus deriving even more value from information technology.

    Compliance with the current round of mandates will get easier because requirements will converge and companies will learn to consolidate their efforts, says Marv Goldschmitt, vice president of business development for Tizor, a startup in Maynard, Mass. Tizor sells an appliance that monitors transactions for several mandates, including Sarbanes-Oxley, HIPAA and Payment Card Industry security requirements, by relying on mirrored copies of customers' data.

    While employees responsible for complying with different mandates often work in different parts of an organization, Goldschmitt says, "They're all interested in critical information accessed—when, why and by whom. How is a credit card security code different from a patient number in a hospital?"