Compliance is about more than Sarbanes Oxley these days but the phrase "SOX in a Box" still speaks to the software business' tendency towards hype and promises that can't be kept. In his audio interview with Dan Farber, Trent Henry puts forward a good way to view technology. It's certainly one that fits CA's philosophy of Compliance = ROI. Here's Trent:
"Sox in a Box" was a tongue-in-cheek way of hitting vendors over the head for claiming way too much functionality in their products. When we really analyze what these solutions can do, they tend to be only a very small part of the compliance equation for an organization. The important thing to do is to establish an architectural approach. Understanding the regulatory requirements and control objectives that are established by your audit team, you can begin to look at a two- to three-year planning horizon for the implementation of technologies that will implement those controls, and then over time, effectively, the entire ship will be steered to a compliant set of technologies.
That last line is crucial to CA's philosophy. When you implement the right level of compliance, you bring all your business processes into alignment with best practices. But this doesn't mean buying Sox in a Box; it means implementing technology into an architecture.
Technology isn't the panacea, but when properly applied within the proper architectural approach, technology removes human error and creates automation and repeatability in the audit and testing processes, which really brings down costs. The cost savings aren't just in compliance efforts but also in the improvement of fundamental business processes and the protection of information.
It really starts with risk management. It's keeping with the COSO framework that's recommended for risk management in the organization, understanding the types of threats and vulnerabilities, and then deriving an architectural plan that responds to risks.
Compliance efforts are fundamental to your corporation's future. Not only is the freedom of your chief executives at stake, but also your ability to manage risks, resolve problems early on, and really to compete with companies who fully understand their business processes; all of this comes down to how you implement compliance. Obviously, you can't enable all that by signing a software contract.
Don't just go out and buy all the technology your vendor says you need. You need to stop and run a really well-managed project with a strong assessment component, and really understand what risk management framework you're operating under and what the minimum set of controls needed to achieve that is.
Don't let your auditors have a checklist mindset when they come into the organization, because that can often get us scurrying to do things that aren't required for our organization. For instance, the PCAOB (Public Company Accounting Oversight Board) earlier acknowledged that many audit firms were simply preparing checklists of controls they thought were required, and had a bit of an expectation that you jump through hoops. What you really need to do is sit down and ask for a mature auditor, explain your control framework, explain your architecture, and then have them assess what's already in place. And sometimes you have to push and assess their motives for why they're asking for the set of controls they're asking for.
Thanks Trent, for a cogent explanation of how Compliance = ROI.