iSeries ISVs Make Big Investments in Regulatory Compliance
by Mary Lou Roberts
You've probably read enough stories by now on the giant gray--nothing black and white about it--Sarbanes-Oxley (SOX) elephant in the compliance corner. Whether you're sitting in a Fortune 1000 company or in a mid-tier private corporation, you've presumably already gotten the message that SOX compliance, mandatory for you or not, is just plain good business practice. Depending on your industry, you've also been wading deep in HIPAA (healthcare), Gramm-Leach-Bliley (financial institutions), 21 CFR Part 11 (FDA-regulated industries), Basel II (banking), environmental protection laws and standards, and more.
And let's not forget tax code changes, RFID mandates, ISO 9001 and ISO 14000, SEI/CMM, change control management, UCCnet compliance, and even tracking and reporting on contractual compliance and service-level agreements. The list grows daily as companies struggle to comply with the increasing pressure from within (the bosses are getting nervous) and without (thanks very much, Enron and Global Crossing and Tyco and WorldCom and all you financial companies that have tapes falling off trucks or that are mistakenly selling personal data to identity thieves).
What's a poor, resource-limited IT shop to do to keep up with all this? Are the only choices dedicating budget and staff to meeting compliance requirements, or keeping our fingers crossed that non-compliance (or non-verified compliance) will not bite us and dedicating ourselves instead to doing real business?
Laura DiDio, senior analyst for application infrastructure and software platforms at Yankee Group, reports that the percentage of businesses that are cognizant of the new regulations and their potential and actual impact on the corporation is in the minority. Yankee Group survey data indicates that fewer than 10 percent of corporations are "well prepared" to deal with compliance issues. "Companies that fall into the category of 'somewhat prepared' or 'not at all prepared,' which constitute nearly 50 percent of all businesses, are in for a rude awakening if they do not begin to seriously address internal compliance issues as mandated by the host of new regulatory mandates. The increases to the IT department's overall TCO could range from 10 to 30 percent."
The issue is huge. Steve Finnes, IBM's iSeries business continuity product manager, believes we've only seen the tip of the iceberg. "There's more to come. Many companies are still trying to understand where they are, or even to establish a baseline. Only then will they understand how much they still have to do. Many people say that they want to be compliant, but they still may not even be aware of what they know."
To some extent, of course, it depends on the product and the industry focus; however, most iSeries ISVs report that SOX is the biggest driver of customer activity in the compliance arena. "SOX compliance is the single biggest challenge for our customers, whether or not they are public companies themselves," says Steve Gapp, president and CEO of SoftLanding Systems. "Affected businesses include small subsidiaries of larger companies, businesses that are implementing best practices in anticipation of going public, and those that are trading partners of public companies."
In response to the question of which reporting requirements create the biggest challenges for iSeries shops, John Vanderwall, CEO and co-founder of SkyView Partners, quips: "I'm not trying to be cute, but the answer is: the ones that don't directly speak of data security, starting with SOX. Why? Because there is no standard to follow. It's really left to the interpretation of the auditor. It's much easier to follow something like the payment card industry's security requirements [known as PCI, and not to be confused with server buses] because they are well documented so organizations have an idea of what's expected of them. SOX is a nightmare because it is literally up to the auditor as to what documentation may or may not be required--and we've seen it vary with each audit."
John Earl, chief technology officer for the PowerTech Group, reports his observation that "SOX seems to be the number one reporting requirement." This is backed up by a survey the company took of its customers a few months ago, which found that 86 percent of those questioned reported that SOX was the regulation/standard that had the greatest impact on their work. Part of the problem, says Earl, is that there seem to be as many interpretations of SOX as there are auditors. "The section of SOX (404) that is relevant to IT simply says that management will sign a letter attesting that there are 'adequate internal controls' and that management will get an independent attestation from an outside auditor," he explains. And as for how much time independent software vendors are spending on SOX and related compliance issues, it is surely growing. "Ten to fifteen years ago, that number was zero," explains Earl. "Today, it varies by developer and product, but I would estimate that the average amount of time developers are spending on compliance is between 25 and 50 percent."
That is a pretty hefty workload, to be sure. However, the biggest pain points may well depend on your industry. Daniel Magid, president of Aldon, asserts that SOX compliance is nothing compared to implementing and keeping up with the Visa/Mastercard requirements. So compliance is a relative burden.
As an example, Ardi Batmanghelidj, president of Innovatum, points out that in FDA-regulated industries there is a concept called software validation. "Steps toward having a validated system start as early as the documented creation of user specifications, which lead to functional specifications, which lead to programming specifications, which lead to test cases and written evidence of successful completion of these tests. Each requirement is uniquely numbered, and we generate a traceability matrix that ties all of the different numbers together. Pharmaceutical companies then may elect to audit our procedures to confirm adherence to the compliance requirements. Each audit can take two to three days. We are seeing similar trends in non-FDA industries with significant growth in overhead for documentation and approval processes."
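The traceability matrix described above is the one piece of this article that can be shown as working code. The script below is an added example, not Innovatum's or any other vendor's tooling: it models the chain of uniquely numbered user specifications, functional specifications, programming specifications and test cases, builds the matrix from those links, and flags the gaps an auditor hunts for (a requirement with no test behind it, a failed test, and a test case that points at a specification that does not exist). All identifiers (URS-001, FS-010, PS-100, TC-500 and so on) and their contents are constructed sample data, not real project artifacts.

```python
"""Requirements traceability check (added example, constructed data).

Each level is a dict keyed by its unique ID. Specs are (text, parent_ids);
test cases are (text, parent_ids, result). Parents always point one level
up: FS -> URS, PS -> FS, TC -> PS.
"""

# --- constructed sample data (hypothetical IDs and texts) ------------------
URS = {
    "URS-001": "Electronic signature records user ID and timestamp",
    "URS-002": "Audit trail entries cannot be modified or deleted",
    "URS-003": "Batch records are retained for seven years",
}
FS = {
    "FS-010": ("Signature capture dialog", ["URS-001"]),
    "FS-011": ("Append-only audit log", ["URS-002"]),
    "FS-012": ("Retention policy configuration", ["URS-003"]),
}
PS = {
    "PS-100": ("Sign module", ["FS-010"]),
    "PS-101": ("AuditLog.append() implementation", ["FS-011"]),
    # FS-012 deliberately has no programming spec: URS-003 ends up untested.
}
TESTS = {
    "TC-500": ("Signature carries user ID and UTC timestamp", ["PS-100"], "pass"),
    "TC-501": ("Audit entry is written on each change", ["PS-101"], "pass"),
    "TC-502": ("Audit entry rejects in-place update", ["PS-101"], "fail"),
    "TC-999": ("Stale test from a removed spec", ["PS-777"], "pass"),  # orphan
}


def children_of(level):
    """Invert parent links: parent ID -> [child IDs] in document order."""
    out = {}
    for child_id, item in level.items():
        for parent_id in item[1]:
            out.setdefault(parent_id, []).append(child_id)
    return out


def build_matrix(urs, fs, ps, tests):
    """Return one row per user requirement with everything traced to it.

    status is 'verified' only when at least one test exists and none failed.
    """
    fs_by_urs, ps_by_fs, tc_by_ps = children_of(fs), children_of(ps), children_of(tests)
    matrix = {}
    for uid, text in urs.items():
        f_ids = fs_by_urs.get(uid, [])
        p_ids = [p for f in f_ids for p in ps_by_fs.get(f, [])]
        t_ids = [t for p in p_ids for t in tc_by_ps.get(p, [])]
        results = [tests[t][2] for t in t_ids]
        if not t_ids:
            status = "untested"
        elif "fail" in results:
            status = "failed"
        else:
            status = "verified"
        matrix[uid] = {"text": text, "functional": f_ids, "programming": p_ids,
                       "tests": t_ids, "status": status}
    return matrix


def find_orphans(urs, fs, ps, tests):
    """(child_id, missing_parent_id) for every link to a non-existent item."""
    orphans = []
    for level, parent_level in ((fs, urs), (ps, fs), (tests, ps)):
        for child_id, item in level.items():
            for parent_id in item[1]:
                if parent_id not in parent_level:
                    orphans.append((child_id, parent_id))
    return orphans


def render(matrix, orphans):
    """Plain-text matrix suitable for attaching to a validation package."""
    lines = ["%-8s %-8s %-18s %-18s %-16s" % ("URS", "status", "FS", "PS", "TC")]
    for uid, row in matrix.items():
        lines.append("%-8s %-8s %-18s %-18s %-16s" % (
            uid, row["status"], ",".join(row["functional"]) or "-",
            ",".join(row["programming"]) or "-", ",".join(row["tests"]) or "-"))
    for child_id, parent_id in orphans:
        lines.append("ORPHAN: %s references missing %s" % (child_id, parent_id))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_matrix(URS, FS, PS, TESTS), find_orphans(URS, FS, PS, TESTS)))
```

Run as written, the matrix shows URS-001 verified, URS-002 failed (TC-502), URS-003 untested because nothing was ever built for FS-012, and TC-999 flagged as an orphan. The point for an audit is that "untested" and "orphan" rows are findings even when every executed test passed, and the linkage data itself has to be under the same change control as the code, or the matrix proves nothing.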
However, while the compliance crush may be hard on the users, the vendors love it, says John Siniscal, president of LANSA. "It creates new opportunities for the ISVs. It's a compelling event that forces companies to do something."
That must be true, because there's virtually no end to the product offerings and tools available to iSeries shops to help in all areas of compliance, including project management, security, software change management, reporting, and more. iSeries shops are searching the vendor market for tools that help them automate compliance processes and give them a means of gaining efficiency over manual controls. And there's lots on the market for them to choose from.
Simon O'Sullivan, director of sales at Maximum Availability, reports that compliance issues are now driving the iSeries high availability and disaster recovery markets--with a long way to go and grow. "Compliance issues are forcing iSeries shops to have disaster recovery plans in place," he says. "Still, over 80 percent of iSeries sites do not have a viable DR plan."
Yvonne Schumacher, services technical consultant for Help/Systems, points out that documentation alone is often a challenge for IT. "It has always been very important for IT to generate reliable and accurate financial data. However, to guarantee the consistency and accuracy, IT is also responsible for the documentation of controls and procedures for the information systems within the organization that generate the data. This includes documentation for controls that may identify data integrity problems such as security breaches, software application installations and maintenance, and information system changes. Change management documentation has, therefore, added another time-consuming layer to the list of IT responsibilities. Archiving requirements for this documentation have added an additional challenge as well."
How are iSeries shops responding to these challenges of compliance and reporting? "Frankly, most aren't," says Paul Culin, director of professional services for Bsafe Information Systems. "Before these new initiatives, most shops were audited once a year, many times by people who weren't very conversant with the iSeries. The auditors used a template with some compulsory reports, and simply gave the report list to the shop to run on a regular basis. Much of the old mindset is still quite pervasive, and I sincerely doubt that much will change until auditors come up to speed on what is truly necessary for compliance."
"iSeries customers, like all companies, have to be more methodical today than in the past when it comes to the way they go about their work," says Bill Langston, director of marketing for New Generation Software. "Our customers are more carefully documenting their processes and tightening up security to ensure they can respond effectively to compliance and regulatory mandates."
Companies that are in heavily regulated industries--banking, healthcare, pharmaceuticals, for example--may actually have an advantage in the trek to achieving and maintaining compliance. Edward Reynolds, vice president of product development for Manhattan Associates, points out that those companies "have been dealing with regulations long before SOX." As a result, they have already put in place some of the tools and processes that help to manage compliance.
Despite the plethora of tools available on the market, Steve Rosen, vice president of marketing for EXTOL, reports that some iSeries shops are "taking the hard road, writing custom code. I give them lots of information about why this is a poor way to gain advantage, but it keeps the techies employed writing and maintaining code."
All this is expensive, it's true. There is a significant cost in staff, equipment (including more storage to hold all that data you need to retain and analyze), software, and in many cases, external consultants. For players in industries like healthcare and banking, much of the investment was made years ago; the cost today is maintaining and tightening the controls.