Better IT Management Practices Result from Compliancy Issues
June 7, 2004 Dan Burger
Are you feeling the heat from regulatory compliance mandates? Although Sarbanes-Oxley (SOX), which applies to internal controls for financial reporting by publicly held companies, gathers the most headlines, there are numerous other regulations pressing companies to rethink their business processes and re-examine the technologies that embody those processes. In most cases, the IT staff is right in the thick of these compliance woes, since compliance usually comes through IT systems and is not optional.

“More than one Gartner client has called Sarbanes-Oxley a ‘blessing in disguise,’” says analyst French Caldwell. During his presentation at the Gartner Symposium in San Diego earlier this year, Caldwell said that SOX is forcing companies to re-examine fundamental processes and redesign them based on input from all the important stakeholders. “Sarbanes-Oxley can be used as a springboard to greater efficiency, better documented IT and business interfaces, and a host of other benefits. Smart enterprises will use this opportunity to meet the letter of the law and go beyond it to become more effective competitors.”

Deadlines for compliance are looming large for many organizations, and the measurements that determine whether the technology has actually benefited them will be applied throughout 2005 and on into 2006 before there is a consensus on whether the technology applied to compliance was successful. We’ll hear about the penalties for non-compliance sooner rather than later, as fines and the public embarrassment of not completing projects in time sting some companies. As this all plays out, many people are wondering whether we are revisiting the Y2K commotion, which, generally speaking, resulted in disappointing returns on IT investments. Or is this a horse of a different color?
“Sarbanes-Oxley has brought to light the importance of implementing controlled processes over IT,” says Sandy King, a product manager at SoftLanding, one of the leading change management software companies in the IBM iSeries market. King says there are notable efficiencies to be gained from the workflow management processes delivered in change management software. “For every dollar spent, a company will gain more than that back in IT efficiencies,” she claims. “This is not a one-time compliance issue that goes away after the first year, as opposed to Y2K. These companies complying with Sarbanes-Oxley mandates will be audited annually.”

Yet because of the urgency in dealing with compliancy issues, comparisons to Y2K are continually made. Leading up to the millennial conversion, IT departments were under a great deal of stress to complete projects on time. The IT industry saw a huge increase in spending in preparation for Y2K, notes Dan Magid, president of Aldon, another of the leading change management software companies in the iSeries market, “but it was to solve a problem that had no additional benefit other than to get through the year 2000.” Comparing the compliancy issues of today to Y2K, Magid says: “The current emphasis will continue into the future because it provides a large benefit to the organization (undertaking the compliancy project). IT is becoming more and more a part of what business is, and we’ve passed the point when computers were considered overhead.” Magid believes investments in IT will continue in the years ahead, and those investments will need to be as productive as possible.

There have been other compliance issues in the recent past. Banking and pharmaceuticals are two areas that Magid noted. Both have stringent regulations regarding managed environments, and both have seen the benefits of a better managed IT department, which went hand in hand with compliancy issues.
The pharmaceutical companies are ahead of the curve on SOX because the same concepts involved in SOX were built into the drug manufacturing process mandates several years ago. The basics of those mandates were to demonstrate an understanding of how every change in a company’s system gets into production, and the ability to document it all. In the pharmaceutical industry, changes to software are treated just like changes to the formulas for drugs. This is really just a best practices approach that can be applied to managing anything, Magid says. “Look what’s happened in manufacturing over the past 30 or 40 years. We’ve taken exactly the same principles we’re talking about today and applied them to manufacturing because we needed visibility into the process. We needed quality. We needed to manage the production of the goods we delivered to our customers. Now the same idea is being applied to our software processes.”

The Sarbanes-Oxley Act was passed into law by the U.S. Congress in response to a series of horrific accounting scandals in major corporations that were discovered in 2001 and 2002. It became law in July 2002. The essence of this act makes an auditor responsible for supervision of an organization’s internal documentation and accountability processes. There are specific provisions for the retention of documents surrounding the audit process and for the documentation of internal process controls.

Change management (CM) software, explains SoftLanding’s King, provides a controlled and auditable process for modifying software. Within the realm of Sarbanes-Oxley, this relates to any application that touches the company’s financial data. CM software “documents all software modifications and allows an auditor to select a sample set of changes for inspection,” King says. “The auditors want to see the entire lifecycle of changes, from the initial request for the change through the final deployment.
Under the new compliance rules, a programmer, for instance, cannot promote his or her own changes to production. There has to be an approval process and reports that show what objects were changed, who changed them, and who approved the promotion.” Change management tools provide a mechanism for that information to be easily accessible and controllable. Based on her interaction with new CM customers who are dealing with compliancy issues, King says many have “functioned in the past with a low-level type of control.” She describes it as a paper trail with no repeatable process in place. “But promotions were not easily recovered if objects were moved to production and later it was necessary to back them out.”

By having more controls in place within the IT department, will there be efficiencies that translate to the bottom line? Magid makes the point that IT departments have never done a good job of tracking what they do. “It’s hard to see cost savings if you don’t know how much it is costing now,” he says. “If you don’t do a good job of estimating the cost of the project and you don’t do a good job of managing and tracking the costs of the project, then it’s hard to say we’ll save money after making changes – we didn’t know how we were doing before. There can be cost savings in doing this, but it is hard to see because we have not established a baseline.”

The key, Magid says, is to start tracking how well you perform by keeping track of what you are promising and how well you are delivering on those promises. This is done by getting better control, doing better testing, and finding out whether quality and delivery times improve and whether overall productivity increases. “Right now, IT delivers something like 24 percent of its projects on time and on budget,” Magid says.
“Companies that improve the management of their IT processes are in the 80 percent to 90 percent range of delivering projects on time and on budget.” Magid says the move to outsourcing illustrates this point. “Outsourcing companies got certified regarding the quality of their management processes. They can show they have a level of IT organization that exceeds what their prospective customer has, because that company likely doesn’t know what level of organization it has. The outsourcing company says we can provide you with better quality at lower cost.”

There is no requirement to use software tools in order to comply with Sarbanes-Oxley. The benefits of reducing risks, eliminating inefficiencies, and increasing communication are all positive factors, but they are not necessarily tied to the purchase of software. “We are clear with people about that,” King says. “But without the tools, it can be very difficult to achieve the requirements.” This would be particularly true for larger companies with more than $75 million in assets, the threshold for the first SOX compliance deadline, November 2004. Publicly traded companies with less than $75 million in assets have their deadline extended until July 2005.

Whether your organization is well prepared for compliance issues thanks to a highly organized and rigorously followed business plan, or whether something close to the opposite is true, the focus is on developing better business processes and more timely financial reporting. The route to compliance, whether it is SOX or any of the other compliance mandates, begins with internal controls that are documented and audited. A company spends a far greater portion of its compliancy budget on the auditing than on the software that helps remedy the weaknesses the audit discovers.
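The promotion control King describes above (a programmer cannot promote his or her own change, an approval must be recorded, reports must show what objects were changed, who changed them and who approved the promotion, and a promotion must be recoverable if it has to be backed out) can be made concrete in a few dozen lines. The following Python is an added illustration written for this page; it is not SoftLanding’s, Aldon’s or any other product’s code. The class and method names, the object names in the PAYROLL library and the users alice, bob and carol are all invented for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class PromotionError(Exception):
    """Raised when a promotion would violate the control policy."""


@dataclass(frozen=True)
class ChangeRequest:
    """A request to move a set of changed objects into production (hypothetical model)."""
    request_id: str
    author: str                       # the programmer who made the change
    objects: Tuple[str, ...]          # library objects touched by the change
    approver: Optional[str] = None    # filled in by approve()


@dataclass(frozen=True)
class AuditEvent:
    """One append-only audit record: who did what to which objects, and when."""
    timestamp: str
    action: str                       # "approve", "promote" or "backout"
    request_id: str
    actor: str
    objects: Tuple[str, ...]
    detail: str


class PromotionGate:
    """Enforces separation of duties and keeps an audit trail for promotions."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []
        self.production: Dict[str, str] = {}                   # object name -> deployed version
        self._prior: Dict[str, Dict[str, Optional[str]]] = {}  # request_id -> versions before promotion

    def _record(self, action: str, req: ChangeRequest, actor: str, detail: str = "") -> None:
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            action=action, request_id=req.request_id, actor=actor,
            objects=req.objects, detail=detail))

    def approve(self, req: ChangeRequest, approver: str) -> ChangeRequest:
        """Separation of duties: the author of a change may not approve it."""
        if approver == req.author:
            raise PromotionError(f"{approver} cannot approve their own change {req.request_id}")
        approved = replace(req, approver=approver)
        self._record("approve", approved, approver)
        return approved

    def promote(self, req: ChangeRequest, operator: str, versions: Dict[str, str]) -> None:
        """Move approved objects into production, remembering prior versions for backout."""
        if req.approver is None:
            raise PromotionError(f"{req.request_id} has no recorded approval")
        if operator == req.author:
            raise PromotionError(f"{operator} cannot promote their own change {req.request_id}")
        missing = set(req.objects) - set(versions)
        if missing:
            raise PromotionError(f"no version supplied for {sorted(missing)}")
        # Capture what is in production now so the promotion can be reversed later.
        self._prior[req.request_id] = {obj: self.production.get(obj) for obj in req.objects}
        for obj in req.objects:
            self.production[obj] = versions[obj]
        self._record("promote", req, operator, f"approved by {req.approver}")

    def backout(self, req: ChangeRequest, operator: str) -> None:
        """Restore the versions that were in production before this request was promoted."""
        prior = self._prior.pop(req.request_id, None)
        if prior is None:
            raise PromotionError(f"{req.request_id} was never promoted or is already backed out")
        for obj, version in prior.items():
            if version is None:
                self.production.pop(obj, None)   # object did not exist before; remove it
            else:
                self.production[obj] = version
        self._record("backout", req, operator)

    def report(self, request_id: str) -> List[Dict[str, str]]:
        """The view an auditor samples: every action on a request, who did it, which objects."""
        return [
            {"when": e.timestamp, "action": e.action, "actor": e.actor,
             "objects": ", ".join(e.objects), "detail": e.detail}
            for e in self.audit_log if e.request_id == request_id
        ]


if __name__ == "__main__":
    gate = PromotionGate()
    # Constructed sample: alice changed two objects in a payroll library.
    req = ChangeRequest("CR-1001", author="alice", objects=("PAYROLL/PR100", "PAYROLL/PRFILE"))
    try:
        gate.approve(req, "alice")          # rejected: author approving own change
    except PromotionError as err:
        print("blocked:", err)
    approved = gate.approve(req, "bob")
    gate.promote(approved, "carol", {"PAYROLL/PR100": "v2", "PAYROLL/PRFILE": "v2"})
    gate.backout(approved, "carol")
    for row in gate.report("CR-1001"):
        print(row)
```

The three checks in `promote` are the ones an auditor would test by sampling: no promotion without a recorded approval, no promotion by the author, and a captured prior state so the backout King mentions is a mechanical operation rather than a reconstruction from memory. In a real tool the audit log would also be kept where the operators it records cannot alter it.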
Caldwell says it is difficult to estimate the cost of Sarbanes-Oxley compliance because of variables within the audit processes and in how well equipped the company is with technologies that can be adapted to solve the problem. “As always, internal costs to document processes and fill the gaps determine user requirements for applications,” Caldwell notes, “and the purchase of additional outside expertise will dwarf the cost of software licenses.” The Gartner recommendation, he says, is for companies to budget 20 percent of their overall Sarbanes-Oxley budget for IT, with that money earmarked for application purchases and development costs.

The auditing process commonly involves an external auditing team that provides an assessment of the reporting and documentation procedures, including an evaluation of the IT environment’s role in these affairs. The result is a list of weaknesses or deficiencies that the audit team uncovers and that require remediation. After the audit report is completed, the company must devise a plan to address the weaknesses. Those solutions could be based on a software tool, a written procedure, or both. Once the weaknesses are addressed, internal testing is done on the new procedures to verify the proper result. Then the outside auditing team returns to verify compliance.

In situations where software factors into the solution, it is typically a product that vendors have been selling for many years. These products have a track record and an installed base. In many instances, King says, the companies now ready to make a purchase have been considering the product for a year or more but were held back by budgetary constraints. Because of the urgency that comes with government mandates, many companies have expanded their budgets, sometimes with money from other departments. Without a doubt, the compliancy issues are pumping up IT budgets. Vendors with software that contributes to the compliancy efforts are enjoying banner years.
“Budgets that were on hold are now open to IT resources applied to SOX,” King says. “Most of the companies we’ve spoken with are through the preliminary auditing phase, and are now addressing the weaknesses pointed out to them by the auditing teams.” Magid says Aldon closed its fiscal year on April 30 showing a 20 percent gain over its biggest year ever. “Industry-wide, the compliance issues have turned around what was a declining investment in the IT industry. Now it is on a growth curve.” According to Gartner reports, the research firm expects the IT spending hike to continue through early 2005.