"They are on to us," former Enron CEO Jeffrey Skilling reportedly told a colleague in 2001 after hearing about a scathing report of Enron by Off Wall Street Consulting, a research firm. The report was the first sprinkle of rain before the storm that culminated in the Sarbanes-Oxley Act (SOX). While SOX aims to prevent fraud, few CIOs in 2001 could have anticipated the effort and expense required by the law.
So how can we streamline compliance and reduce the expense of SOX? At NCI Building Systems, we haven't identified a single path to comply efficiently, but rather several nuts-and-bolts principles to improve controls and cut costs.
Start with CobiT guidelines. The Control Objectives for Information and related Technology from the IT Governance Institute (www.itgi.org) help identify key controls in your organization. It is much easier to start with CobiT and match it with your controls rather than vice versa.
Identify the hard stuff early. Some controls, notably change management and data access procedures, are time-consuming to test and remediate. In particular, segregation of duties is a critical IT control that requires a major time investment.
Don't confuse best practices and key controls. SOX requires proper governance (i.e., key controls), not organizational efficiency (i.e., best practices). So, for example, a best practice is to avoid hard-coding data in programs. But a key control might require that the same person not develop code and also move that code into production to prevent unauthorized and potentially fraudulent program changes.
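The segregation-of-duties key control described above can be tested mechanically rather than by reading tickets one at a time. The following script is an added example, not code from NCI Building Systems or the authors: it assumes a simple comma-separated change log with a change id, the developer who wrote the change, the person who promoted it to production and the approver who signed off (these field names are assumptions), and it reports every record where one person filled two of those roles or no approver was recorded.

```python
"""Segregation-of-duties check over a change-management log.

Added example for the key control discussed above: the person who develops
code must not also move it into production. The record layout
(change_id,developer,deployer,approver) is an assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    developer: str  # who wrote/committed the change
    deployer: str   # who promoted the change to production
    approver: str   # who signed off; empty string if nobody did


# Constructed sample log, one line per promotion to production.
SAMPLE_LOG = """\
CHG-1001,alice,bob,carol
CHG-1002,dave,dave,carol
CHG-1003,alice,bob,
CHG-1004,erin,frank,erin
"""


def parse_log(text: str) -> list[ChangeRecord]:
    """Parse the constructed log format into ChangeRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        change_id, developer, deployer, approver = (f.strip() for f in line.split(","))
        records.append(ChangeRecord(change_id, developer.lower(), deployer.lower(), approver.lower()))
    return records


def sod_violations(records: list[ChangeRecord]) -> dict[str, list[str]]:
    """Return {change_id: [reasons]} for every record that breaks the control.

    Three conditions are checked: the developer promoted their own code, no
    approver was recorded at all, or the approver was one of the two actors
    and therefore not independent.
    """
    findings: dict[str, list[str]] = {}
    for r in records:
        reasons = []
        if r.developer == r.deployer:
            reasons.append("developer also deployed")
        if not r.approver:
            reasons.append("no approver recorded")
        elif r.approver in (r.developer, r.deployer):
            reasons.append("approver is not independent")
        if reasons:
            findings[r.change_id] = reasons
    return findings


if __name__ == "__main__":
    for change_id, reasons in sod_violations(parse_log(SAMPLE_LOG)).items():
        print(f"{change_id}: {'; '.join(reasons)}")
```

Run against the sample log, the check flags CHG-1002 (same person developed and deployed), CHG-1003 (no approver) and CHG-1004 (approver was the developer), while CHG-1001 passes. In practice the input would come from the change-ticketing and deployment systems, and the report itself becomes the evidence file for the control, in line with the "avoid paper" point made later in the article.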
Avoid paper. IT controls can be documented with screenshots, electronic files and imaged paper documents. This speeds workflow and allows the external auditor to carry a CD copy for easy off-site review.
Encourage visual display of results. While the large accounting firms might disagree, SOX auditing today is much like the auditing of yesterday: Staff is stretched thin and appreciates anything that speeds the review process. For time-strapped staff, signposts and pictures are helpful.
Don't make IT professionals write policies and procedures. Just because IT professionals may be able to write doesn't mean they should. With IT duties at peak levels, it's unlikely that you'll get your best and brightest to focus on writing.
Tie key controls to IT policies and procedures. If your policy manual stipulates that your system be configured to prompt users to change network passwords every 60 days, use the same wording for an IT security-related key control. Cross-reference every key control with a relevant section in your policy manual; this demonstrates that you have embedded key controls in day-to-day operations.
Routinely perform internal reviews and correct control failures immediately. This provides two benefits: (1) Continuous remediation eliminates emergency efforts at year-end because of deficiencies; and (2) ongoing effort indicates the organization's commitment to a strong control environment.
A recent Business Roundtable survey reports that large firms spend an average of $1 million to $5 million annually on SOX compliance. The effort to streamline SOX compliance will reap multiple benefits: lower costs, improved business processes and, hopefully, satisfied auditors.
Eric J. Brown is vice president and CIO of NCI Building Systems. William A. Yarberry Jr., CPA, is a consultant specializing in Sarbanes-Oxley compliance for IT.
This was first published in May 2006