April 15, 2004 (Computerworld) -- Finding the Sarbanes-Oxley Act as difficult to swallow as bad-tasting medicine, many companies question the need for it. They might better question why it took an act of Congress to get companies to list and track the performance of their material risks and associated control procedures, activities that are fundamental to running a good business.
Sarbanes-Oxley raises even bigger questions: Is your company really organized when it comes to managing overall governance, risk and compliance (GRC)? Doesn't compliance encompass more than accounting controls? (Enron wasn't an accounting problem; it was a business and ethics problem. Accounting was just the means to perpetrate the crime.) And once a company is organized to manage GRC, how does it leverage technology that enables truly effective and efficient GRC management?
Seize the Opportunity
Is Sarbanes-Oxley all bad? Not when it makes compliance management visible at the highest organizational levels. The COSO framework, the underpinning of Sarbanes-Oxley's internal control requirements, isn't a vast conspiracy to enrich accounting firms. Many, if not most, risk-related processes in a company may be poorly run for the simple reason that they have been viewed as a burden and not a driver of revenue. As a result, most compliance activities have been seen as bothersome necessities rather than as strategic imperatives. COSO provides the guidelines to enhance compliance processes.
Rather than railing about compliance and regulatory requirements, companies should use this time to define a GRC strategy. Companies that execute this strategy as rapidly as possible can increase competitive advantage, whereas companies mired in risk avoidance will be left far behind.
Compliance is friction in your organization, and the friction has gotten bad -- more regulations, more scrutiny and enforcement, and more time spent by your employees doing what for most is an adjunct to their primary job of attracting and retaining customers. But companies with well-run compliance processes (with applied resources and executive commitment) enjoy share-price premiums, competitive advantage, improved morale and reduced risk of being tomorrow's corporate scandal headline. How do successful companies transform GRC management into a real driver of business performance? They leverage the substantial effort and cost tied to Sarbanes-Oxley for all compliance issues.
Richard Steinberg, the founder of Steinberg Governance Advisors Inc., was one of the principal PricewaterhouseCoopers authors of the COSO Internal Control -- Integrated Framework and is an internationally recognized expert on corporate governance, internal control and enterprise risk management. According to Steinberg, "Some of the companies I'm working with are not seeking merely to comply with the Sarbanes-Oxley requirements and viewing them as an entirely unwelcome burden, but rather are using it to put a stake in the ground to transform the way they run their businesses. They're looking to achieve better visibility into their governance, risk and compliance nervous system, and gaining the advantage of better identifying and managing their key business risks. These are organizations that I believe enhance the likelihood of their thriving in the coming decade."
How, then, does one use technology to facilitate this strategic approach to GRC management? Silos of technology purchased and implemented as part of yet another compliance fire brigade only make the problem worse. By approaching GRC from the point of view put forth by COSO and the regulators, a simple road map emerges for a long-term strategic approach to solving this problem. The road map suggests defining a technology strategy that will address these numerous and functionally disparate processes with consistency. It will also facilitate addressing short-term priorities like Sarbanes-Oxley, but within a framework that can be leveraged.
Step 1
The COSO Internal Control -- Integrated Framework established a broad definition of internal control extending to all objectives of an organization. Review the framework's introduction, and especially the introduction to the new COSO version that defines enterprise risk management principles. COSO is recognized by the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board for corporate use in meeting Sarbanes-Oxley reporting requirements.
Step 2
Become familiar with the U.S. Sentencing Commission's "Seven Elements of an Effective Compliance Process," an important standard that provides an effective operational approach to running compliance. The seven elements cover the following:
Policies and procedures
Oversight
Delegation
Communication
Auditing and monitoring
Enforcement
Continuous process improvement
Developed by the federal government and adopted by the Sentencing Commission for determining potential sentences and fines, the seven elements are an excellent tool for measuring compliance management initiatives.
Step 3
Develop a comprehensive technology approach to managing GRC as a portfolio of processes, not a single, isolated process. With Steps 1 and 2 behind you, a strategic approach that's consistent with these principles can be defined so that everyone, from IT staff to the business owners of the various compliance-related problems, is on the same page. The benefit to your organization of the first three steps will be a consistent approach to moving beyond Sarbanes-Oxley to other compliance issues, allowing the substantial effort and cost to be leveraged effectively.
Step 4
Once the technology strategy has been determined, specific processes, including Sarbanes-Oxley, can be defined, automated and measured in a consistent way. Start with one regulatory-driven group of processes (Sarbanes-Oxley is a good starting point) and gradually move to others as you build the portfolio. As Steinberg notes, "Management teams that leverage their efforts to comply with the internal control requirements of Sarbanes-Oxley and begin building a broad-based enterprise risk management process are significantly better positioned to achieve their company's fundamental profit and return objectives."
Rest in Peace (and Prosperity)
Instead of seeing Sarbanes-Oxley as bad medicine, focus on the underlying problem in a positive way. The results will be confidence that the risks you have chosen to take are defined, that resources are allocated according to these business decisions and that exceptions to your risk tolerance have been detected and corrected. You will not only provide clarity to the capital markets and other outside constituents like regulators; you will also sleep at night knowing your company is well run.
Steven Lindseth is chairman of Axentis Inc. in Warrensville Heights, Ohio, a provider of managed service software to address specific compliance problems as well as enterprisewide GRC initiatives.