Sarbanes-Oxley mandates lead to IT certification push

Computerworld - CEOs and chief financial officers who are obligated by the Sarbanes-Oxley Act to stand behind the financial accounting controls used by their companies are increasingly asking operating units, including IT, to certify that they have put adequate safeguards in place.
"I'm hearing a lot of discussion about that," said Chris McLaughlin, global director of financial services marketing at FileNet Corp., a Costa Mesa, Calif.-based software vendor that sells document management tools for use in Sarbanes-Oxley compliance projects.
With CEOs and CFOs now being held accountable for the accuracy of the financial reporting at their companies, "they are looking for ways to distribute that responsibility downward through their organizations," McLaughlin said. That includes asking IT managers to certify the systems used to process financial data, he added.
Some companies are doing internal audits using certification standards such as SAS 70 to give their IT operations the equivalent of a Good Housekeeping Seal of Approval.
SAS 70—known formally as the Statement on Auditing Standards No. 70, Service Organizations—was developed by the New York-based American Institute of Certified Public Accountants.
In addition, some outsourcing vendors have started offering SAS 70 audits to their clients. That was an unexpected windfall for Energy Absorption Systems Inc. after the Chicago-based maker of highway crash barriers hired an application service provider (ASP) earlier this year to manage its finance applications.
"We see them as another group to help us improve on our internal controls," said Bob Latek, senior vice president and controller at Energy Absorption Systems.
Latek, who spoke at an IT conference for CFOs last month (see story), said that letting the ASP run the certification process should help his company cut its Sarbanes-Oxley compliance costs in half "and save us a lot of time, too."
Anthony Noble, director of IT audits at Viacom Inc., said that at the next meeting of the company's divisional CIOs in January, he plans to raise the issue of whether the New York-based parent company of MTV, CBS, Blockbuster Video and other entertainment businesses should conduct IT certifications.
Noble said he understands the potential usefulness of such certifications as a sort of "life insurance policy." But he added that he's skeptical about the way some big auditing firms are using SAS 70 as a sales tool to generate incremental business through Sarbanes-Oxley consulting deals.
Ed Trainor, senior vice president of information systems at Paramount Pictures Corp., a Hollywood-based Viacom unit, said IT certifications "are a commendable thing to do for a variety of reasons." However, they "require a considerable investment, and the benefit must be weighed against other needs and priorities for scarce resources," added Trainor, who is also president of the Chicago-based Society for Information Management.
The SAS 70 Type II report that companies can use to document the effectiveness of their internal IT controls will have to be updated to meet requirements specific to Sarbanes-Oxley, such as quantifying the extent of testing done on financial systems, said Lynn Edelson, a Los Angeles-based consultant at PricewaterhouseCoopers.

SAS 70 1 2 Next » Recommend Digg Twitter ShareThis Email Print Send Feedback Reprints Additional Resources POLL RESULTS Leading IT Pros Weigh In on Top IT Issues Accelerate your knowledge of the IT world you inhabit by viewing the results of a series of polls taken by your IT peers. These polls of 100+ IT professionals each are available for full viewing. They cover key topics such as virtualization, processor performance, green IT, cloud computing and many others. Be a part of the buzz. WHITE PAPER For Best Results, Think Beyond the Box Technology is complex. Keeping it running productively shouldn't be. To that end, you want to minimize the number of solutions needed in-house to simplify operations, maintenance, and support. Kodak offers a best-practices model. One company provides support for both scanner and software, for fast problem resolution without vendor finger-pointing. Download now! WHITE PAPER Accelerating the Path to Demand Intelligence with a Demand Signal Repository Utilizing demand intelligence improves the precision of pricing, product assortments, channel/store placement, and promotion, which are all essential for sustainable revenue management performance. Learn more, download this free whitepaper today. White Papers & Webcasts IT Modernization in Government As IT budgets are slashed, IT management pressures rise and legacy systems linger in government organizations, modernizing the IT infrastructure and applications has...   Strategic ECM Webinar Learn what new strategic business benefits can be realized through ECM!... 2009 Gartner Magic Quadrant Report Truly understand your options for WAN Optimization Controllers...   Managing And Protecting Your Ever Increasing Mobile Assets Learn best practices for desktop and application virtualization, computer security, and computer life-cycle management.... Tech Horizons: ASG's metaCMDB, The Technology That Rocks Improved business productivity often requires more efficient IT and more efficient IT cannot be achieved without a better understanding of the way business...   5 Architecture Issues that Impact BES performance This Live webinar will identify critical log file errors, performance counters, and configurations to pay close attention to when optimizing BES server performance.... The Vector Approach to Data Center Power Planning This white paper describes an approach that considers the major milestones and thresholds in data center power requirements-and how planners should adjust their...   Usability Is Everything Learn what sets Workday's HR and Payroll solutions apart from the competition.... Yankee Group Mobile WAN Optimization Report Mobile work continues to evolve. Learn how to keep up with the demands of your organization's mobile workforce....   The Value of Real SaaS at Workday Cost savings, speed to value, and innovation brought to the enterprise by Workday's software-as-a-service solutions for HR and Payroll.... All White Papers | All Webcasts Computerworld Reports An Interactive eBook: Enterprise Security The Business Case for Server Virtualization Computerworld Technology Briefing: Intelligent Users Use Business Intelligence All Computerworld Reports Sign up to receive updates on the latest Government resources   White Papers IT Modernization in Government Tech Horizons: ASG's metaCMDB, The Technology That Rocks Yankee Group Mobile WAN Optimization Report Sun GlassFish Portfolio - Deploy Web Applications with Open Source Protecting Content During Business Disruption: Are You Covered? Creating a Complete ECM Solution - DocuShare and Sharepoint Is your data center running out of power or cooling? Is your data center ready for virtualization? Should Your Email Live in the Cloud - A Comparative Cost Analysis Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce Costs 2009 Gartner Magic Quadrant Report The Vector Approach to Data Center Power Planning Mitigating Litigation Risk with Email Management Tools An SMB's Guide to ECM Software Selecting a Practical ECM Solution: Critical Considerations Beyond PCI Checklists: Securing Cardholder Data with Tripwire's Enhanced File Integrity Monitoring The necessary convergence of IT and Facilities What your IT equipment needs from a UPS Authentication as a Service by Forrester Research IDC White Paper: CCM for IT Compliance and Risk Management Sponsored Links HP StorageWorks products-control, consolidation and confidence. 64-page prescriptive guide to security, compliance, and IT operations. Looking to add Unix/Linux functionality to Windows? FREE guide to saving up to 95% on network hardware costs. Start saving today! Enhance your career with a Boston University online Master's in CIS Find IT jobs in the Healthcare industry on Dice.com Network Tools Made By Engineers for Engineers Live Webcast: Building a More Productive Organization  A User Perspective With the NEW KODAK i700 Series Scanners get full speed at 300dpi! ITwhitepapers.com - Access thousands of white papers on 300+ technical topics. Leverage Your Cisco infrastructure for Superior Application Performance Learn about the AMD Virtual Experience Introducing: Project Icebreaker Introducing the new HP ProLiant G6 server family Wait for the upturn, or get ready for it with Capgemini's Technovision study. Download it here. Instantly know your IT service state - anytime, anywhere @ AccelOps.net Try the best rules engine free! Decisions.FICO.com Learn How to Create a High Performance Workplace Thrill Dad this Fathers Day and save up to 66% plus 4 FREE Caramel Apple Tartlets from Omaha Steaks. ESET NOD32 with ThreatSense(R) - Get your free trial now! Join the conversation about the hottest IT trends with Computerworld on Twitter. Create business data you can believe in with data governance Not All QSAs Are Created Equal: What You Should Know Before You Buy The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability The AMD Virtual Experience Virtual Trade Show About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.