What Your Employees Don't Know Can Hurt You

By Chris Williams

Deadlines for complying with the Sarbanes-Oxley Act of 2002 (commonly known as Sarbox) and for the associated company audits are approaching. Many companies, however, are not fully prepared for these audits. What they may not realize is that, without proper guidance, their employees could unwittingly violate Sarbox requirements and put their companies in jeopardy.
Most IT organizations affected by this legislation are focused on achieving and maintaining compliance with the general IT controls specified in Section 404. This involves far more than establishing rigid controls over various processes and over access to information. It also requires merging people, processes and technology into a unified, enterprise-wide compliance effort.
From a people perspective, compliance requires the philosophical adoption of the Sarbox legislation across the enterprise. This means instilling a sense of ownership in every individual who has access to records that affect the company's ability to attest to and validate that the data it provides is accurate, whether or not that individual's access has been deemed significant.
Good intentions are not enough
Each individual in the IT organization who has access to information must understand that everything he or she does can affect the company's ability to comply. In many cases, violations result from good intentions: in misguided attempts to do the right thing for the company, people do not always follow the documented processes. Here is an example that illustrates the point. A manager is under a deadline to report information to the chief executive officer. This manager is not authorized to access the needed information, however, and asks a colleague in IT to grant access privileges. Based on a high degree of personal trust in this manager, the IT person enables access, but just for the day. The manager's problem is solved, but a greater problem for the company may have just been created. The IT person has violated process rules by going around the standard identity management protocols, possibly compromising Sarbox compliance and exposing the company to the risk of severe penalties.
There are numerous obstacles to the philosophical adoption of Sarbox. One obstacle is a general lack of understanding of Sarbox requirements by employees. Employees may believe they fully understand the rules of compliance when in fact they do not. They may believe that Sarbox does not affect their jobs, or that it is not within their scope of responsibility, and so fail to see how their jobs can influence compliance.
Some important questions to ask employees
As a result of this lack of knowledge and these misconceptions, there may not be complete buy-in to Sarbox requirements at all levels of the company. This is especially true at lower levels. Yet even at lower levels there are certain degrees of accountability, ownership, and responsibility that must be adopted. A simple test to gauge employees' familiarity with Sarbox and awareness of their roles in compliance is to ask five questions:

  • Have you read Sarbox?
  • Have you participated in company-sponsored education programs that define what Sarbox means to your organization and its reporting?
  • Do you know which parts of your procedures are related to Sarbox?
  • Do you follow the procedures?
  • Do you understand the impact if you don't follow the procedures?

It is important that employees not only adopt Sarbox philosophically, but also understand its nuances. They need to understand how Sarbox applies in their respective environments and in relation to normal performance of their duties. Employees should fully understand the potential ramifications their actions will have upon Sarbox compliance.
Every individual who has access to specific information or systems must operate within the boundaries of both legitimacy and appropriateness. Yet most people are unaware of the difference between legitimacy and appropriateness with respect to Sarbox. To illustrate the difference, consider two users of a UNIX system that maintains financial records: a UNIX system administrator and an end user from the finance department. Both have legitimate rights to access financial records on the system. The UNIX administrator has legitimate rights to access all elements of the system, including the financial records. The financial user has legitimate rights to access certain financial records on the UNIX system. When it comes to appropriateness, however, there is a difference. It is inappropriate for the UNIX administrator to alter the financial records, whether the alteration is intentional or completely innocent, despite the fact that the administrator has the technical ability to do so. On the other hand, it is fully appropriate for the financial user to alter the financial records.

Ignorance is not an excuse
Sarbox is the law, and ignorance of the compliance requirements isn't an excuse. However, if people do not know what Sarbox is, they cannot comply with its requirements. Education is key to corporate compliance. Educating people on what Sarbox addresses and how the company is going to embrace it is fundamental and should be extended to all employees who access data. Companies should educate employees on their roles in maintaining compliance. Education is particularly important for employees in the IT organization.
The company needs to initiate a continuing program to impart knowledge and increase awareness of Sarbox across the enterprise. Such a program has two essential parts: the big-picture aspects and the job-related functions.

Communicate the big picture:

  • Ensure that employees understand the big picture. Like all projects and initiatives, the initial phase of the education program should provide basic information to all involved parties.
  • Demonstrate senior-level support. Corporate-wide ownership is essential, even though the senior management team is ultimately culpable and must attest that compliance is being achieved by adding their signatures to the annual report.
  • Effectively communicate the importance of the processes. As with all issues in modern computing, the definition of process is essential to satisfying the control objectives needed to become Sarbox compliant. The organization must create and document processes, whether or not automation is involved. The organization must then provide education that articulates the processes, their constraints, and the ramifications of not following those processes.

Communicate job-related information:

  • Ensure that employees understand the details of how these laws affect their jobs and work activities. Conduct training sessions and provide communications to make them aware of the Sarbox requirements and what those requirements mean to them. Note that the creation and maintenance of automated services to execute processes may reside with a group of technical staff that involves only a small number of people.
  • Involve top-level management. Senior management should take an active role in the education and communication process to instill corporate-wide ownership of Sarbox, through written communications and the incorporation of Sarbox information into presentations, meetings and goals.
  • Publish results. Partial scores or promises to "do better next time" are not acceptable in the realm of Sarbox compliance: there is only compliance or non-compliance. Organizations should quickly make their audit results public.
  • Conduct a continuous campaign. Sarbox compliance is not a one-time cure, so it is critical to keep the Sarbox initiative alive in the minds of all affected employees.
  • Empower employees. Sarbanes-Oxley is the responsibility of everyone in the company. Consequently, it is important to empower all employees. Empowerment can come in many forms. For example, the organization can empower a security administrator in the IT organization to deny access to anyone, regardless of corporate position, if that access breaches a policy such as segregation of duties, excessive rights, mutual rights, or exclusivity rules.
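The legitimacy-versus-appropriateness distinction drawn earlier, the "just for the day" access grant in the manager example, and the segregation-of-duties checks an empowered security administrator would apply can all be expressed as simple, reviewable rules. The following Python sketch is an added illustration, not code from this article or from BMC Software: it evaluates an action against a role's technical rights and its expected duties, and then reviews access-grant log records for grants made outside the documented provisioning process. The roles, users, actions, the log format and every log line are constructed for the example.

```python
"""
Added illustration (not code from the article or from BMC Software): a
policy check that separates what an account technically can do
(legitimacy) from what its role should do (appropriateness), and a
review pass over access-grant log records that flags grants made
outside the documented provisioning process.  All roles, users,
actions, the log format and the log lines are hypothetical.
"""
import re
from dataclasses import dataclass

# Technical rights each hypothetical role holds on a UNIX financial system.
LEGITIMATE = {
    "unix_admin": {"read_financial", "write_financial", "grant_access", "manage_system"},
    "finance_user": {"read_financial", "write_financial"},
    "manager": set(),
}

# Actions each role is expected to perform in normal duties.  The admin
# can write financial records but should not, so "write_financial" is
# deliberately absent from the admin's appropriate set.
APPROPRIATE = {
    "unix_admin": {"read_financial", "grant_access", "manage_system"},
    "finance_user": {"read_financial", "write_financial"},
    "manager": set(),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(role: str, action: str) -> Decision:
    """Allow an action only when it is both legitimate and appropriate for the role."""
    if action not in LEGITIMATE.get(role, set()):
        return Decision(False, "not legitimate: role lacks the technical right")
    if action not in APPROPRIATE.get(role, set()):
        return Decision(False, "not appropriate: outside the role's duties, record for review")
    return Decision(True, "legitimate and appropriate")


# Hypothetical provisioning log format, one grant per line.
GRANT_RE = re.compile(
    r"^(?P<ts>\S+) grant user=(?P<user>\S+) role=(?P<role>\S+) "
    r"target=(?P<target>\S+) by=(?P<by>\S+) ticket=(?P<ticket>\S+) "
    r"expires=(?P<expires>\S+)$"
)


def review_grants(lines):
    """Return (line_number, finding) pairs for grants that deviate from process."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = GRANT_RE.match(line)
        if not m:
            findings.append((n, "unparseable grant record"))
            continue
        g = m.groupdict()
        # A grantee whose role has no legitimate right to the target:
        # the manager in the article's example.
        if "read_financial" not in LEGITIMATE.get(g["role"], set()):
            findings.append((n, "grantee's role has no legitimate right to financial records"))
        # No change/request ticket: the grant bypassed the provisioning process.
        if g["ticket"] == "-":
            findings.append((n, "grant without a request ticket (outside the provisioning process)"))
        # Expiry on the day of the grant: the 'just for the day' favour.
        if g["expires"] == g["ts"][:10]:
            findings.append((n, "same-day expiry suggests an ad-hoc temporary grant"))
        # Granting access to oneself conflicts with segregation of duties.
        if g["by"] == g["user"]:
            findings.append((n, "self-granted access violates segregation of duties"))
    return findings


# Constructed sample log lines (hypothetical users and identifiers).
SAMPLE_LOG = [
    "2005-03-01T09:12:03 grant user=jdoe role=finance_user target=fin_records "
    "by=itadm1 ticket=CHG-1042 expires=2005-06-30",
    "2005-03-01T17:44:19 grant user=mgr7 role=manager target=fin_records "
    "by=itadm1 ticket=- expires=2005-03-01",
    "2005-03-02T08:01:55 grant user=itadm2 role=unix_admin target=fin_records "
    "by=itadm2 ticket=CHG-1050 expires=2005-12-31",
]

if __name__ == "__main__":
    for role, action in [("unix_admin", "write_financial"), ("finance_user", "write_financial")]:
        print(role, action, evaluate(role, action))
    for n, finding in review_grants(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

Run stand-alone, the script denies the administrator's write as "not appropriate" while allowing the finance user's, and the log review flags the second record three times (no ticket, same-day expiry, grantee role without a legitimate right) and the third once (self-granted access). The point of keeping the two tables separate is the one the article makes: a technical right is never by itself evidence that an action was appropriate, so the appropriateness rule and the process-deviation checks are where the compliance signal lives.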

How Technology Can Help
Technology plays an indispensable role in helping companies to comply. The IT-focused control framework called Control Objectives for Information and Related Technology (COBIT) provides very specific IT governance guidelines. General IT controls span five critical IT process areas: application change management, data management and disaster recovery, operations and problem management, security administration, and asset management. Systems-based controls can address all of these areas.
Achieving and maintaining Sarbox compliance requires the successful orchestration of people, processes, and technology across the organization. The IT organization plays a pivotal role in this orchestration. Key to performing that role successfully is educating people about Sarbox, developing the right processes, and utilizing technology to support compliance.

About the Author:
Chris Williams is Marketing Manager, Identity Management Solutions at BMC Software. More information is available at www.bmc.com.


© 2005 Unisphere Media L.L.C.