Marc Masnik jokes that he sometimes feels he's got Sarbanes-Oxley tattooed all over his body because the law touches everything he does these days. But a bull's eye might be a better image.
Masnik's company, TIBCO Software of Palo Alto, Calif., is among the first wave of publicly traded companies to file an annual report to the Securities and Exchange Commission after the Sarbanes-Oxley Act (SOX) kicks in Nov. 15. The senior IT manager says he's ready to prove on paper that TIBCO's internal data controls work. He's also fully aware failing to do so could land his CEO and CFO in prison.
Time is nigh for corporations to comply with one of the most influential pieces of legislation this decade. Born out of the Enron scandal, SOX is changing the way even private and non-profit companies do business and how leaders view information security. More attention is being paid to risk analyses and investments are being made in security infrastructure. Communication also is improving between top executives and IT managers. The board room is starting to "get it."
SOX is primarily about new corporate governance rules for public companies, including SEC registrants and foreign-based companies trading on U.S. stock exchanges. Broad in scope, there's one small section that seems to have caused the biggest headaches, and it's the one that deals with information security. Section 404 mandates controls be placed on corporate data and that auditors sign off on those protections.
For many companies, 404 boils down to a different way of doing business -- one far more expensive. Those who remember the Y2K compliance craze see similarities with SOX, forcing enterprises to take a close look at their computing systems -- but at a cost.
"People are identifying weaknesses in their controls and their processes as part of writing these reports," says Arlie Nogay, an attorney with the nationwide law firm ReedSmith, whose clients have spent up to millions of dollars to date on SOX compliance. "It is having its intended effect. People are finding problems in their systems. An unintended effect has been the massive amounts of time and money it's costing to do these reports correctly."
Keeping track of changes
TIBCO caught a break by using its own software to create toolkits for the technology-based 404 components. But the company, with roughly 1,700 employees worldwide that likes to operate "lean and mean," ended up devoting a full-time consultant and two IT team members specifically to guiding the project. Another five IT members from a staff of 50 worked up to 25% of their time on compliance issues -- for the last full year.
It didn't help that in the middle of meeting mandates, the company acquired a U.K. firm with 16 subsidiaries. But probably most difficult has been dealing with inteR7x7nn7 rnal auditors that don't want to get caught with their pants down.
"It was very difficult primarily because the audit firms to date are as new to this as we are," Masnik explains. "That means there's a delicate balancing act between your audit firm and your IT compliance team to really understand what is and isn't necessary for Sarbanes Oxley compliance."
Though the company already had sound security practices in place, the IT staff wasn't used to the level of change control mandated by SOX. "We now sign off on every single firewall change at TIBCO. That just plain ol' didn't happen before," Masnik says. "I would be shocked if that happened in any organization except for those with security clearance."
Larger companies will file their SOX-compliant annual reports first. About 40% of corporations end their year Dec. 31. The SEC has extended the deadline to this summer for public companies with a $75 million market cap and foreign-based firms trading on U.S. stock exchanges. For many of these companies, top executives must take a more active role in operational issues under SOX since violations fall squarely on their shoulders (and shackles).
"If I'm a CEO or CFO, I now need to rely on an area that I never really thought about in the past -- the back office operations; the IT staff," explains Paul Reymann, a former federal regulator who is now CEO of IT consultancy Reymann Group Inc.
That could strain work relationships for employees normally not closely supervised. But it also could be welcomed by IT departments considered long ignored. In either situation, it's important that IT managers keep company executives and directors fully informed of SOX compliance issues, speaking in "plain language" everyone understands, experts say.
These same experts are at odds over just how many companies are ready for SOX. Some consultants report clients on target and on pace; while others say many companies are woefully behind. Enterprises considering going public are trying to meet mandates, too. Meanwhile, private companies are voluntarily incorporating SOX rules and guidelines to stay competitive with rivals now able to prove they've safer computing systems.
Steep learning curves abound
A majority of SOX auditors will base a company's internal controls on the COSO, COBIT and ISO 17799 frameworks. They'll scrutinize documents that demonstrate how the IT staff assesses risk, develops policy, monitors and manages change controls and handles incidents.
Since SOX was made law in 2002, security vendors have touted their wares as a means of making companies compliant, providing tools and frameworks to assist in flagging violations and tightening controls. Not surprisingly, many security companies saw a spike in interest this summer from customers falling under SOX.
"The companies have spoken to their auditors and there's now a keen understanding of the level of review that'll be done," says Gretchen Hellman, senior manager of product marketing for security management provider ArcSight of Cupertino, Calif., which provides a framework for SOX compliance.
Another security provider, Mountain View, Calif.-based Reconnex, provides technology to track down information leaks on corporate networks. Its staff has been startled at how much confidential data still slips out in e-mail attachments and instant messages, many by poorly trained users unaware they are in violation of federal law.
"I think a lot of companies on the steep slope of the learning curve. They're still on the baseline, still assessing the risks and what the core needs are and getting their arms around what the organization needs," explains Daniel Smith, director of customer support for Reconnex.
That doesn't surprise Masnik. "We're finding people assessing their needs for outside support based on the most simplistic model: 'Oh, I'll just provide documentation for the processes I have in place.' What they don't realize is that throughout that year things change and those changes will add complexity to the situation."
In the end, a primary goal of SOX will be more secured networks, since corporations will have to walk the walk and not just talk the talk.
Reymann says regulators are likely to show leniency toward first-time offenders, provided there's proof the companies tried to build a solid security infrastructure. "Every company has a different risk profile and a need for different solutions," he says. Eventually, though, offenders will appear in the press and companies will receive another wake-up call. Not just the C-level suite and board room directors, but their IT departments.
"So many people talk about Sarbanes Oxley and its corporate governance mandates but miss that it's really about IT. Without IT, you can't have good internal controls," says Reymann.