There's plenty of available advice on how to bring an organization into Sarbanes-Oxley compliance, including the prickly Section 404 that deals with information security. Though that portion of the omnibus law is short in wording, it's big on impact -- both for the company and the IT department -- since it demands a level of documentation that typically hasn't been in place before. IT security processes will come under sharper scrutiny by auditors who don't want to be caught letting a violation slip by, either.
Marc Masnik, senior IT manager for business software maker TIBCO, has some kernels of wisdom to impart on those public companies filing SEC reports after the Nov. 15 deadline. He speaks not just as a consultant for TIBCO clients facing SOX compliance, but as someone whose own company must meet the same stringent requirements just days after the deadline.
1. Start early. TIBCO began the process a full year ago, and still underestimated the amount of time, money and manpower it would take to ensure data controls were in place. Those behind on coming into compliance should anticipate dropping other projects in the short term. "If it's already too late, then anticipate more intrusive impact on ongoing projects than you thought," Masnik advises. "Expect people who didn't anticipate being involved on the IT team to be involved, particularly those people in operations and networking."
2. Anticipate bringing in well-qualified outside resources to mirror what an auditor will do during the audit process. "Do not assume that you can be your own check and balance," he said. Hire someone familiar with the audit process to double-check your work. Auditors for SEC filings cannot do that since they're forbidden from scrutinizing their own work product.
3. Make sure the executive team and senior IT management team promote SOX mandates as a positive movement towards better processes for the organization. "If not positioned properly within the IT organization, it will be fought hand, tooth and nail," warns Masnik. Instead, emphasize that, yes, this is going require a lot of hard work, but in the long run it will make the company and IT department better.
4. Understand there's room for compromise with an audit partner. Don't assume that just because the auditor says you have to document every single thing in the organization that you can't push back occasionally. "They are going to treat this in the most conservative vein; you need to treat this in the most realistic vein."