How to Learn to Love Sarbanes-Oxley

Embracing new Sarbanes-Oxley requirements can provide benefits to your security program and your business.

Like most of you, I approached Sarbanes-Oxley compliance last year with a certain trepidation. Within many companies, there's always resistance to change and fear of the unknown, and SOX fits those bills. Even in my own department, employees were a little apprehensive of what they perceived would be extra paperwork, more time required for approval, just more time to do everything. Outside the company, we worried about the auditors. Not because we worried we'd done something wrong; we simply didn't know what they were looking for.

Despite our concerns, we survived year one of SOX compliance relatively unscathed. And here's the best news: Contrary to popular opinion—that the addition of controls will inevitably slow you down—I see a strong correlation between efficiency and good controls. That's right, for all the fretting over regulation, SOX compliance could be a good thing for information security.

Anyway, now it's year two, and we're applying what we've learned from the first go-round to make this year less stressful and more productive. Here's what we've learned.

1 Refine your documentation.

The biggest lesson we learned from year one was that documenting controls that are not crucial leads to an unnecessarily arduous audit process. To paraphrase a line from the movie Field of Dreams, If you document it, they will audit it. Don't try to impress the auditors with how many controls you have. They don't want to see that. They want to focus in depth on critical controls rather than in breadth on every single control. Don't get academic and try to match up point-for-point with one of the IT Control Reference frameworks. You'll kill yourself trying to document all those controls, and the auditors will be forced to consider all those controls as key to your business (and audit all of them).

Let's be clear: I'm not saying you should arbitrarily reduce the number of controls—that's not smart. And I'm not saying to discount those control frameworks. A lot of experience went into their development, and if you ignore the critical parts of those frameworks, the auditors will know. All I'm saying is to focus your documentation on the controls that are critical to your business, and then the auditors will follow your lead and zero in on what's important.

Figuring out which controls are key, I admit, is a learning process. We went to independent third-party auditors for advice. I also happen to be an auditor, so I understand control environments. That helped. Tap people with experience from inside and outside your organization to determine the key controls.

2 Centralization is simplification.

A smart thing we did was to centralize security administration. Say you have six business systems in six places, and a control on each of those business systems is user ID and password administration. If you haven't centralized security administration, then that's six different controls for the auditors to check. Centralize administration, document the control once, and it applies everywhere, as long as it's processed in a single way by a single set of people (we found that this was especially important to the auditors). Suddenly, you've made your audit less painful and you've drastically reduced your total number of controls, thereby creating business efficiency. In year two, we'll extend this by simply applying centralized administration to any new business systems that enter our scope.

3 To deal with acquisitions, bring down the hammer.

Audits take a snapshot, but your business is a motion picture. It continues to change even after the auditors give you the thumbs up. So just when you thought you had everything in place, you realize that the scope of compliance has changed. Like many companies, we have grown by acquisition during the past year. And in our case the acquired companies had been privately held in the past. They had no previous experience with SOX. To deal with this, our approach is to extend our SOX model to the acquired company.

Be firm and consistent, and it will work. They've got very little reason to dislike it and we've got plenty of reasons to do it, number one being keeping our controls centralized and streamlined so audits go more smoothly. For example, one company had a business system that supported complex passwords—one of our controls—but in their system it wasn't turned on. We persisted in having it turned on, and in the end we have a better overall control because of it.

4 Tie SOX success to paychecks.

We use a performance planning and management process here, wherein we set performance objectives for each employee and meet throughout the year to check progress on them. How employees are doing can contribute to their paychecks. So it was relatively easy for me to include SOX-related activities in performance objectives. For example, I have an analyst in my department, and one of her duties is to perform certain periodic SOX analyses as documented in our IT general controls. Now those duties are part of her performance plan. So if those analyses don't happen, or they're late, incomplete or inaccurate, she knows it's part of her job evaluation throughout the year.

By doing this, you not only keep your staff compliance-motivated but you'll avoid questions from the auditors, who would frown upon late or incomplete documentation. The first thing they'd say is, You committed to semiannual analysis, but we see no evidence to support that you did that.

5 Keep in touch with auditors and peers.

Yes, we're starting year two of SOX compliance, but in a way the process is ongoing. We've tried to keep the relationship with the auditors going. If they're in town, we'll go to lunch and tell them about our progress. We ask them what they're seeing out in the field and what are the trends to be aware of. I also like to pick the brains of other people. I'll ask peers about their experiences. It doesn't take long to do and you can learn really useful things by just asking.

6 Accept and absorb the up-front costs.

Looking at it now, I think the cost of SOX compliance is front-loaded. A huge amount had to happen in year one, and it required a significant investment. But the opinion here, especially within risk management, audit and security, is that if we discount any dollars spent, we really believe SOX has improved the way we handle important issues like change control, security and operations.

But what about the expense, right? Even if it improved the company, was it worth it? I think that over time we'll find it was well worth it. Some companies are trying to spend less up front, just making sure they're compliant; they try to spread the expense out over time. Others are willing to make the required commitments sooner rather than later. We were the latter. We really wanted to be outstanding, so we made the investment in year one. And I think, going into year two, the cost curve will be dramatically different for managing IT controls.

7 Enjoy the efficiencies you create.

In fact, I believe the efficiencies SOX helps us create will easily justify the cost we've put into SOX compliance. I see a strong correlation between efficiencies and SOX. It's helping us run lean. It's forcing us to review our processes and take out the waste. So, will we be SOX compliant? Yes, we believe so. We'll also be far more efficient and effective, and, while technically that's an ancillary benefit to SOX compliance, it's the kind of benefit that I want to put front and center with our management.


Copyright © 2005 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.