SOX It to Them
- 05 June, 2006 09:00
- Comments
I've come up with a solution for solving world poverty: Every time a representative of an IT vendor uses Sarbanes-Oxley or SOX in relation to their product you make a $1 donation to Oxfam. Better yet, you could set up a SOX-free compliance unit in your office and then fine the vendors when they make irrelevant breaches. Given that most of the IT products or services currently available purport to help with SOX compliance, Oxfam coffers would soon be overflowing.
My gripe isn't with SOX per se, or the need for regulation, but I do object strongly with the way "compliance" is abused by salespeople. Why do they insist on wrapping foreign laws - which for all but the biggest Australian companies have no relevance - around their "offerings"? What relevance has SOX got for the Victorian government, or for that matter 95 percent of Australian businesses?
Compliance is hardly a recent phenomenon. Australia has long had jurisdictional recordkeeping requirements. Organizations have always had to retain corporate records for at least seven years. In fact, Brisbane-based Watchdog Compliance advises that there are currently over a staggering 1000 pieces of compliance legislation in Australia, most of which significantly pre-dates SOX.
Undaunted, it seems that a number of bright sparks in the marketing departments of many of the IT vendors have come to the enlightened observation that perhaps recordkeeping and IT systems could be one and the same. Jumping on the Sarbanes-Oxley bandwagon is the path to riches for their company. The problem with this is that only reinforces IT's (or in this case, IT vendors') reputation for over promising. SOX follows hot on the tails of office automation, open systems, client/server, Y2K and services-oriented architecture. Unfortunately, when the promise fails to materialize, usually after some significant corporate investment, the reputation of the IT industry, and those working in it, suffers in the eyes of the executive.
A good friend of mine has devised a short test that you can give any ICT vendor sales- or marketing-type who claims to address SOX with their product. My friend advises you ask these three key questions:
1.Can you tell me which clauses of the Sarbanes Oxley legislation will affect us?
2.Has your software actually been changed to assist with SOX compliance in any way and, if so, how?
3.Has your company actually changed the integrity of data collection as a result of SOX?
I suspect that in 95 percent of cases you will get a "no" to all of the above. If so you may wish to remind the salesperson about the Trade Practices Act, which has penalties of $500,000 personally, and $2 million corporately for misleading and deceptive practices. (And it's Australian, not US, legislation.) Regulators like ASIC, ACCC, and APRA enforce and require organizations to provide expensive corrective action if breaches occur. However these regulators seldom ask that an organization fix their computer systems. Instead they target the organizational culture and business environment.
And surely that is where CIOs should focus their energies in compliance activities. How are the appropriate compliance policies formulated? How are they communicated? How are they enforced? Where can IT assist with this work?
One thing is certain. In the current corporate climate, with the stock market at record highs, CIOs will not be short of compliance work to do.
Peter Hind is a freelance consultant and commentator with nearly 25 years experience in the IT industry. He is co-author of The IT Manager's Survival Guide and ran the InTEP IS executive gatherings in Australia for over 10 years
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Bookmark this page
- Share this article
- Got more on this story? Email CIO
- Follow CIO on twitter
-
Time to get Agile
-
QLD govt demands answers after pay glitch
-
Monash Uni reduces IT teams after consolidation project
-
iPad initiative for pupils in WA
-
All Systems Down
-
NAND Flash Solid State Storage for the Enterprise
NAND Flash-based solid state storage (SSS) solutions, as they exist today, offer unparalleled performance combined with a level of data integrity and availability for mission-critical data that matches and potentially exceeds storage solutions based on mechanical, magnetic drives. Long associated with consumer electronics, NAND Flash has become a viable storage medium for commercial and governmental information systems, often referred to collectively as enterprise applications. -
The eGuide to Data Movement and Governance: Helping Business Professionals Stay Up to Speed
You fail an audit. Or customer information is compromised. Or you are called on the carpet for failing to meet a critical customer SLA. At that point you realise just how important it is to your organisation and to your career. How do you prepare for that moment? More importantly, how do you prevent it from happening in the first place? It is absolutely critical that you understand the possible consequences of a failure to properly monitor, control, and protect the movement of data. Missed opportunities and lost revenue might be the least of your worries. In some cases, poor practices can lead to lawsuits, fines, and even the failure of the business itself. The purpose of this eGuide is to help you grasp the measures that can keep your organisation on track to meet objectives and in line with regulations. -
Miercom Report - Plug and Play Switches
Avaya engaged Miercom to evaluate the plug and play features and ease of configuration of the ERS 4548GT- PWR Edge Switch. The energy efficiency of the ERS was compared to similar switches and is discussed in this report as well. Read on.
Get exclusive access to Invitation only events CIO, reports & analysis. 
Comments
Post new comment