Mentor's Corner
Toolkit for Consultants: SOX Summary
By C. Thomas Tyler, Chief Technology Officer of The Go To Group, Inc.
Today's article is a summary of a particular piece of legislation that affects many IT organizations, and creates opportunities for some consultants. At the very least, awareness of it might help you project the image of a savvy consultant, all up-to-speed on issues that may affect your clients' business. And, depending on what industry you or your clients are in, this legislation may have a more direct impact on you.
How SOX Got Started
The legislation I speak (write) of is the Sarbanes-Oxley Act of 2002. Remember Enron, Tyco, and other corporate scandals that rocked the American financial scene, not long after 9/11? A few nasty people, for which the technical term is schmuckazoids, attempted to defraud investors with the use of creative accounting techniques. The government's response was the Sarbanes-Oxley Act, often referred to as "SOX".
SOX is aimed at improving public confidence in the American stock market system. The Act promotes a higher degree of transparency in the processes that produce financial reports for public companies, and sets up a policing mechanism to ensure those standards are adhered to.
SOX and the IT Industry
The relevant news for ICCA is Section 404 of the Act, titled "Management Assessment Of Internal Controls." Section 404 effectively expands the scope of financial report auditing to include IT systems and processes that produce financial reports. The Act requires that top management of public companies attest to the effectiveness of those systems and processes which produce financial reports. The systems and processes are collectively referred to as "internal controls".
To determine the effectiveness of internal controls, financial reporting auditors are more technically savvy about the management and operation of IT systems than ever before. They ask tough questions, like:
- What is your change management workflow?
- How can changes made to your financial reporting software be audited?
- What Software Configuration Management systems are in place, and are they used for all systems that significantly affect financial reports?
- What access controls are in place to prevent unauthorized personnel from modifying financial reporting systems?
For those in the software development world who have been involved in efforts to improve the software development process, these are familiar questions. SOX simply forces public companies to answer them, at least for systems contributing significantly to public financial reporting.
One wonders if it occurred to the authors of the legislation that, to many in the IT industry, "404" has come to mean "not quite with it" or "something's missing upstairs", as in "He is so 404 before he's had his first coffee." This is of course because 404 is a commonly seen error from web servers, returned when you try to view a page that's not there.
SOX Compliance and Consulting Opportunities
If your clients include public companies, you need to know that following established best practices for development and maintenance of certain software systems, those that can significantly impact financial reporting, is required by law. Audits of financial reports go far broader and deeper than just reviewing the reports themselves. They go into the heart of IT systems that produce those reports.
If you happen to be consulting on or delivering such systems, knowledge of regulatory compliance is of obvious value. You may find yourself asked to support a compliance-related project, if you're the subject matter expert for any such systems.
SOX knowledge is particularly helpful to consultants in fields that are somehow related to IT best practices. This is because the drive to comply with SOX can actually drive customers to you, if you can market to that need. This includes diverse fields like:
- IT Security (to accommodate Access Control requirements of SOX)
- Configuration Management and Change Management
- Software Development Life Cycle Workflow Automation
- Quality Management
If you provide consulting services in any of these areas, it is worth taking some time to figure out how SOX-awareness might help you market your consulting business.
Surviving the Audit
So what is a SOX audit like? How do auditors determine what's effective and what's not? They love to hear about name-brand process maturity models, like CMMI, Digital Six Sigma, and the like. Best practices have evolved and matured in the software world for decades. Established disciplines such as configuration management evolved to help answer the kind of questions auditors love to ask, like:
- "Who changed what?"
- "When did they do it?"
- "Who approved the change?", and
- "Why?"
You can't get away with answering those questions just once during a SOX audit. You have to show how the systems you have in place can answer questions like that at any time. Auditors favor solutions involving automation.
The PCAOB
The auditing efforts of public auditing firms are now coordinated by the Public Company Accounting Oversight Board, or PCAOB (http://www.pcaob.org). The PCAOB was chartered by the law to establish and adopt standards for auditing internal controls of public companies. The Board makes a level playing field, making sure companies are audited against a common set of standards.
Thou Shalt Follow IT Best Practices
What are the auditors looking for? They're looking to make sure that systems used to produce financial reports follow industry best practices. The law doesn't explicitly define what those best practices are. In practical terms, auditors rely on standards already established within the IT industry for measuring the maturity of various processes. For example, if your organization has been "climbing the SEI scale," or working toward ISO 9001 certification, you'll be able to answer some of the auditors' initial questions quickly. Auditors consider a wide range of factors, such as the ability of your process to provide basic quality assurance, and the ability of your systems to assure that only authorized personnel have access, to name a few things.
Take Configuration Management (CM) as an example. Within the software development world, CM is considered the foundation of any organized software development process. If you are attempting to achieve any measure of quality for a software development process, CM infrastructure must be in place, just as surely as the computer network. For example, to climb only to Maturity Level 2 on the Software Engineering Institute's capability level scale, CM is one of the key process areas for which a solution must be implemented. When auditors are seeking to determine the effectiveness of internal controls, their job, and your audit, will go a lot easier if you can show that you have the basics, such as CM, under control.
Conclusion
Hopefully this little introduction to SOX was at least entertaining, perhaps even helpful! Or, if not SOX, there may be other regulatory issues in your industry, the awareness of which can only help convey the image of an in-tune consultant. It behooves you to pay attention to such things.
C. Thomas Tyler is the Chief Technology Officer of The Go To Group, Inc. and the Former President of the ICCA Greater Boston Chapter.
He can be reached at Tom.Tyler@Go2Group.com, or you may view his website at www.Go2Group.com.