By Tim Cole (© 2005)
As if viruses, worms, spam and malware weren’t enough, IT professionals today have even mightier adversaries: auditors and accountants.
They may not be as malicious as hackers or spammers, but they can be almost as bothersome. In fact, hardly a day passes now in most corporations without controllers asking for details on any number of internal or external transactions, or who did what and when with which computer system.
Welcome to the new world of corporate IT governance. With stock markets still reeling from the fallout from Enron, Worldcom, Parmalat et al., headlines are screaming for blood on boardroom floors, and reviewers are turning the spotlight on just about every business process. IT is right up there at the head of the list.
Of course, the auditors aren’t on their own. C-level executives are doing the pushing, themselves under pressure from owners and investors, not to mention regulators and legislators. A spate of new rules and laws is on the way or already on the books, including the dreaded “s-word”: Sarbanes-Oxley.
Named after its initiators, Senator Paul Sarbanes and Representative Michael Oxley, “SOX”, as it is often called, was passed by the U.S. Congress in 2002 and became law of the land on November 15th, 2004. It is considered to be the most serious change in U.S. corporate regulation since the Securities Exchange Act of 1934. Aimed at re-establishing the trust of investors, it has in fact made “compliance” the corporate phrase of the year in 2005. “In the financial industry, but in others as well, not a single IT investment decision will be made in the next 12 to 18 months that isn’t directly or indirectly impacted by regulatory concerns”, the IT department head of one of Europe’s largest insurance companies recently said (also adding: “but please don’t quote me…”).
SOX is just one of a raft of rules newly laid down by governments and legislatures around the world. In Europe, the most fundamental are the so-called “Basel II” accords aimed at reducing the risk to banking organizations burdened with billions in bad corporate debts. In effect, they force companies seeking credit to create completely transparent business processes, a kind of glass house full of managers furiously busy covering their respective posteriors.
And for the first time, IT has been at the epicenter of events. After all, hardly a business process today does not involve sending data over the Internet or sharing information with someone outside the company, be it a supplier, a partner, a consultant or a customer. Keeping track of whodunit and when (and more especially: why?) may very well be the biggest challenge facing IT planners and system administrators since the invention of computers. As it turns out, most of the time no one really has a clue.
For one thing, the number of applications and individual users accessing them is growing by leaps and bounds. Gartner Group estimated that the average white-collar worker at a major corporation will log into between 50 and 70 different systems at one time or another. And while log files may determine that the correct user name and password were indeed entered, that doesn’t prove who typed them in. “Passwords are inherently unsafe”, none other than Bill Gates announced to an astonished audience at a technology show in Copenhagen last year. His company, Microsoft, is currently doing away with password systems altogether, replacing them with smart cards to protect both physical and digital tools and assets within the company buildings as well as within its networks.
Time was when IT managers dealt with security issues as a way to keep the boss off their backs. Now, with a myriad of new laws on the books, establishing security and compliance policies—and enforcing them—is how IT managers keep their bosses out of jail. Sarbanes-Oxley and its equivalents in other countries almost uniformly provide for stiff penalties, the most brow-raising of which are the criminal sentences that could be handed down. A corporate executive in the U.S. could face up to 20 years in prison for “knowingly” altering or destroying computer data in an effort to influence or impede any federal investigation or bankruptcy.
Already IT investment patterns are shifting to cope with the new rule of law. Since it requires meticulous documentation of accounting and other processes, compliance produces terabytes of electronic data, or what would have been mountains of paperwork in another era. The net effect, says David Goulden, a senior executive at EMC, an industry leader in mass storage, is to double the number of copies that are kept of every document, and to double the length of time for which they are kept. Suddenly, an average firm’s storage needs will more than double annually.
While the cost of compliance may not rise to the monetary damage caused by virus attacks and spam, it does shape up to a substantial financial burden, as well as a serious stability test for IT infrastructure. But there are unexpected benefits, too. Largely as a by-product of their regulatory compliance efforts, companies are dramatically improving the reliability of their financial forecasting. According to the Hackett Group, a business advisory firm, more than two thirds of all companies are now confident with their financial forecasting and reporting outputs. Only 9 percent of average companies made the same claim just a year ago.
If the trend continues, the net result of the new push towards corporate IT governance may be an end to the long-standing rivalries between IT and finance professionals. Instead of bickering they may actually be reaching out to each other for help—and delivering some remarkable results. The truth is: financial professionals and IT professionals are more codependent than ever. And that may turn out to be a good thing for business.