SOX Compliance and ITSM
While ITSM was not conceived with SOX in mind, it does define the consistent, repeatable, auditable and verifiable practices needed to access and track the data vital for compliance, said Ken Hamilton, president of Manage One, an ITSM consultancy.
"ITSM gives you a governance framework that essentially allows you to have more control over the validity, integrity, timeliness and availability of your data," he said.
By pursuing compliance with SOX based on ITSM, which is itself based on the best practices defined in the IT Infrastructure Library (ITIL), CIOs can ensure the financial data the CEO and CFO are now required to sign off on is auditable. This will become extremely important as of June 15, 2004, when most companies will have to have audit trails in place for all material events that affect the bottom line.
This means everything from the number of laptops (and what's on them) to the amount of downtime a company experiences with its e-commerce servers will have to, one way or another, be accounted for, said Ed Agar, a principal at Prime Sourcing Advisors.
"When you think about internal controls, the simple way to think about them is they are policies and procedures which companies use to generate those numbers and disclosures in the financial statements," added Gary Moran, managing director of Bearing Point's (formerly KPMG) Manufacturing and Technology practice. "What companies need to do is accumulate a significant amount of documentation to go and say 'These are the controls we have in place'. Then they must prove to themselves and then to their external auditors, that those controls are designed and operating effectively."
It is this term, internal controls, that is repeated over and over again and is the crux of SOX compliance, said Dan Burton, vice president of Government Affairs for 3A vendor EnTrust. In his review of the legislation, Burton found the three main areas CIOs need to be concerned with are authentication, authorization and the audit trail.
"It's just recently that there's a recognition that you cannot really comply with SOX unless your internal controls, including your cyber security controls, are adequate," he said.
Five-Star All the Way
This is where ITSM really comes into play. By following an ITSM framework, CIOs have a well-used and trusted road map: not necessarily a map to SOX compliance, which is a side effect, but rather a map of the best routes others have taken to get to a similar place. It's like having an AAA Tour Book that lists nothing but five-star accommodations.
For example, if a company has three different instances of the same or similar ERP systems installed at three different locations at different times, they might all be configured differently even though the reports they generate are the same. Under SOX, how those reports are arrived at will have to be auditable, so if nothing is done, three separate audit trails will have to be established in order to prove the data is valid. What ITSM says to do is reconfigure all three systems using a common format. Then only one audit trail is necessary to trace all three systems' reports.
"There's a bunch of configuration decisions that get made in connection with an ERP package, which, at times in the past, not many people paid attention to, but now they need to pay more attention to it," said Bearing Point's Moran. "And to the extent you are doing a Sarbanes review, you need IT help to look at how systems were configured to make sure they were configured in the best way for control purposes. ITSM would provide the proper framework to enable that."
This goes for all manner of systems, applications, infrastructures, networks ... anywhere IT touches or influences the bottom line. SOX says these touch points will have to be accounted for, and ITSM is one methodology that can aid CIOs in reorganizing their IT infrastructure to better align it with business needs. This, after all, is the main goal of ITSM, not SOX compliance, said Manage One's Hamilton.
"IT and the business have to better integrate and ITSM and ITIL are intended to do that," he said.