Sharing the Burden of Compliance

By Liz Roop

September 30, 2005: Sarbanes Oxley compliance means your third-party service providers must be compliant too.

Once upon a time, SOX-induced insomnia was an affliction unique to the public company CIO. Not anymore. Today, they are joined by their IT service providers who are finding themselves caught in the crosshairs of their clients’ compliance efforts.

“Everyone is looking at their relationships, especially if they outsource a business type process like payroll or claims processing,” said Ed Byers, a principal with Deloitte & Touche. “If you’re a CIO with an outsourcing service provider, you better be aware of the need to demonstrate internal controls.”

According to the SEC, in situations where management has outsourced certain functions to third-party service providers, it maintains a responsibility to assess the controls over the outsourced operations. That interpretation is echoed by the Public Company Accounting Oversight Board (PCAOB), which states the use of a service organization “does not reduce management’s responsibility to maintain effective internal control over financial reporting.”

Unfortunately, this does little to clear up the confusion surrounding which types of relationships are subject to control assessments. In some cases, such as with payroll or data processing, it’s obvious. Other relationships fall into a grey area, such as data centers, hosting services, software development, remote back-up services and hosted application service providers.

“It becomes an issue when a company outsources a specific area of general computer controls; for example, if they outsource software development. Typically, even in this case, the key controls still reside within the (contracting) company; for example, change control and other authorizations. However, if the key controls reside at your outsourcer, you will need to test those controls,” said Byers.

To Require or Not

From the client’s perspective, the ability to rely on third-party service providers to obtain independent assurances of controls was a welcome relief, according to Mary Makal, managing partner of Complyant Solutions, a SOX consulting and project management services firm, and creator of a software application designed to increase efficiencies associated with compliance efforts.

“It means they (the client company) don’t have to deal with certain aspects of compliance; for example the documentation and assessment of certain IT-related processes and controls, and can instead rely on their third-party service providers to obtain independent assurance of their controls,” she said.

Even so, client CIOs are not completely off the hook. They still must determine which, if any, of their service providers need to obtain those independent assurances, and whether they need to conduct their own audit or accept another certification such as the SAS 70 Type II or American Institute of Certified Public Accountants’ (AICPA) Trusted Services Principles & Criteria.

In many cases, companies are resolving that dilemma by simply requiring all their providers to obtain independent assurances, most often in the form of the SAS 70 Type II.

Makal said her general advice to CIOs is to request SAS 70s from all service providers then assess those that don’t have them to determine if it is a “make or break requirement.”

However, “all or nothing” isn’t the best approach in every case.

“If an outsourced IT process or service is significant to an IT shop and the provider does not have a SAS 70, or does not want to obtain one, then that may be a good reason to terminate the relationship,” said Makal. “However, it would be prudent to ask questions and do some further investigation. Is it cost prohibitive? Are there issues with how they perform the service? Why haven’t they been required by other clients to have one?”

If the service provider is integral to your operations and you don’t want to terminate the relationship because of the lack of a SAS 70, it may make sense to ask them to allow your own auditors to do some controls testing rather than forcing them to obtain outside certification.

Taking the Plunge

A growing number of service providers have opted to secure outside certification whether or not their client companies are requesting them.

Messaging services provider Postini, for example, has earned both the AICPA’s WebTrust Seal of Assurance and SAS 70 Type II certification. According to Jocelyn Ding, executive vice president of Worldwide Field Operations, the company pursued the trusted services seal in part to meet the needs of prospective and existing customers for assurance that the company’s service complies with a set of objective standards governing availability, security and privacy, as well as to ensure that a framework is in place for compliance on an ongoing basis.

“It’s important to look at certification as a process that will strengthen internal processes around the certification criteria rather than just a process for obtaining a seal or report,” adds Ding. “Compliance with the certification criteria has to become a part of ongoing operations. It is a persistent process.”

For CenterBeam, a San Jose, Calif.-based IT outsourced services company, the decision to pursue SAS 70 Type II certification was an easy one, according to Eric Arnold, vice president of security, engineering and operations.

First, clients expect it and second, it allows them to provide clients with the value-add of taking on the responsibility of at least a portion of their customers’ compliance requirements.

“We had one customer who brought in an army of guys, including their auditors. They were loaded for bear,” said Arnold. “I asked them to show me their SOX (Sarbanes Oxley) criteria for the audit and, after going through it line by line, I came up with a matrix of three things we could do for them” that encompassed consultative, enabling and providing roles. “If you imagine a line with two end points, where one end is empty and the other is full, that’s the SOX criteria. We were able to cover the first third.”

The entire process took CenterBeam about two months and 25 hours a week of Arnold’s time, but he said the ROI is more than worth the effort and expense. For starters, the certification has enabled the company to close deals that were otherwise out of reach, and they realized an improvement in overall productivity.

Finally, said Arnold, who still spends about 15% of his month working with auditors from client companies, the SAS 70 lets him respond quickly to those requests. “Before we had certification … it was a nightmare.”
