CSC WORLD - FEATURED ARTICLES
Putting Innovation to Work
CSC World, October/December 2005, Featured Articles: Technology

Regulatory Compliance and Security in Outsourcing


by Russ Owen


Audit and security requirements are more demanding than ever for companies in Europe and North America. This means the Sarbanes-Oxley and health insurance privacy requirements in the United States and personal privacy laws in Europe now loom larger in making outsourcing decisions.


It’s important to recognize, though, that none of these regulations make any important changes in outsourcing contracts. Sarbanes-Oxley increases a company’s audit requirements, but liability remains with the company — it can’t be sold to a third party. Outsourcing vendors can take much of the day-to-day responsibility for IT security, but it’s still the client who sets overall security policy.

Sarbanes-Oxley may promote outsourcing

It’s not surprising that there are so many complaints about the time and money required to comply with Sarbanes-Oxley. It is surprising that, by requiring companies to invest time and money, the new law seems to be promoting outsourcing.

Sarbanes-Oxley forces many companies to look at their total IT capacity for the first time. We frequently see clients who think they have 10 or 12 subsystems to track labor costs, but after a global audit, they find they have 27. Then they look at the audit requirements to maintain vigilance on 27 systems and find it’s much more efficient to consolidate down to a handful and maintain audit compliance in some central location. It’s another way of reinforcing the efficiencies of consolidation, standardization, and automation.

Companies that do full-scale outsourcing have an easier time with their audits than companies that smart-source. Take for example a Fortune 500 company that outsourced its infrastructure but none of its applications. The people there may feel they have pretty good control over their applications portfolio because they spend all their time on some high-profile corporate applications. They feel that if they have SAP all locked down they’re OK.

But there’s shadow IT out there in the company that isn’t being tracked. The company might have acquired three little garage shops in different parts of the world and picked up employees who keep track of their time on Lotus Notes or some other software. That might have gone unnoticed before, but it all comes out in the audit. If some software somewhere provides a feed into the financial results, then Sarbanes-Oxley will bring it under the scrutiny of the audit.

Accounting as a lens into IT

Sarbanes-Oxley sees a company’s accounting practices as the lens into its IT. An accounting audit becomes an IT audit only when a lack of control in IT exposes accounting to tampering.

Suppose, for example, that a system administrator can change journal entries in a way that materially changes reported results for a quarter. How many trusted employees have the level of access needed to make such changes? Do they have proper authority? Does someone approve their changes? What’s the time between an incident and when it’s detected? Is there monitoring at gateways or network access points that tracks traffic and password attempts? If so, does someone actually read these audit logs? These are the kinds of things you look for in an IT control audit to support Sarbanes-Oxley.
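The control questions above (how many people can alter journal entries, whether a second person approves their changes, how long detection takes, and whether gateway password failures are actually reviewed) can be turned into mechanical checks over an access roster, a ledger change log and a gateway authentication log. The following Python is an added example written for this page, not code from the article or from CSC; the roster, change log, the syslog-like line format, the field names and the failure threshold are all constructed for illustration.

```python
"""Toy Sarbanes-Oxley IT-control checks over constructed sample data.

Hypothetical example: the roster, change log and gateway log below are
constructed for illustration and do not come from any real system.
"""
from collections import Counter
from datetime import datetime
import re

# Constructed access roster: who is able to post or alter journal entries.
ROSTER = [
    {"user": "acct_clerk", "role": "accounting", "journal_write": True},
    {"user": "sysadmin1", "role": "infrastructure", "journal_write": True},
    {"user": "sysadmin2", "role": "infrastructure", "journal_write": False},
    {"user": "auditor", "role": "audit", "journal_write": False},
]

# Constructed general-ledger change log; approved_by is None when no second
# person signed off on the change.
CHANGE_LOG = [
    {"ts": "2005-09-30T17:02:00", "user": "acct_clerk", "entry": "JE-1042", "approved_by": "controller"},
    {"ts": "2005-09-30T23:41:00", "user": "sysadmin1", "entry": "JE-1043", "approved_by": None},
    {"ts": "2005-10-01T09:15:00", "user": "acct_clerk", "entry": "JE-1044", "approved_by": "controller"},
]

# Constructed gateway authentication log (made-up syslog-like format).
GATEWAY_LOG = """\
2005-10-03T08:15:02 gw1 auth FAIL user=sysadmin1 src=10.0.0.5
2005-10-03T08:15:09 gw1 auth FAIL user=sysadmin1 src=10.0.0.5
2005-10-03T08:15:15 gw1 auth FAIL user=sysadmin1 src=10.0.0.5
2005-10-03T08:15:21 gw1 auth FAIL user=sysadmin1 src=10.0.0.5
2005-10-03T08:15:40 gw1 auth OK user=sysadmin1 src=10.0.0.5
2005-10-03T09:02:11 gw1 auth FAIL user=acct_clerk src=10.0.1.7
2005-10-03T09:02:30 gw1 auth OK user=acct_clerk src=10.0.1.7
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def journal_writers(roster):
    """Everyone who can alter journal entries: the population the audit has to size."""
    return {r["user"] for r in roster if r["journal_write"]}


def non_accounting_writers(roster):
    """Journal-write access held outside accounting, e.g. by system administrators."""
    return {r["user"] for r in roster if r["journal_write"] and r["role"] != "accounting"}


def unapproved_changes(change_log):
    """Ledger changes that nobody else approved."""
    return [c["entry"] for c in change_log if c["approved_by"] is None]


def detection_lag_hours(incident_ts, detected_ts):
    """Hours between an incident and the moment it was detected (ISO 8601 timestamps)."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    delta = datetime.strptime(detected_ts, fmt) - datetime.strptime(incident_ts, fmt)
    return delta.total_seconds() / 3600


def failed_logins(log_text, threshold):
    """(user, source) pairs whose FAIL count reaches the threshold; unparsable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("result") == "FAIL":
            counts[(m.group("user"), m.group("src"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def control_report(roster=ROSTER, change_log=CHANGE_LOG, log_text=GATEWAY_LOG):
    """Gather the findings an IT control review would put in front of the auditor."""
    return {
        "journal_writers": sorted(journal_writers(roster)),
        "non_accounting_writers": sorted(non_accounting_writers(roster)),
        "unapproved_changes": unapproved_changes(change_log),
        "repeated_failed_logins": failed_logins(log_text, threshold=3),
    }


if __name__ == "__main__":
    for name, finding in control_report().items():
        print(f"{name}: {finding}")
    # JE-1043 was posted late on 30 September; suppose the weekly review caught it on 3 October.
    print("detection lag (h):", detection_lag_hours("2005-09-30T23:41:00", "2005-10-03T09:00:00"))
```

On the constructed data the report shows one administrator with journal-write access outside accounting, one change with no approver, and one source address with four consecutive password failures before a successful login; each of those is exactly the kind of item the paragraph above says an IT control audit looks for, and the detection-lag figure gives the auditor the "time between incident and detection" answer in hours rather than a guess.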

From an audit perspective, there’s no material deficiency unless a trusted employee misbehaves. But having a large number of employees with a high level of access is a warning sign. An outsourcing provider, particularly one that has a full-range contract and its own internal security processes, will catch these things and question them. The result is that the client does some necessary housecleaning.

The client still bears the financial responsibility. The entire finance department would have to be asleep at the wheel for a change made by a systems administrator to roll right through to the books.
