Skip to content

Developing a Compliance solution to meet your audit needs: SOX, HIPPA, COBIT

June 21, 2008


Development of an IT compliance plan for Sarbanes-Oxley should be just one part of an overall compliance effort involving legal, accounting, and senior executive input. The chief focus of the regulation is upon financial procedures, and internal reporting procedures need to remain the key focus. However, the policies and procedures that are developed will require IT support. It is important that IT be represented on the compliance team, because electronic storage of information will be critical to meeting requirements. Changes in storage architecture need to be examined carefully to ensure that the result is adequate, that it is not disruptive of ordinary corporate business, and that it can be implemented at reasonable cost.

Within the IT department, it is important to examine the company’s exiting backup and storage systems, as well as the information that is being retained. The four basic steps that need to be taken are:

  • Scoping and evaluation of documents with regards to the need for retention and continued access.

  • Evaluation of current storage and backup practices, procedures, and equipment to determine adequacy of current system and specific changes that might be required.

  • Development of new systems and infrastructure, and providing for a minimally disruptive implementation.

  • Ensuring comprehensiveness of the new solution in meeting compliance requirements, and compatibility with existing systems.

The major control element of Sarbanes-Oxley is Section 404. It is this section that requires an independent audit process, and will have the most bearing upon development of IT controls. Overall, compliance should be undertaken as a project that includes:

  • Project organization, establishing the team to examine the requirements.

  • Development of a project plan, and establishing key success factors, milestones, and checkpoints.

  • Establishing a project approach and reporting requirements, including assessment of documentation requirements, definition of control units for evaluating entity-level and process-level controls, and identifying the tools and technology needed to support controls


Sarbanes-Oxley has had a dramatic and continuing effect upon organizations, particularly in the information technology and data storage areas. Although the regulation is designed principally to control accounting practices and ensure transparency in financial reporting, the mechanisms for data storage and verification have come under significant review. Meeting the new requirements requires an examination of in-place technology and procedures with the aim of creating a robust and verifiable system capable of withstanding an external audit.

As Sarbanes-Oxley comes into force, its scope is broadening to directly include more companies as a result of its built-in deadlines, and to include more companies indirectly as the need for compliance causes partnering firms to maintain the same levels of storage integrity and verification. The emphasis upon these processes can, and should, be used to improve IT processes so that they better support the other objectives of the business as well as strengthen disaster recovery.

Although Sarbanes-Oxley is the most important of the recent regulations in this area, it is not the only regulation to affect the storage area. In general, companies are being required to put best practice systems in place, supported by solid procedures that reduce the possibility of records tampering and make it possible to recover relevant material from backups.

The challenge is large, and compliance issues are constantly changing. The real focus, however, must be upon changing how data is viewed — particularly legacy data and messaging. A robust and secure storage system that provides reasonable access to backup documents provides a powerful mitigation tool for a multitude of legal and financial risks.

Compliance needs to become an ongoing process, with periodic reviews, as with other business risks. The IT department, which has often operated on its own, must now bring its policies into line with those of the rest of the firm

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: