IT directors should take the lead in preparing businesses to meet the Sarbanes-Oxley rules and other regulations on corporate governance, analysts have advised.
British businesses with a significant US presence, such as HSBC and British Airways, are already conducting gap analyses of their IT systems in preparation for compliance deadlines.
Experience from the US shows that businesses are likely to find thousands of IT holes that need to be filled before they can demonstrate that they meet the US standards for financial reporting, Malcolm Marshall, partner at KPMG, will tell this week's Infosecurity Europe conference.
A review of IT systems is fundamental to comply with Sarbanes-Oxley, which requires businesses with a US stock market listing to demonstrate best practice in their financial reporting controls.
IT directors who do not take a lead in ensuring their businesses are ready for Sarbanes-Oxley risk having cumbersome systems imposed on them by the rest of the business, said Marshall.
CIOs can play a pivotal role in implementing Sarbanes-Oxley by drawing on the experience of their risk management staff and business continuity experts to identify key risks to the business.
"The CIO really has to be on the steering group for Sarbanes-Oxley," said Marshall. "For most organisations IT is absolutely critical for the production of their financial reporting. They need to understand how to embed processes into the IT organisations that will help them comply with the least effort."
Although Sarbanes-Oxley will only have a direct impact on IT systems used for financial control, in practice it is easier for most firms to carry out a complete review of their IT than to spend time identifying the relevant systems, said Marshall.
Many US firms have found gaps in the access control policies of their IT systems, making it difficult for them to identify who has accessed systems and what activities they have carried out.
The regulations are likely to encourage take-up of single sign-on and user authentication systems as businesses start getting to grips with their implications, said Marshall.
"For the IT department, it is a driver to adopt new common processes. IT departments could use it as a business case for adhering to BS7799 and other international standards," he said.