IT should lead on Sarbanes-Oxley

IT directors should take the lead in preparing businesses to meet the Sarbanes-Oxley rules and other regulations on corporate...

IT directors should take the lead in preparing businesses to meet the Sarbanes-Oxley rules and other regulations on corporate governance, analysts have advised.

British businesses with a significant US presence, such as HSBC and British Airways, are already conducting gap analyses of their IT systems in preparation for compliance deadlines.

Experience from the US shows that businesses are likely to find thousands of IT holes that need to be filled before they can demonstrate that they meet the US standards for financial reporting, Malcolm Marshall, partner at KPMG, will tell this week's Infosecurity Europe conference.

A review of IT systems is fundamental to comply with Sarbanes-Oxley, which requires businesses with a US stock market listing to demonstrate best practice in their financial reporting controls.

IT directors who do not take a lead in ensuring their businesses are ready for Sarbanes-Oxley risk having cumbersome systems imposed on them by the rest of the business, said Marshall.

CIOs can play a pivotal role in implementing Sarbanes-Oxley by drawing on the experience of their risk management staff and business continuity experts to identify key risks to the business.

"The CIO really has to be on the steering group for Sarbanes-Oxley," said Marshall. "For most organisations IT is absolutely critical for the production of their financial reporting. They need to understand how to embed processes into the IT organisations that will help them comply with the least effort."

Although Sarbanes-Oxley will only have a direct impact on IT systems used for financial control, in practice it is easier for most firms to carry out a complete review of their IT than to spend time identifying the relevant systems, said Marshall.

Many US firms have found gaps in the access control policies of their IT systems, making it difficult for them to identify who has accessed systems and what activities they have carried out.

The regulations are likely to encourage take-up of single sign-on and user authentication systems as businesses start getting to grips with their implications, said Marshall.

"For the IT department, it is a driver to adopt new common processes. IT departments could use it as a business case for adhering to BS7799 and other international standards" he said.

Read more on IT legislation and regulation