The Sarbanes-Oxley Act has been in force for some time now. Companies have acknowledged that it is not a one-off event, but is more in the nature of a process improvement activity enforceable by government regulations. A comparable process in the case of IT companies is the Software Engineering Institute's Capability Maturity Model that governs organization processes in IT companies. The Act has already had a major impact on the financial, management and IT functions within public companies. It is, therefore, imperative that companies are fully aware of compliance requirements and institute implementation systems in their processes.

Implementation:

Company managements have to be fully aware of the ramifications of the Act since compliance failure could lead to no end of trouble for company executives. A major issue with companies has been that SOX, as the Act is frequently referred to, is ambiguous. The reality is that SOX is here to stay and it would be in the interest of companies to have policies in place for mission-critical systems. Some aspects to be monitored are:

o The responsibilities and roles for compliance initiatives should be clearly defined, and there should be no ambiguity in this aspect.

o It pays to have a pro-active approach and not wait for a back-up log from their systems to indicate trouble. A continuous review of records and historical data will give a faster indication of trouble. Business processes should be automated on a continuous basis. Data administration issues like capacity management, storage requirements and retrievability assume significance.

o Have a foolproof e-mail policy in place. It will help in the long term if all e-mails are saved. Good e-security policies are also essential. User access and intrusion detection infrastructure should be functional.

o Have a constant dialogue with the company's auditors and institute the concept of continuous auditing. Accurate and reliable information about the company should always be accessible. There may be a need to review financially linked processes to ensure that adequate controls are in place.

o Contract terms with suppliers and vendors may have to be reviewed in the light of SOX requirements.

o Employees have to be educated and awareness created regarding the compliance and control issues, security standards and objectives. Employee training assumes greater significance in this environment.

o All systems and processes relating to compliance issues should be tested periodically to ensure their efficacy and reliability.

The basic premise of Sarbanes-Oxley is sound. Organizations should use the opportunity provided by the Act as a stimulant to review their operational and internal controls. The managerial processes have to be updated on a continuous basis. Besides meeting compliance requirements mandated by the Act, companies will be able to improve their operational efficiency in the long term.