The Key to Compliance
In the wake of the Enron and Worldcom accounting scandals, the controls an enterprise sets up to ensure its integrity are open to increasing scrutiny. This has resulted in a growing number of initiatives such as Basel II, the Sarbanes-Oxley Act and the new Companies Act. These are all designed to ensure that high standards of corporate governance become part of day-to-day business culture.
Basel II
This forthcoming international protocol for the financial sector will replace the 1988 Capital Accord. It recognises that managing and controlling financial risk and operational risk, such as from computing, is an integral part of corporate governance. It obliges companies to assess their vulnerability to these risks and make it public.
Basel II is based on three main areas that allow banks to evaluate effectively the risks they face:
minimum capital requirements,
supervisory review of the institution's capital adequacy, and
internal process assessment and market discipline through effective disclosure to encourage sound banking practices.
Financial organisations that do not provide relevant details must set aside a fifth of their revenue to cover losses or risk being prevented from trading. The first phase of Basel II will come into effect at the end of 2006, with the more advanced elements planned for implementation at the end of 2007.
Sarbanes-Oxley Act
The furthest reaching of these regulations is the Sarbanes-Oxley Act. This requires companies to comply with challenging new standards for the accuracy, completeness and timeliness of financial reporting. It imposes increased penalties for misleading investors.
The act, which applies to all companies (and their subsidiaries) on the US public markets, protects the interests of investors and serves the wider public interest. It does so by outlawing practices that have proved damaging, such as overly close relationships between auditors and managers. The law includes stiff penalties for executives of non-compliant companies. These include fines of $5m and up to 20 years in prison for each violation.
Companies Act
The Companies (Audit, Investigations and Community Enterprise) Act 2004 applies to companies based in the United Kingdom. It is designed to help UK firms avoid the much-publicised accounting and auditing problems experienced by companies such as Enron, Worldcom and Parmalat. The act imposes new measures to ensure that data relating to trades, transactions and accounting throughout an organisation is fully auditable.
A major innovation is the establishment of a new corporate entity, the "community interest company". These are businesses whose profits and assets are to be used for the benefit of the community.
Security
Basel II, the Sarbanes-Oxley Act and the Companies Act all highlight the fact that board directors and executive management have a duty to protect the information resources of their organisations. Network security - preventing unauthorised access to information and data - is of the utmost importance in this. The most effective way of achieving it is through the use of a provisioning solution that allows the enterprise to determine who has access to which application programs and when.
Putting an identity and access management programme into effect can be a difficult task for many large organisations. Ensuring the correct level of security and internal controls over key information and data is not easy.
Often, systems and access policies in use today were developed many years ago, when security was not necessarily the highest priority. Not only are these existing systems now unsuitable but so too are many of the policies associated with them. Access is granted manually or by 'home-grown' development.
Further, many of the systems cannot cater for temporary changes, such as using contract workers or members of staff being on leave. Also, companies often have myriad systems and access policies, which have merged with another organisation's policies, systems and architectures.
These are now major problems that need to be dealt with urgently. As well as the need to comply with corporate governance regulations, the situation has also given rise to an increased security threat. This is highlighted by the Financial Services Authority's Financial Crime Sector Report, Countering Financial Crime Risks in Information Security, published in November 2004.
Secure enterprise provisioning
Organisations can ease these problems by centrally managing IT systems and application programs, and the users who access them. Enterprise 'provisioning' systems automate the granting, managing and revoking of user-access rights and privileges. They enforce the policies that govern what users are allowed to access and then create that access for those users on the relevant systems and programs.
Provisioning transactions can be dynamic, based on the nature of each access request. The system starts the approval workflows defined by the relevant policy. It also provides robust reporting, letting the IT department better manage user access rights globally. For example, systems administrators can view in real time who has access to particular systems, or the status of any individual access request.
The best of the new breed of provisioning systems enforce organisational policies that aid compliance with some of the regulations already discussed. Reporting and auditing tools list the people who have access to protected systems. They show how the access was granted and whether the right approvals were obtained. The software can also show that users who have left the organisation have had their access revoked.
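The policy-driven approval, leaver revocation and audit reporting described above, as an added Python sketch that is not code from the original article or from Thor Technologies; the systems, users, line managers and dates are constructed sample data, and a real provisioning system would read them from the HR feed and the managed systems.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data (hypothetical), standing in for the HR feed and policy store.
PROTECTED = {"ledger", "payroll"}           # systems whose access needs line-manager approval
HR = {                                      # user -> (line manager, leaving date or None)
    "alice": ("carol", None),
    "bob":   ("carol", date(2004, 9, 30)),  # bob has left the organisation
    "dave":  ("erin", None),
}
REPORT_DATE = date(2004, 11, 1)

@dataclass
class Grant:
    user: str
    system: str
    granted_on: date
    approved_by: Optional[str]              # None means no approval was recorded
    revoked_on: Optional[date] = None

def provision(user, system, approver, today):
    """Apply the access policy: a protected system needs the user's line manager to approve."""
    manager = HR[user][0]
    if system in PROTECTED and approver != manager:
        raise PermissionError(f"{system}: approval from {manager} required for {user}")
    return Grant(user, system, today, approver)

def deprovision(grants, user, today):
    """Leaver workflow: revoke every live grant for the user; returns how many were revoked."""
    n = 0
    for g in grants:
        if g.user == user and g.revoked_on is None:
            g.revoked_on, n = today, n + 1
    return n

def audit(grants, today):
    """Compliance report: who holds access, grants with no approval trail, leavers still active."""
    live = [g for g in grants if g.revoked_on is None]
    left = lambda u: HR[u][1] is not None and HR[u][1] <= today
    return {
        "access": sorted((g.user, g.system) for g in live),
        "unapproved": sorted((g.user, g.system) for g in live
                             if g.system in PROTECTED and g.approved_by is None),
        "leavers_active": sorted((g.user, g.system) for g in live if left(g.user)),
    }

def sample_grants():
    """Constructed sample: one policy-approved grant, one legacy hand-made grant, one open system."""
    return [provision("alice", "ledger", "carol", date(2004, 10, 1)),
            Grant("bob", "payroll", date(2003, 1, 5), None),   # granted outside the workflow
            provision("dave", "wiki", None, date(2004, 10, 1))]
```

Running `audit(sample_grants(), REPORT_DATE)` flags bob's payroll access twice: it was never approved and he has already left; `deprovision` clears it.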
These abilities not only make regulatory compliance straightforward and easy to manage, but also increase productivity. Users can be connected to the resources they need in a fraction of the time, cost and effort previously expended. Organisations can compress the user set-up process from weeks to minutes and application program integration from months to days.
The IT department's own productivity will increase dramatically, as resources are freed from the time-consuming tasks of managing user access and building integration to managed systems and applications.
By ensuring regulatory compliance and at the same time reducing costs, secure enterprise provisioning solutions will evolve into a critical element of the IT infrastructure of successful businesses.
***
Michael Burling, EMEA managing director of Thor Technologies, contributed this article. Our thanks go to him.