Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Social Responsibility's Strategic Benefits
December 15, 11:30 AM - 12:30 PM US/Eastern (GMT-5)
Join Ed Granger-Happ, CIO of Save the Children, for a discussion of how creating an organization that is socially responsible improves staffing, retention, leadership development and overall corporate health.
Working With and Communicating to Your Board of Directors
January 13, 2009, 4:00 PM - 5:00 PM US/Eastern (GMT-5)
CIO panelists who will share tips and experiences working with their boards: Twila Day of SYSCO; Jeff O'Hare, West Corp.; Marc West, formerly with H&R Block.
IT's Role in Growing Mid-Market Companies
January 14, 4:00 PM - 5:00 PM ET (GMT-5)
Mid-market Council members will share their companies' stories and challenges in driving or coping with growth. Panelists represent Veterinary Pet Insurance, Medicis Pharmaceutical, and Intrax Cultural Exchange.
Learn more about the CIO Executive Council »
Apply today for a FREE subscription to CIO Magazine!
SOX and Micromanagement
How regulations are used as an excuse for costly disempowerment.
January 31, 2007 — CIO — Last night on the airplane, the fellow sitting next to me spoke candidly on the condition that I’d mention his son’s name in print. Hi, Brian!
He also demanded anonymity. We’re not talking about a national political intrigue here, but the facts are disturbing.
Wallace (not his real name) is an ERP consultant. On his last two projects—major implementation programs in two different huge corporations—he conservatively estimated that one-third of the costs of the project were wasted in the name of Sarbanes-Oxley (SOX) compliance.
That’s a 50 percent increase in project costs over what they otherwise would have been! I was skeptical. Sure, there are costs of compliance with all regulations. But “wasted”? Corporate accountability isn’t a waste.
No, he protested. He insisted he wasn’t talking about the costs of complying with SOX. Rather, he was saying that these companies could have complied to the same degree for far less money. Now he had my interest. As I probed, I learned that the real issue was not SOX, but instead was micromanagement.
<> Let’s look at how SOX and other regulatory requirements are sometimes implemented in a way that”s disempowering and expensive.Two Dimensions of SOX Compliance
As with many regulations, SOX generates two distinct requirements. On one hand, it causes clients to buy applications from IT that help them report data in a truthful, transparent and timely manner. From the IT perspective, this is nothing more than a driver of systems requirements. The regulation generates “sales” for IT internal service providers, at a cost to the company. But one would expect that clear data should be useful to leaders and shareholders as well as regulators, so the cost of these systems isn’t a total waste.
On the other hand, SOX (and other regulations such as validation in the pharmaceuticals industry) requires that IT produce documentation of its development and testing processes, among other internal controls. These are additional work products—“artifacts” if you like buzzwords—that become another deliverable inherent in any development project affected by the regulations. And of course, they have a cost too.
But again, documenting processes isn’t a total waste. Doing so should help IT improve its processes and produce better and more maintainable systems.
The waste that Wallace was talking about is more subtle.
The End Does Not Justify the Means
Wallace gave me an example. In the name of SOX compliance, one of the companies that Wallace had mandated the use of a specific documentation method, UML (Unified Modeling Language), for all systems built by IT. UML, incidentally, is an excellent way to describe an object-oriented system’s specifications.
The Business Case for Web Application Firewalls, by Ken Tyminski, former VP and CISO for the Prudential Insurance Company of America
BlackBerry in the Regulatory Spotlight - A White Paper by Day Pitney LLP
Stop mobility from jeopardizing PCI compliance with these best practices.
Putting Enterprise Communications on Autopilot
Improving Mobile Access to Data
Operational Excellence Is Key to Maximizing IT Investments
Endpoint Security: Compliance at the Endpoint
Paving the Way for Trusted Collaboration
Find out what Forrester says about mobile endpoint security and its management.
Grassroots Data Governance with SAP MDM
The CIO's Guide To Harnessing Enterprise 2.0
What's Next? Real Answers for Tough Times
A crystal ball won't provide the answers you need.
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Forrester: How to Squeeze Your Vendors
Security, Civil Liberties Experts Question Data-Mining
Microsoft Tools Build Bridge Between OpenXML, Other Formats
Microsoft Market Share Slips: Pressure's On for Windows 7 and IE8
Shoppers Opened Their Wallets on Cyber Monday
Windows 7 Beta Slated for Mid-January Release
Entellium Files Bankruptcy, Intuit Eyeing Assets
Registrations Open for .Tel Domain
Nvidia Restates Its Interest in Mini-Laptops
Apple Antivirus Support Page Removed
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
- CIO|
- Computerworld|
- CSO|
- DEMO|
- Game Pro|
- Games.net|
- IDG|
- IDG UK|
- IDG Connect|
- IDG Tech Network |
- IDG World Expo|
- Industry Standard|
- InfoWorld|
- ITworld|
- JavaWorld|
- LinuxWorld|
- MacUser|
- Macworld|
- Network World|
- PC World|
- Playlist|
- CIO UK|
- CIO Germany|
- CIO China|
- CIO Sweden|
- CIO Australia|
- Other CIO Sites
