Lot’s going on in the Sarbanes-Oxley thread from last week (well, a lot for this blog at least). So let’s keep the momentum going. Adding in my own biases, there are two messages that emerge.
The first is that complying with Sarbox is not a one-time event but an ongoing process. Sure, you need to be compliant this year and you will have an audit to determine if you are. But you also have to be compliant again next year, and the year after that, and so on. If you are dependent on a team of consultants to validate controls this year and you don’t change anything, you will be dependent on a team of consultants again next year. And if you haven’t been able to work on the projects that you really want to be doing (as opposed to the Sarbox-related projects you probably are working on) then that is what you will be doing again next year. Hence, figuring out a way to simplify the audit process for next year should be your first priority.
The second message is that companies should stop thinking about the process as Sarbox compliance, but more generally as compliance. The point here is that in the big picture Sarbox is just one of several regulations that your company will need to comply with, be it OSHA, HIPAA, or something that hasn’t even been thought of yet. I don’t think that matters too much in and of itself, but it adds weight to the argument I’m about to present.
One reason that companies have been slow to turn to IT for solving Sarbox is that while they have to comply, there is no real incentive for doing so other than avoiding the fines/jail/embarrassment of not complying – the law sets minimum control levels but doesn’t reward companies that exceed these. So there is no ROI for automating a manual process that is compliant. Unless you think outside the Sarbox, so to speak (sorry, it’s terrible, but I couldn’t resist).
The processes that you automate to increase the level of control will presumably make the business more efficient, by replacing a more time consuming or more expensive manual process. This is where the ROI comes in, with the secondary argument that the improved controls make complying with future regulation easier. So in answer to the timeline question that someone posted, I would guess that 2005 will be the year that CIOs concentrate on simplifying the audit as much as possible, and that 2006 and 2007 will be the years when everyone automates processes. Does that sound about right to all of you?