Lot’s going on in the Sarbanes-Oxley thread from a last week (well, a lot for this blog at least). So let’s keep the momentum going.
Adding in my own biases, there are two messages that emerge. The first is that complying with Sarbox is not a one-time event but and ongoing process. Sure, you need to be compliant this year and you will have an audit to determine if you are. But you also have to be compliant again next year, and the year after that, and so on. If you are dependent on a team of consultants to validate controls this year and you don’t change anything, you will be dependent on a team of consultants again next year. And if you haven’t been able to work on the projects that you really want to be doing (as opposed to the Sarbox related projects you probably are working on) then that is what you will be doing again next year. Hence, figuring out a way to simplify the audit process for next year should be your first priority.
The second message is that companies should stop thinking about the process as Sarbox compliance, but more generally as compliance. The point here is that in the big picture Sarbox is juts one of several regulations that your company will need to comply with, be it OSHA, HIPAA, or something that hasn’t even been thought of yet. I don’t think that matters too much in and of itself, but it adds weight to the argument I’m about to present.
One reason that companies have been slow turn to IT for solving Sarbox is that while they have to comply, there is no real incentive for doing so other than avoiding the fines/jail/embarrassment of not complying – the law sets minimum control levels but doesn’t reward companies that exceed these. So there is no ROI for automating a manual process that is compliant. Unless you think outside the Sarbox, so to speak (sorry, it’s terrible, but I couldn’t resist). The processes that you automate to increase the level of control will presumably make the business more efficient, by replacing a more time consuming or more expensive manual process. This is where the ROI comes in, with the secondary argument that the improved controls make complying with future regulation easier.
So in answer to the timeline question that someone posted, I would guess that 2005 will be the year that CIOs concentrate on simplifying the audit as much as possible, and that 2006 and 2007 will be the years when everyone automates processes. Does that sound about right to all of you?