IT gets ready for audit rules
Madeline Bennett [15-04-2004]
The European Commission last month announced plans for tougher
auditing regulations across member states, to combat fraud and
malpractice and to give investors faith in the accuracy of accounts
data in the wake of the Enron and Parmalat scandals. The need for
good systems to prove compliance could cause headaches for IT
managers, but may also raise the profile of IT at board level.
When the new rules emerge, they are likely to be similar to those of
the Sarbanes-Oxley (SOX) Act in the US, with tough penalties for
non-compliance, probably including jail sentences for senior managers
who sign off on accounts without taking adequate measures to ensure
that they are correct.
A consultation process will now take place, after which proposals are
likely to be submitted to the European Parliament and the Council of
Ministers. "When Europe is deliberating this, it will be very much
with Sarbanes-Oxley in mind as the benchmark," said Alan Pelz-Sharpe,
research director at analyst firm Ovum.
"Under Sarbanes-Oxley, the penalties are much tougher, with the
potential of a lengthy prison sentence for chief executives," he
added. "In Europe, you could get away with claiming incompetence. SOX
is saying forget about the letter of the law and prove you knew what
you were doing."
Compliance would be a top priority for chief executives and chief
financial officers - and therefore IT chiefs. "This will be the issue
that puts CIOs [chief information officers] on the board," predicted
Mike Davis, senior research analyst at Butler Group. "Financial
directors [will] now have to show they have processes in place to
demonstrate compliance and show data has been accurately recorded.
The CIO runs these systems, and is the only person who has the full
scope of this area."
Meanwhile, IT managers are already shouldering the burden of setting
up systems for other new regulations, including Basel II rules for
financial organisations; International Accounting Standards; and
anti-money-laundering laws.
"We are now talking about highly complex, multi-stream software
development projects involving enhancements to existing systems and
databases plus the development of new ones," said David Porter, head
of security and risk at IT consultancy Detica. IT chiefs' efforts
will definitely cover structured data, such as that found in
accounting systems and databases. "[But] if the US experience is
anything to go by then IT managers had better start looking at
unstructured data [as well] such as emails, instant messaging and
telephone calls," Porter added.
In the US, financial services organisations are required to monitor,
store and report on a wide range of employee communications. However,
the large amount of unstructured data involved makes this a daunting
challenge, and some types of communication are often not detected and
recorded by traditional IT systems.
Due to the complex nature of compliance projects, which often
comprise multiple co-dependent units, IT directors could benefit from
improving their programme management skills, argued Porter. "They
could in fact look to the public sector to see how large programmes
are put together and managed," he said. "There is a lot of useful
best practice to be found there."
But while the current emphasis on compliance is likely to mean more
work for IT teams, it could also bring benefits. Porter argued it
could help budget-starved IT departments kick-start the
transformation of creaking IT systems and processes into something
more powerful and flexible.