Regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) both have significant implications for the CIO as well as the CFO and your company’s General Counsel, because these regulations require IT managers to provide internal controls, specifically an audit trail. Certainly Sarbanes-Oxley is primarily financial legislation, enacted in part as a reaction to corporate scandals such as Enron. However, its emphasis on internal controls extends beyond policies, procedures and external audits. In fact, even though the SEC is still defining ‘internal controls,’ it is clear that any public company that uses IT as part of its financial and accounting processes will have to deal with the IT controls that inevitably will be included in these regulatory requirements.
Therefore, for CIOs, the heat is on and is getting warmer! The good news is that there are several immediate steps that can be taken to ensure that business teams and technologies will pass muster. Firstly, custom-developed financial systems are often fraught with potential data-integrity vulnerabilities. Good practice, then, is to ensure that the IT control processes include a segregation of duties within the systems development staff: the people who write program changes are different from the people who test those programs, and both are separate from the team responsible for production change control. No single person should be able to write a change, approve it and move it into production.
Packaged financial systems are also vulnerable. Many Enterprise Resource Planning (ERP) systems offer audit-trail functionality. However, customizing these systems can weaken or bypass the built-in IT controls. Therefore, it is critical to verify that every such customization leaves the audit trail intact rather than creating audit problems.
Just as important as the technical and process controls are the project management methodologies that IT teams might employ, especially since poor project management is the leading cause of system implementation failure and degradation. Therefore, one way to help ensure that systems meet requirements is to have a sound and successful selection and implementation process for all new or upgraded systems.
Finally, the ways in which a firm stores and transmits electronic documents and the determination of when this data is deleted have significant legal consequences. For this reason, the CIO must work closely with the CFO and legal counsel to create appropriate policies regarding document retention and destruction.
The real complexity comes with legislation such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires IT managers to provide an audit trail of access records that usually stretches across multiple users and systems. Complying with the terms of the act may become a real challenge in light of the complexity of modern web services and corporate portals. Corporate portals currently deal primarily with managing access and control for individual users. However, the process of identity management is getting more and more complicated as web services and service-oriented architecture become more common. In such an environment, both people and applications are seeking access to controlled data.
For example, in the era of HIPAA, one might find a web service application accessing insurance or health data rather than a specific individual. In this model the application itself is granted access and then passes that access on to a variety of users. In such an instance, auditing can become a problem. Certainly the application is acting on the user’s behalf, yet the application is nonetheless adding a layer, or sometimes several layers, of indirection. In some cases the user may be four or five layers removed from the actual transaction, with the specific access and control information carried along inside a domain of trust. If each layer records only the identity of the component that called it, the data tier’s log shows nothing but the last service in the chain, and the question HIPAA asks, which person accessed this record, cannot be answered.
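The following is an added illustration of the audit problem described above; it is not code from the original article and does not model any particular product. It assumes a constructed path in which an end user reaches a health-record store only through three intermediate services. Each hop carries the originating subject and appends itself to a delegation chain (in a SAML-based deployment those facts would travel in a signed assertion; here they are a plain object for illustration). The store keeps a naive log that records only the immediate caller beside a delegation-aware log, so the two can be compared, and it refuses any chain that passes through a service outside its trust domain. All service names and user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessContext:
    """Security context that travels with a request across service hops.

    Constructed for illustration: a real deployment would carry the same
    facts (originating user, services acting on that user's behalf) in a
    signed SAML assertion rather than a plain object.
    """
    subject: str                              # originating end user
    delegation_chain: Tuple[str, ...] = ()    # intermediaries, outermost first

    def delegate_to(self, service: str) -> "AccessContext":
        # Each hop appends itself; the originating subject is never replaced.
        return AccessContext(self.subject, self.delegation_chain + (service,))

    def immediate_caller(self) -> str:
        # What the data tier sees if it looks only at who connected to it.
        return self.delegation_chain[-1] if self.delegation_chain else self.subject


@dataclass
class AuditEvent:
    record_id: str
    subject: str
    immediate_caller: str
    delegation_chain: Tuple[str, ...]


class HealthRecordStore:
    """Data tier keeping a naive log (immediate caller only) beside a
    delegation-aware log so the two can be compared."""

    def __init__(self, trusted_services: Set[str]):
        self.trusted_services = trusted_services   # the "domain of trust"
        self.naive_log: List[Dict[str, str]] = []
        self.audit_log: List[AuditEvent] = []

    def read(self, record_id: str, ctx: AccessContext) -> dict:
        # Refuse any chain that passes through a service outside the trust domain.
        untrusted = [s for s in ctx.delegation_chain if s not in self.trusted_services]
        if untrusted:
            raise PermissionError(f"untrusted intermediary in chain: {untrusted}")
        self.naive_log.append({"record": record_id, "caller": ctx.immediate_caller()})
        self.audit_log.append(AuditEvent(record_id, ctx.subject,
                                         ctx.immediate_caller(), ctx.delegation_chain))
        return {"record": record_id, "status": "ok"}


def portal_request(store: HealthRecordStore, user: str, record_id: str) -> dict:
    """Constructed path: user -> portal -> claims service -> records service -> store."""
    ctx = AccessContext(subject=user)
    for hop in ("portal-web", "claims-service", "records-service"):
        ctx = ctx.delegate_to(hop)
    return store.read(record_id, ctx)


def who_read(store: HealthRecordStore, record_id: str) -> Tuple[List[str], List[str]]:
    """Answer the auditor's question 'who read this record?' from each log."""
    naive = sorted({e["caller"] for e in store.naive_log if e["record"] == record_id})
    aware = sorted({e.subject for e in store.audit_log if e.record_id == record_id})
    return naive, aware


if __name__ == "__main__":
    store = HealthRecordStore({"portal-web", "claims-service", "records-service"})
    portal_request(store, "alice", "patient-001")
    portal_request(store, "bob", "patient-001")
    print(who_read(store, "patient-001"))
    # (['records-service'], ['alice', 'bob'])
```

After two different users read the same record through the portal, the naive log can only say that "records-service" read it; the delegation-aware log names both users and the full chain each request took. The trust-domain check is the other half of the picture: once a store relies on the chain for attribution, it must also refuse chains that contain a component it does not trust, or an untrusted intermediary could assert any subject it likes.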
While such access to controlled data may not be a significant issue yet, things are moving in this direction, and the new federated architecture carries with it great potential for complexity. Consequently, standards-based software using the Security Assertion Markup Language (SAML) and the Service Provisioning Markup Language (SPML) has been developed to deal with this complex issue. At present, such software allows increased control over identity management in the web services arena. It should also be noted that this type of software comes at a cost. According to the Gartner Group, this software currently costs about $5 to $25 per user to license.1 Furthermore, according to International Data Corporation (IDC), sales of identity management software will grow at an annual rate of 52%. They estimate that sales of these applications will increase from $550 million in 2001 to $2 billion in 2006.2
Now that the Securities and Exchange Commission (SEC) has postponed implementing certain sections of the Sarbanes-Oxley Act that pertain to internal control reporting, a window of opportunity exists for firms to prepare now for what will follow. In fact, companies have about nine months not only to ensure that the proper processes and procedures are in place, but also to ensure that their systems are ready for the appropriate identity management requirements, both now and in the future.