www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
02 January 2006  
30 Minute Interview

“Organisations are building checkpoints into their processes to sustain compliance-related efforts”

There are specialised tools that help organisations comply with regulations such as SOX (Sarbanes-Oxley Act of 2002). Do organisations need specialised tools or are the ERP vendors coming out with updates that take care of compliance?

Vander Wal: It is critical to put in automated controls. It indicates that the organisations putting these controls in place are serious about what they are doing. There are two types of controls—those that prevent and those that detect. Automated tools tend to be preventive controls. The greater the number of preventive controls, the higher the chances that these controls are going to be followed. Last year, in the first year of SOX, a lot of detective controls were put in place to address deficiencies caught by the company management or external auditors. These need to be replaced with automated controls.

Kenneth L Vander Wal
Partner, Technology and Security Risk Services
Ernst & Young

Sunil Chandiramani
Partner
Ernst & Young

Is the increase in regulations to ensure good corporate governance and behaviour a temporary phenomenon driven by scandals like Enron and WorldCom, or are we moving into an era of corporate citizenship and ‘good’ business?

Vander Wal: HIPAA was the regulatory framework for the healthcare industry. When privacy regulations were finally in place, we had to sign documents when we wanted to go to the doctor. After it became effective, it proved to be good for the healthcare industry. Today it is difficult to get medical information about individuals. I see the same thing happening from the SOX perspective. There is a lot of discussion on the cost of compliance, with some people saying that it’s too high.

There is a significant reduction in the number of controls that are being tested versus last year. Most organisations have seen the benefits of compliance. It will continue to be in focus. Organisations are moving from project to process. Now that they are there, they must sustain their efforts and maintain compliance. To this end, they are building checkpoints into the processes.

Chandiramani: From a regulatory perspective, after the scandals (WorldCom, Enron etc.) interest in SOX went up everywhere. All countries have realised that they need to do something in the area of corporate governance. Clause 49 in India is a reflection of SOX.

In the sphere of outsourcing, the IS Act, amendments to the act, training the police …it has all happened very quickly. Regulations leading to data security, privacy, better governance are here to stay. They will become more stringent and will not dilute in any form, shape or manner. They are there to protect investors and you will not see them complaining about the cost of compliance.

Vander Wal: It is evident that the US regulations such as SOX have put a set of regulations in place that does not exist anywhere else. Organisations obtaining third party reports in other countries are putting themselves through SOX-like evaluations.

The IT control structure or regulatory framework of commercial companies outside the US lags significantly behind what is in the US. SOX forced it to happen in the US.

Indian service providers supporting US-based companies are being forced to put in application controls. These companies are being audited again for SOX-like internal control requirements.

How does a CIO go about putting IT controls in place to ensure compliance? Is policy the best place to begin?

Vander Wal: There are a number of SAS (Statements on Auditing Standards), of which No. 70 deals with service organisations. A CIO providing services to multinational corporations has to demonstrate that he has adequate controls in place. Third-party auditors work with the CIO and his staff to identify the controls that are in place. Verification and testing proves that the tools are operating as they should. SAS 70 verifies that the controls are in place. The CIO and his team need to query their users so that they know what the users’ needs are.

Chandiramani: Over 40 percent of the Fortune 500 outsource to Indian ITeS companies. 70 percent of them outsource work to Indian software houses. All these companies need to comply with SOX. To this end they need to deploy tools like SAS 70. CMMi, CMM, BS7799 are just the building blocks. These do not satisfy their customers’ needs. If they are unable to address these needs, they will either face a flight of business or increased scrutiny, driving up their costs.

—Prashant L Rao

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.