R U Compliant? - InformationWeek

R U Compliant?

Sarbanes-Oxley Act compliance is nothing if not a real-time challenge. Creating a good information flow among potentially hundreds of stakeholders requires a new influx of technology, including solutions based on instant messaging.

Making Sarbanes-Oxley Act (SOX) compliance happen in a large, geographically dispersed enterprise is not a trivial matter. In fact, it's probably the biggest unsolicited project to hit businesses and IT departments since Y2K and the introduction of the Euro. However, unlike Y2K and the Euro, there's no simple technology fix. You can't just change some code or go and buy a new ERP system. SOX compliance reaches deep into the bowels of an organization, affecting large numbers of people and processes.

In a large enterprise, a SOX project can involve hundreds of stakeholders directly and thousands indirectly. Viewed as a cultural change management project, SOX compliance involves the whole organization. A lot of people are touched by it: both internal employees and external business partners in the form of consultants, auditors, and IT suppliers. A SOX project can also draw attention to hundreds of business processes and potentially thousands of individual activities within those processes.

A project of this nature is bound to be costly. AMR Research, the Financial Executives Institute (FEI), and similar market trend analysis firms estimate annual SOX compliance costs to be in the range of $2 to $5 million for large organizations. Such costs are a financial burden every business subject to SOX has to bear — and they aren't expected to go away anytime soon. Failure to comply will be punished perhaps most of all through lost reputation in the marketplace. Yet, it's by no means clear that effective compliance will return proportionately equal positive rewards.

SOX projects also have regulatory deadlines that are difficult to ignore. SOX project milestones — and there are a lot of them — must be met; any slippage must be controlled ruthlessly to avoid missing demanding quarterly and annual reporting deadlines. Time is certainly of the essence. Even more than time constraints, however, SOX compliance teams are under pressure because experienced SOX resources are thin on the ground and expensive to acquire.

SOX compliance teams have largely come to grips with understanding and defining the new compliance taxonomy. To address process oversight and documentation, teams are implementing new processes and technology. The focus is now beginning to turn toward how to improve the performance of SOX projects to make them happen faster, cheaper, and better. This is where compliance event management (CEM) and real-time collaboration (RTC) technology come into play.

TABLE 1 Compliance issue resolution scenarios.


CEM is about resolving issues that arise during work on SOX compliance projects as quickly and cost-effectively as possible. And you can expect plenty of compliance "events" to surface in environments where regulations are changing, taxonomies aren't fully defined, people don't have strong experience in compliance processes, and organizations haven't had enough time to firm up complete sets of SOX best practices, let alone understand and implement them.

A compliance event may take the form of one of the following:

  • The introduction of new or revised compliance regulations
  • A dispute over compliance documentation and/or processes
  • Veracity and transparency issues relating to financial report numbers
  • "Whistle blowing" by process stakeholders
  • Disputes with business partners who have a compliance dimension
  • Compliance "pushback" by compliance partners (for example, auditors)
  • Compliance investigations by regulatory authorities.

For some specific examples of typical compliance event scenarios, see Table 1.

It's often not possible to handle these compliance events in conventional ways (for example, by face-to-face meetings, email, or via online portals). Travel costs and email response delays, which generally extend the latency between events and actions, all come into play. These delays lead to project cost escalation, milestone slippage, and the eventual possibility of some kind of "material" or "significant" event occurring that may trigger a SOX investigation or even a fine.

Adding RTC capabilities into the technology stack can help alleviate certain costs and reduce time latency in resolving compliance events. For RTC to help in this way it has to deliver presence awareness, desktop application integration, and specific RTC applications, including Web conferencing and instant messaging (IM).

How RTC Helps

RTC is all about information immediacy; that is, conversing and collaborating online: seeing and hearing rather than reading, and sharing documents or process context by sharing your desktop online.

Presence awareness means knowing who's online at a given point in time: Which SOX team members are online now and available to collaborate? By detecting a team member online, you can initiate a dialog through IM or a similar service and invite the individual to participate in some form of immediate collaboration.

With presence awareness a visible part of other applications, SOX team members have the opportunity to initiate collaboration from within a specific area, such as a document, spreadsheet, or portal page. In this way, RTC enables users to share their current context, reducing the time needed to bring other collaborators up to speed. RTC allows teams to literally make sure everyone is on the same page from the point of collaboration.

IM is the preferred method of communication for real-time collaborators because it's more immediate, more conversational than email, and doesn't depend on recipients having to monitor their inboxes. Web conferencing provides a way to structure and deliver text, video, and audio content over the Internet within a formalized meeting or conference structure. Usually, a team can record a Web conference and archive it for replay and reuse later by people who were unable to attend the original Webcast or in order to help recruit and train new members to the compliance team.
