Sarbanes Oxley Compliance

Solution Search:
The 2004 Oversight Systems Financial Executive Report on Sarbanes-Oxley by Oversight Systems
attitudes toward Sarbanes-Oxley compliance. "Powerful Validation" of Sarbanes-Oxley: 79% of Financial Execs Report Stronger Internal Controls.

Despite the...
Ensuring Enterprise-Wide Compliance by Infor
white papers of the series, "The Sarbanes Oxley Act" (SOA) and "Internal Regulations", additional critical elements of successful compliance initiatives are...
The Hidden Costs of Compliance: Employee Morale by Oversight Systems
While the costs of Sarbanes-Oxley compliance continue to add up, executives must recognize the hidden costs. This paper discusses how SOX's ongoing requirements...
Turn SOX Compliance into Cash: Link Sarbanes-Oxley Requirements to Business Improvement by Oversight Systems
Successful quality and compliance is a continuous improvement process that demands a closed-loop control structure. Oversight Systems provides...
How Automated Solutions Can Help with Efforts Toward Sarbanes-Oxley Compliance by Varonis
provides a brief overview of the Sarbanes-Oxley Act, (Sections 302 and 404), the impact of SOX on IT Departments, and the Varonis Data Governance solution...
OnDemand Professional by OnDemand Software
initiatives, such as HIPAA and Sarbanes Oxley. Deliver reports to manage, measure, and administrate all learner activities and training processes. As a web-based...
Real-Time Transaction Inspection by Oversight Systems
fraud examiners to reduce ongoing Sarbanes-Oxley compliance costs and provide quality assurance for financial operations. Oversight Systems automates the analysis and testing...
UC4 Software: Helping IT Achieve Sarbanes-Oxley Compliance by UC4 Software, Inc
can be used to help meet Sarbanes-Oxley compliance based on the COBIT Control Objectives, a widely adopted set of control objectives. The Sarbanes-Oxley Act of 2002...
Numara® FootPrints Change Management: Solutions for Automating and Managing Change by Numara Software
of creating audit trails for Sarbanes-Oxley compliance with respect to IT changes. Change Management is a process developed to ensure that standardized methods and...
Selecting a Security Plan That Meets Industry Regulations by Bsafe Information Systems
a plan to achieve compliance with Sarbanes-Oxley, PCI, the Canadian Bill 198, HIPAA, Basel II, and other regulations, you need an approach that can provide powerful...
Podcast - Change Management for the IBM i by Remain Software
development process can help with Sarbanes-Oxley compliance and how SCM can help you avoid scope creep. Not sure if software configuration management is necessary on the AS/400? John...
E-Guide: Test your Compliance know-how by SearchCompliance.com
how much will complying with the Sarbanes-Oxley Act cost your company? Do you need to hire someone to conduct a Payment Card Industry Data Security Standard (PCI DSS...
Achieving Template-based Policy Compliance by Bsafe Information Systems
guidelines are up-to-par with PCI and Sarbanes-Oxley regulations. Learn how to create templates you can utilize over and over again on local systems, remote systems, and...
Compliant Records Management: The New Corporate Imperative by Iron Mountain Digital
complying with regulations such as Sarbanes-Oxley are estimated to continue to increase at an alarming pace. World-class organizations of all sizes will focus...
Oracle Database Vault by Oracle Corporation
for addressing regulatory compliance and concerns over the insider threat. Oracle Database Vault is the industry's leading database security solution...
Business Process Management and Workflow Solutions by Captaris, Inc.
Solution Accelerator to manage Sarbanes-Oxley Act compliance and also position organizations to turn compliance "pain" into performance "gain...
Expensewatch.com: T&E Expense Reports, A/P Invoice Management & Purchasing by ExpenseWatch.com
Companies may be faced with Sarbanes-Oxley and other regulatory compliance issues. With expensewatch.com, you can control operating expenses and acquire real...
Using Today's Imaging Technology to Improve Business Process by EMC Corporation
Sarbanes-Oxley was a driving force behind a rapid increase in Imaging and Workflow Automation (IWA) technologies. This report has an IWA...
A Primer on Software Configuration Management (SCM) for IBM i by Remain Software
in finished applications. Sarbanes-Oxley and other legislative mandates require auditing documentation for how software processes work, which SCM can...
Oracle Audit Vault Trust-but-Verify by Oracle Corporation
audit solution that helps simplify compliance reporting, detect threats with early alerting, lower the cost of compliance, and secure audit data. Oracle Audit...
Developing and Maintaining Cost Effective Solutions and Strategies for Industry Regulated Compliance by Exact Software
a collection of industry regulated compliance certifications, each specific to defined industries. There are basically two groups of certification...
The Automation of IT Compliance Program: Reducing Risk, Cost and Complexity of Corporate Compliance by Juniper Networks, Inc.
This webcast covers three topics: compliance basics, global trends, and automation. Industry experts will also examine global IT security and compliance trends...
Marketing Finance System (MFS): Automate Core Marketing Operations Processes by Aprimo, Inc.
Additionally, Sarbanes-Oxley stipulations require marketing to document its spend and the processes involved in executing on those plans...
Related Interviews
By Linda Tucci, Senior News Writer
Where did the idea of compliance officers come from?

The industry that developed compliance officers first was the defense industry. Back in the mid-1980s, a whole bunch of defense contractors got into trouble. There was fraud, waste and abuse in the news, and President Reagan, in order to stem the tide, asked Deputy Secretary of Defense David Packard to form a commission. The Packard Commission recommended that clean up its own house.
I remember those overpriced toilet seats.

A funny aside, we had a vice president at United Technologies Corp., who was the first director of the office of federal procurement policy, but then went to work for us. He was asked to testify because of his prior position. They asked him what he thought about the $8,000 toilet seat, and his comment was, 'I don't want to take a position on that.' That's the only comment that made it into the news.

A whole bunch of CEOs got together after that and they developed what they called DII, the Defense Industry Initiatives, to write codes of ethics and develop programs. The outgrowth of that was having compliance officers to be responsible for developing those programs.
What's your view on the expense of compliance?

I would like to split out SOX [Sarbanes-Oxley Act] from general compliance. Prior to SOX, compliance programs consisted of things that were more than financial issues. Now along comes SOX, and what SOX says is your financials need to be documented. How you handle your books and records needs to be documented. Some people might have said, 'Gee, weren't they documented before?' To a large extent they were, but over time some of those procedures changed, and the documentation wasn't changed. What became expensive was the interpretation of SOX, the testing, the requirement of having another set of auditors besides your independent auditors. So everybody is trying to do this thing completely right, and because this is a first-time effort, even companies that might have thought they were compliant prior to SOX, they are spending the money to make sure they are compliant.
There's a code of ethics that is kind of built into the military, where you worked previously, but there doesn't seem to be anything quite like that in the business world.

You're absolutely right.
The former CEO and other senior executives have been indicted on fraud charges. [CEO Sanjay Kumar and CA's former head of worldwide sales, Stephen Richards, have pleaded not guilty. Others have pleaded guilty to charges of securities fraud or obstruction of justice.] Do you think punishment is the only way to prevent misdeeds in business?

Wow. There are two answers. I don't know what else you can do with respect to misdeeds other than to punish. But I do know that if boards of directors and shareholders are not savvy to the fact that if there are individuals who have done the wrong thing, and the boards and shareholders haven't done the proper background checks in hiring those people later on, that is a huge mistake on the part of corporations -- to allow someone who has been punished for misdeeds, and then putting them back in the driver's seat should be a real negative in the business world.
Do you have to spend a lot of time reining in the tendency in people to win? Business is extremely competitive, and the desire to win at any cost, I think is pretty strong among very successful people.

No question about that. The desire to win is an important ingredient in business, and you really don't want to impede that desire to win. What you want to make sure is that everybody understands that the desire has to be measured with doing it the right way. I have to tell you that one of the things I talk to ethics officers about all the time is that you can sit there constantly and say no, no, no, you can't do this and you can't do that, and that may be one way to do your job. A better way to go about your job is to work with business and say, what is it that you're trying to accomplish and let's find the right way to do it.
Your job is not really to be a preacher, I guess.

If I end up being a preacher, I'm dead. People don't want to be lectured to. Most people feel they have good values to begin with. What they need is some guidance in solutions that are good, positive and workable and still help them meet their goals. I use an example with sales all the time. I say, if you come to me and say, 'I want to bribe, is that OK?' the answer is no, it's not OK. But that's really not the question you wanted to ask me. You want to tell me what your problem is and we want to find a solution.
Can you give me an example of a gray area where you have to come in and mediate?

Sure. You're out negotiating sales maybe in a foreign location. Someone comes to you -- a potential customer -- and says, 'I would really like to come visit your facility to see how your operation works.' This may not be a Computer Associates problem because we don't do a lot of manufacturing, but a lot of companies do. So, the answer is, of course, but the potential customer wants you to pay for it and the question is, 'Can we do that?' The answer in most instances is absolutely. But the gray area comes in when you ask how much entertaining you can do while you are there -- and are there any stop-offs, like to Orlando or to Las Vegas? Is there walking around money? Taking them out to dinner while they are there is certainly acceptable. Where you start to get uncomfortable is going beyond that and taking side trips, shopping trips.
We talked a little bit about SOX. Is SOX a good thing?

Absolutely. I actually wrote a paper saying be happy for Sarbanes-Oxley. There are some unintended consequences of Sarbanes-Oxley that make my life and everybody else's difficult, and one of them is the huge cost associated with it. But how do you argue a provision in the law that says you must document your controls? How can you argue against a provision that says you need to have a mechanism where your employees can bring accounting irregularities up through the system and the board and the audit committee can act on it? I think most people will tell you that the law itself is a very proper one.
Is there anything that CIOs should know about chief compliance officers?

The message I would want chief information officers to be aware of is that compliance officers and chief information officers should be working hand in glove. Some of the best controls that I am aware of are controls that are developed between the compliance organization and the chief information officer's organization. The more we can automate controls, the more we can take the human element out of it, the more reliance our employees and shareholders can have on the system. The chief compliance officer and the chief information officer should be married at the hip.
Patrick Gnazzo was appointed senior vice president of business practices and chief compliance officer (CCO) at Computer Associates International Inc. in January. A former chief trial lawyer for the U.S. Department of the Navy and a United Technologies Corp. CCO for 10 years, Gnazzo came to CA as part of a deal with the federal government in which the company agreed to pay $225 million in restitution to shareholders and improve its compliance and ethics practices. Gnazzo has until Dec. 31 to get a program up and running. A frequent lecturer on ethics and compliance, he spoke with SearchCIO.com about what compliance officers do and why.
By Karen Guglielmo, Site Editor
Who do you report to?

The COO [chief operating officer]. We don't have a dedicated CIO role right now; our CTO is largely performing that function. However, my boss is a former CIO. The CTO and I report to the COO.
What percentage of your job is spent working on compliance regulations?

In 2004, I spent approximately 40% of my time on compliance. Things really fired up in 2004. When I came on board, compliance activities had been building for at least the last 12 months. I was originally hired NOT to do compliance directly. I was to handle the security aspects of compliance only. Then last fall, my boss asked for me to become corporate compliance officer, in addition to my role as CSO. So now I'm involved with other compliance issues. There was no single, executive-level focal point before I took it over. Prior to that, each business unit would identify their issues and address compliance at their own levels.
Do you have any other staff dedicated to compliance?

I have one full-time coordinator and two part-time coordinators working on compliance. We also involve the appropriate business people. The full-time coordinator is a temporary position, ending later this year (2005). Then we'll be relying upon the part-time positions to provide program coordination and help the individual contributors when they have problems. The full-time temporary person was needed initially to get the program on its feet.
What compliance regulations have you had to comply with in the past year? Which were the most challenging?

In 2004, our emphasis was on two areas. First with Visa. Visa has a cardholder information security program. We had to demonstrate compliance with that. Most people might not consider Visa compliance as a big deal compared with SOX [Sarbanes-Oxley] or GLBA [Gramm-Leach-Bliley Act] -- but it was important to our organization. There were real consequences if we didn't meet their test -- they could revoke our right to process Visa transactions. Visa has to approve anyone that wants to process transactions. This security program is a big strategic initiative for them. It also includes a lot of risk for us -- considering we could lose a huge revenue stream.

The other big regulation challenge in 2004 was getting our SAS 70 Type 2 compliance report. We needed to get this report for our customers -- all financial institutions. SAS 70 is a third-party attestation, a common instrument used when two parties work closely together and they want to make sure the other is doing what they're contractually obligated to do. When a bank outsources work to a vendor, examining the SAS 70 report is typically part of the financial institution's risk management program. The banks will look for certain controls in the vendor's organization.

It's an annual event for us; 2004 was our first one. Industry-wide, the increased emphasis on SAS 70, which has been around for quite some time now, has developed as a direct result of increased regulatory pressure on financial institutions. Financial institutions need to demonstrate good risk management practices when they are working with particular vendors or service providers. It's a reality for any financial institution because almost all of them outsource some aspect of their IT or tech operations, thus placing customer data at risk.
You're not a publicly traded company, so you didn't have to meet the SOX deadline. But do you have to meet any of the guidelines indirectly since you work with mostly publicly traded companies?

We have decided to adopt various aspects of the SOX requirements. We think it's just a matter of good business practice. We're currently analyzing now which practices we should adopt and how and when to do it. Most business leaders would probably tell you that if you're a company today that's not subject to SOX or other major regulations, it's just a matter of time before you will be. Eventually, I believe the government will extend these requirements to nonpublic institutions.
All of your customers are financial institutions. Is there even more pressure from them for you to be 100% compliant at all times?

Yes. Since we only serve financial institutions, we are getting increased pressure. I believe there are two specific reasons. First, the auditors themselves are getting more sophisticated on how they evaluate financial institutions. Secondly, the regulations are getting much more strict. As most people know, it's a common practice among financial institutions to outsource some or all of their IT to TSPs [technology service providers]. The regulators have guidelines that tell financial institutions how they should manage TSPs. One specific requirement is that financial institutions cannot outsource risk management.

Banks in the past have tended to implicitly outsource risk management along with the systems. Regulators are now demanding that financial institutions prove they are actively conducting risk management on any technology outsourcing contracts. One thing we try to do is recognize what the burden is on the customer. From the auditors -- we try to deliver our services in a way that they meet that burden of proof. We see a lot of the compliance work we do on behalf of our customers as a way to differentiate ourselves in the market.
Do you send any work offshore? If so, is compliance an issue when working with an offshore customer or partner?

We don't send work offshore. We have customers who do that, though. We try to work with our customers on how to manage their risk with offshore partners. For example, we perform a certain amount of systems monitoring and forward anything we find to our customers. I'll give you a specific problem for which there is no easy answer: We bond all of our staff, which requires a certain amount of background checking, which is fairly straightforward in the U.S. When a customer of ours is doing business with an offshore partner, our customer typically will want to perform similar background checks. However, it's not always clear how to do that with people overseas. It's usually an issue of how do you find a level of scrutiny that's equivalent to a check you've done with a U.S. worker. But, how does that work in India or wherever your offshore partner happens to be? What's considered to be equivalent?
Have you been audited for any compliance regulations? If so, did they uncover any issues?

Yes, we largely have had customers auditing us. In 2004, we had no less than 10 external audits. We also had six internal audits.

Issues have come up, but nothing I consider to be serious. One example is we had some faulty maintenance performed on an exterior door to our building. When the auditor was checking our physical perimeter, they found the door didn't close completely all the time. Even though that door provided no direct access to a protected area, the incident was noted in the report and we did a follow-up with the maintenance group to explain how important this issue was.

Some of our time and effort working with external auditors is spent working with auditors to help them interpret the regulations for our specific context. These regulations are very complex themselves. Issues brought up by the auditors are often matters of interpretation. We sometimes have to point out to the auditors that there isn't an issue and why -- typically because we have a different control or other compensating controls. But in the end, if the auditor is insistent, we will usually accept the issue and make the necessary changes for the customers. However, there have never been any real show stoppers.
Does the business side fully support any efforts and spending for compliance? Do they realize the value and importance of these initiatives?

Yes, for us it's very obvious. There's a clear connection between compliance and business success. We have no problems with having the business recognize the value of compliance. However, because there is so much compliance that needs to be done, the business often has a difficult time prioritizing what needs to get done.
I read that you have an off-site business continuity and disaster recovery site in Colorado. I assume DR/BC [Disaster Recovery/Business Continuance] plans are essential to the success of compliance regulations. Is that correct? Did you have this site set up before many of the regulations and auditors started coming out?

There are several compliance initiatives that officially told us we had to have this; VISA CISP, for example. Even so, the reason we have DR/BC is that the business recognizes that the money spent today to ensure business continuity will pay off. You're talking about companies [our customers] that if they're not able to process transactions, the revenue loss for them could be astounding, much more than they are paying for the DR/BC plans. Therefore, the first priority is how to prevent loss of revenue. I think compliance issues are also addressed in there, but ensuring continuous revenue is our No. 1 goal here.
Do new customers ask about your compliance plans or situation? Is it as important to them?

We make sure our compliance goals are included in our initial marketing pitches -- we state we're very in tune with their compliance needs. In some cases we're more aware of their compliance regulations than they are. On their side, there's an initial line of questions about whether we're compliant -- basically to make sure we're credible. Most of the customer's effort then moves to making sure we can deliver on their technological goals and that we come in at a good price point. Once they know we're viable -- they'll do more due diligence on us. My point is that they're interested in our compliance efforts, but it's not their No. 1 priority. They want to make sure we can deliver the service first.
Kip Boyle was hired as chief security officer of Pemco Corp. in October 2003. Compliance was not originally part of the job. But as compliance activities grew and became more important at his organization, Boyle was asked to take on the role of corporate compliance officer -- in addition to his current role -- and oversee the company's compliance efforts. In this exclusive interview with SearchCIO.com, he discusses his most challenging compliance issues and how to deal with both internal and external audits.

By Karen Guglielmo, Site Editor
What are the top three priorities for 2005?

The first one would definitely be to completely understand business needs and how IT can support them and provide leadership. We're here to figure out how to make the business work better. The second trend would involve some level of compliance. And the third one would be to stabilize the mess we created ourselves in our Web infrastructures and to sort out and run things more efficiently and effectively.
You talk a lot about the importance of IT people understanding the business. Were you hired for your business experience?

Yes, I was hired for that. George [George Colony, Forrester's CEO] has even told me that. He wants someone with business savvy. I was a management consultant for 15 years before I got into IT.

And I know technology better than most CIOs. My focus is always on driving and moving the business forward.

I also work very closely with all the other executives at Forrester. We meet on a regular and even ad hoc basis. I've only been here two and a half months, and I feel the only way to learn the business is to roll up my sleeves and dive right in to it. I've even gone on some sales and client calls. There's no better way than walking in their [the business unit executives] shoes to feel their pain and completely understand the business.
You've also been charged with handling Sarbanes-Oxley compliance for the IT organization. Is this an IT or business initiative?

Compliance is definitely a major business initiative at Forrester. We are a relatively small public company. Compliance isn't anything new; the new part is that it's now legislated. Compliance requirements have been in place in large companies for years. At smaller companies, we just didn't have formal processes documented like larger companies.

So now we're just taking the time to document processes and cross our t's and dot our i's.
You were quoted as saying you'd like to "help ensure that the company's IT strategy more closely mirrors advice the company gives externally to clients." Can you elaborate on this?

In my new position, I wear a few hats. George [Colony] asked me to look at our research and make sure it's relevant to our target audience. I used to belong to that audience [Fortune 500 CIOs]. So I faithfully read all the research we write and try to give it a QA check.

In cases where it applies to a company of our size, I try to leverage the knowledge we offer others and apply it to our own internal projects and processes.
When you were CIO at Callisma, you said your biggest success at the time was "building high-performance IT management teams that are passionate to build great systems." Is this still one of your top priorities?

Definitely. Unfortunately, I can't do much of this alone. I need people who are passionate about their work. I've inherited a fairly good team here.

But we're also looking outside to bring in a few people, to replace some turnover. We currently have a staff of 28 people in IT and I plan to hire approximately six more people in the near future -- in our operations, help desk, applications development and Web site development groups. The rest of my staffing needs will be augmented by external resources, as necessary.
Colony has said that today's Internet is "dumb, boring and isolated." Have you been directed to set up systems for a better, more interactive Internet?

I'm actively pursuing it [the X Internet]. A lot has to do with organic IT and organic business. Many other companies have the same vision, but just call it something else [instead of X Internet]. Basically, it's all about making technology more flexible and responsive to the business; costing less money and creating shorter cycle times to achieve the needs of the business.

This is definitely a journey -- not a one-time event. One way to get us to that vision is to re-architect a solution. Much of the future Web will be driven by the extended Internet -- a connection of the physical world with the Web world.

You'll see a lot of use of Wi-Fi to connect everything and everyone. Our business isn't the same as a consumer goods service -- where they just want to track things to see if they're selling. We want to look at how our research is used after it leaves our Web site. We're looking to implement underlying technology for the X Internet. With that in mind, we plan to make our Web site as interesting, active and useful as possible.
Forrester said IT budgets have finally loosened up this year. Did that happen in your group? If so, how will you spend it?

Our budget did increase. We're spending the additional money this year to increase staffing and to complete a few large projects. We have five major initiatives for the remainder of this year.

Throughout each of these, we will extensively leverage Forrester's own research and advice that we provide to our clients, and apply it to our own internal systems and processes.

We are building a complete data warehouse/BI [business intelligence] reporting solution. On the heels of a recently completed major upgrade to our Siebel CRM system, we are implementing continuous customer management processes, in which we will use data cleansing tools to improve the quality of our data in Siebel -- and revise access controls, change processes and re-architect interfaces to keep the data clean.

We will redesign our entire outbound e-mail marketing process with our customers, consolidate four existing systems into one, and more tightly integrate that with Siebel.

Following a recently completed project to improve search and browse, we are investing to further improve our external customer facing Web site. Lastly, we have a number of infrastructure and internal IT projects in the works, including new e-mail systems, network and server infrastructure refreshes.
Tell me more about your BI/reporting solution.

Our data warehouse will include data from our Siebel CRM, PeopleSoft Finance and HR, and customer-facing Web site. We plan to deliver, on an incremental basis, a complete set of Web-delivered self-service reports to serve all of our operating and corporate groups.

Based on recommendations from our own Forrester analysts, we are also creating an active dashboard that presents data that are leading indicators of major business drivers.

For example, we will be looking at the frequency with which our research is downloaded or read on our Web site, which we have found to be a leading indicator of customer renewal rates. Active dashboards, those based on leading indicators, will allow us to take preventative actions, rather than just letting us look in the rear view mirror at what transpired last month.
George Orlov took over the role of CIO/CTO at Forrester Research in late December. He is in the unusual position of having to guarantee that the company's IT strategy reflects the advice and research the firm provides to its clients. In an interview with SearchCIO, Orlov discussed his 2005 priorities and his plans to stay connected with the business side of the house.

RELATED TIPS
of loan requests each month, and a compliance rule states that the company must respond to each request within 30 days. To meet that requirement, the group was looking...
data privacy regulations like the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.

Talking aside, when it comes to actually...