In Tuesday's Sarbanes-Oxley Compliance Journal, Syrinx Consulting CEO Andrew Gelina outlines several do's and don'ts for CIOs who are implementing a Sarbanes-Oxley compliance program in their companies. Though most of this is likely a review for many readers, the list zeroes in on one important fact that is often forgotten:
[A]ny compliance effort requires the cooperation of people, and people are imperfect.
To that end, the "Do" list includes such advice as:
- Start with good IT governance, then move to financial controls. Always let the IT and financial managers involved know ahead of time that a Sarbanes-Oxley compliant protocol is in the works and that it will help, rather than harm, department efficiencies.
- Make it an enterprise-wide effort to define the compliance program's goals and the processes necessary to meet those goals. That way, the people involved are more likely to take ownership of the program's success.
- Keep it simple.
- Use technology to increase data visibility and improve process efficiency.
- Make sure processes, technology-driven or otherwise, are auditable.
And on the "Don't" list:
- Hurry. Analyze your IT and financial controls and define your compliance goals before you think about purchasing technology.
- Deploy a huge new system across the entire organization all at once. Such "bomb dropping," as Gelina calls it, will ...
- Shove a square peg into a round hole. Find the technology that will do the job that needs to be done.
- Confuse compliance with disaster recovery.