It’s becoming increasingly clear that compliance efforts are consuming a significant portion of IT resources. The majority of CIOs expect 10 per cent or more of their 2006 IT budget to be dedicated to compliance, according to Gartner research.
Often that means IT projects without a compliance payoff get relegated to the back burner. “Twenty-seven per cent of CIOs are saying that they’re getting dedicated funding for compliance for 2006, 22 per cent say they don’t know where the money is going to come from, and the rest are getting the money by deferring other projects, that sort of thing,” says French Caldwell, a research vice-president at Gartner.
The good news is that as public companies accumulate compliance experience, the price tag for compliance is expected to decrease gradually.
“It is getting cheaper. We’re seeing an increase in IT budgets [dedicated to these projects], but that’s more than being offset by the decrease in what companies are going to be paying consultants and auditors,” Caldwell says.
Mark Guth, manager of IT networks at Nicor Gas in Naperville, Ill., estimates that compliance costs for the U.S. Sarbanes-Oxley Act (SOX) accounted for about two per cent of operational expenses in the IT department in 2005. That’s down from the year before, when the natural gas distribution company started its SOX efforts in earnest.
“What we discovered is that there’s a very high entry cost to comply,” Guth says. “Once we adopted procedures and made it part of our normal monthly and quarterly routines, we dropped the manpower requirements by almost 90 per cent.”
In 2004, Nicor’s IT department spent about 8,500 hours to set up, test and work through compliance issues. “In 2005 it took us only about 900 man-hours to execute all those tests, compile the results and be at the same level of compliance that we were in 2004. In fact, we were better off in 2005 from a compliance standpoint,” Guth says. (See sidebar Spring Cleaning)
Productivity takes a hit
For IT, the compliance burden isn’t just about diverting staff and funds to compliance-related projects. In some cases, compliance takes a serious toll on IT productivity.
Archer Daniels Midland Investor Services (ADMIS), a Chicago financial services company, is a subsidiary of the US$35 billion agricultural processor, ADM.
While parent company ADM coordinates all SOX compliance efforts for the entire business, ADMIS operates its own IT systems and is responsible for executing the compliance provisions required.
“In the past it’s been a huge advantage because we are a smaller shop and we could move faster and quicker and bring things into a production mode a lot quicker than a huge shop because we’re more flexible,” says Sam Helmich, vice-president of technology at ADMIS. “Well, we’ve lost that productivity.”
Because of the processes ADMIS had to put in place for SOX, Helmich’s 15-person staff spends a lot more time doing paperwork, waiting for approvals and handing off projects — to avoid creating a segregation-of-duties conflict — instead of seeing them through to completion.
“It’s a time drain,” Helmich says. “My team’s productivity has dropped 20 per cent.”
Segregation-of-duties issues also drove up spending on IT gear at ADMIS. Helmich has to provide separate systems for development and testing that aren’t tied to production systems. “I can’t have developers running on the same system. Even though they were segregated and couldn’t affect production data, I couldn’t have them even accessing the same system,” he says.
That meant spending about US$500,000 to upgrade the firm’s IBM AS/400 systems last year.
“I ended up buying a machine that’s three or four times more powerful than what I really would have needed so that I could create LPARs — virtual logical machines — so that there’s total segregation between development, testing and production environments,” Helmich says.
Helmich also had to buy more Intel servers for his development environments. Having more boxes and more complex gear to manage adds to the SOX tally. “It takes more systems management time to handle more systems and keep everything segregated,” he says. “It’s a trickle-down effect.”
One bright spot is that Helmich has found ways to satisfy some requirements using software he already had.
ADMIS has been using Team 2, a task-management application from software maker Alexsys, since 1998 to keep track of help desk tickets and work orders. Helmich found he can manipulate the software’s rules engine to create some of the process controls and audit trails he needs for compliance.
For example, ADMIS is using Team 2 to track requests for software development and programming projects. The software creates an electronic trail that starts with a work request and runs through the project design, testing, implementation and post-rollout phases. “We’re using it as a project management workflow tool,” Helmich says.
There are a few more processes Helmich plans to automate with the Team software. It’s just a matter of finding the time, he says.
Some companies have created new positions inside IT to deal with compliance challenges.
Security software maker McAfee hired Mark Homs to handle security and compliance issues related to the company’s SAP system. “I deal with the internal audit people, the Sarbanes-Oxley committee, CFO, CIO, end users and anyone in between,” says Homs, whose title is SAP security manager.
Before joining McAfee, Homs led SAP security at a Northrop Grumman division, worked as a consultant and did a brief stint with a vendor of compliance-related software. His expertise lies in the intricacies of SAP configuration and the design of sustainable security schemas for ERP systems — a key asset in today’s compliance world.
SAP applications are extremely flexible, and controls are complex. Choosing the best way to configure security settings isn’t intuitive, Homs says. “Some of the ways you can achieve the controls are maintainable, and some are not. That’s where a lot of companies have had problems.”
When Homs came on board at McAfee, he helped rewrite its SAP security framework and bought software from Approva to help manage and strengthen the company’s business controls. The vendor’s BizRights platform helps McAfee spot and remediate risky configuration settings, policy violations and role conflicts.
Without a tool such as Approva, getting to the root of an access issue takes a lot of work, Homs says. For example, if the accounting department wants to restrict access to a particular transaction, Approva makes it easy to find out who currently has that access.
“Approva can show me who has access to this transaction. But it won’t stop there. It will say ‘this is who has access to the transaction, this is how they get it, this is what authorization value it gives to them.’”
SAP doesn’t provide that kind of reporting natively. The information is there, but it isn’t easy to correlate, Homs says; Approva does the correlation automatically, which in his view justifies the investment in the software. Putting an exact number on the return is difficult, though. He estimates that by automating many functions with BizRights, McAfee avoids having to retain the equivalent of about one-half of a staff member.
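To show the correlation Homs describes (who can reach a transaction, through which role, with what authorization value) and the segregation-of-duties check that ADMIS and McAfee both had to satisfy, here is an added example in Python. It is not Approva's, SAP's or either company's code: the users, roles, transaction names and the rule are constructed, and only the activity values mimic SAP's ACTVT codes (01 create, 02 change, 03 display).

```python
from collections import defaultdict

# Constructed sample data (not from the article): users, the roles assigned
# to them, and the transactions each role grants together with the
# authorization value the role carries for that transaction.
USER_ROLES = {
    "alice": ["AP_CLERK", "VENDOR_MAINT"],
    "bob": ["AP_CLERK"],
    "carol": ["AUDIT_VIEW", "AP_CLERK"],   # display-only on vendor master
}
ROLE_GRANTS = {
    "AP_CLERK": {"PAY_RUN": "ACTVT=16"},   # 16 = execute
    "VENDOR_MAINT": {"VENDOR_CREATE": "ACTVT=01", "VENDOR_CHANGE": "ACTVT=02"},
    "AUDIT_VIEW": {"VENDOR_CREATE": "ACTVT=03"},   # 03 = display only
}
# Segregation-of-duties rule (constructed): nobody may both create vendors
# and execute the payment run.
SOD_RULES = [("VENDOR_CREATE", "PAY_RUN")]

def access_paths(tcode):
    """Return {user: [(role, auth_value), ...]} for everyone who can reach
    tcode: who has it, how they get it, and what value the role gives them."""
    paths = defaultdict(list)
    for user, roles in USER_ROLES.items():
        for role in roles:
            value = ROLE_GRANTS.get(role, {}).get(tcode)
            if value is not None:
                paths[user].append((role, value))
    return dict(paths)

def sod_conflicts(rules=SOD_RULES, change_only=True):
    """Flag users holding both sides of a rule. With change_only set,
    display-only access (ACTVT=03) is ignored, so an auditor who can merely
    view vendor records is not reported as a conflict."""
    hits = []
    for left, right in rules:
        l_paths, r_paths = access_paths(left), access_paths(right)
        for user in sorted(set(l_paths) & set(r_paths)):
            l_ok = [p for p in l_paths[user] if not change_only or p[1] != "ACTVT=03"]
            r_ok = [p for p in r_paths[user] if not change_only or p[1] != "ACTVT=03"]
            if l_ok and r_ok:
                hits.append((user, left, l_ok, right, r_ok))
    return hits

if __name__ == "__main__":
    for user, paths in access_paths("VENDOR_CREATE").items():
        print(user, "->", paths)
    for hit in sod_conflicts():
        print("SoD conflict:", hit)
```

Running it reports alice as the only conflict, because carol's path to VENDOR_CREATE is display-only; calling `sod_conflicts(change_only=False)` shows how a naive check would also flag her.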
Also see sidebar A logical answer