
Publication: IT Online
Publication Date: 26 March 2007
The IT industry is known for its acronyms. It's almost reached a point where anyone not familiar with the terminology entering the industry for the first time needs to be accompanied by an interpreter. And now, there appears to be a new word buzzing around the boardrooms and IT departments of companies that depend on ICT for mission-critical business processes – SOX.
SOX is the abbreviation for the Sarbanes-Oxley Act, which instructs executive management of publicly held companies in the United States of America to evaluate and report on the effectiveness of their internal controls over financial reporting, and have independent auditors substantiate the effectiveness of these controls.
While the Act was promulgated in the US, it has significant global reach because it requires all subsidiaries of US firms operating outside of the US, companies doing business with US firms, or companies with any degree of US shareholding to employ the same controls.
Writing in the Sarbanes-Oxley Compliance Journal, Iron Mountain product manager Saul Marcus pointed out an additional element of SOX: while compliance fundamentally focuses on the integrity of financial statements, regulators now recognise the significance and broader scope of information systems and applications that materially affect financial status and reporting.
Here, Section 404 of the Act is of particular reference as it deals with the application software and information technology (IT) processes that sustain a company's day-to-day operations.
Marcus lists several applications that are attracting the regulators' interest:
- Supply chain applications that affect the delivery of products, and hence revenue recognition;
- Enterprise Resource Planning (ERP) systems that provide data for a balance sheet;
- Service delivery applications or shipping systems that feed revenue recognition;
- Contract management systems or sales force automation applications that impact strategic accounts and revenue.
“This shows that IT certainly needs to worry about SOX?” he writes. “Although compliance efforts involve the entire company, IT often becomes the backbone of any corporate compliance effort. These compliance requirements have confronted IT executives and managers with new challenges. The new regulations will require IT to coordinate closely with other business departments, namely Finance and Legal.
“Navigating the compliance issues around protecting strategic assets is not easy. Compliance is more than documentation; it also includes the control testing of systems, the tighter management of critical third party services, and the near real-time ability to report on all events that ‘materially affect' the business.
“However, there is an upshot of compliance mandates. As companies incorporate best practices to meet regulatory requirements, they are also creating the basis for a solid business continuity strategy.”
Marcus identifies software escrow as one of the smart business practices and key components of regulatory compliance.
“Escrow management is evolving to meet the challenges presented by compliance regulations. Technology escrow has long been an established best practice for vendor management and business continuity. Now, technology escrow can become a valuable component of a corporate compliance strategy as well,” he concludes.
In the US, Fidelity National Information Services is an example of how one company is helping its clients achieve compliance with the Sarbanes-Oxley Act by offering them a technology escrow service.
“FIS provides a host of services designed to help our clients manage their businesses,” says Lenny Smith, director of division operations for the company's Integrated Financial Solutions division. “One way we can do that is to help them navigate the ever-increasing challenges of regulatory compliance.”
In South Africa, leading legal firm Webber Wentzel Bowens has enhanced its specialist ICT capabilities to ensure it is able to assist clients to comply with SOX and other international and local corporate governance acts.
Also locally, Escrow Europe director Andrew Stekhoven is one of the most outspoken proponents of active software escrow and its role in minimising the risk of running ICT-dependent mission-critical business processes.
“The objectives of active software escrow are rooted in promoting ICT good governance, and take cognisance of the fact that suppliers and their licensed end-user can be proactive in complying with current protocols and quality standards such as King II, Basel II, ISO9001, South African National Standard ISO/IEC17799, COSO, COBIT, ITIL, SOX etc,” he says.
“For example, ISO 9001 (ISO 9001, Quality Systems - Model for Quality Assurance in Design/Development, Production, Installation and Servicing) covers product design and development; it is the standard applied to software and has emerged as the undisputed international benchmark for quality management.
“The South African National Standard ISO/IEC17799 (edition 1) ‘Information Technology – Code of Practice for Information Security Management' defines a comprehensive process of information security management that enables better information security management and specifically includes Business Continuity Management.
“And ISO 12207 describes five primary processes (with the subcategories of activities and tasks) – acquisition, supply, development, maintenance, and operation – required to produce large, complex software systems.”
According to Stekhoven, there are two other important considerations South African directors should not overlook. One is the fact that South African law currently does not provide for the protection of, and access to, software source code in the event of software supplier insolvency.
“The other is that the risk is specifically excluded from all Directors & Officers (D&O) and loss of profit/business interruption insurance policies. This means that, should the company lose significant business or be forced to close its doors because directors did not take reliable and reasonable precautions to protect its investment in ICT-dependent mission-critical applications, the directors will be held personally liable for that loss.
“The fact is, as companies continue to grapple with the compliance issues brought about by increased business regulations, protecting software assets should be an integral part of compliance strategies. Business managers should investigate the latest tools available through technology escrow to help protect the software that runs their business,” he says.