Enforcing internal processes and policies can be a headache. As long as I'm passing the SOX audits, do I really need to care about everyday operational compliance?
I have spent a great deal of time talking with very skilled and experienced auditors who work with IT people day in and day out. Many have expressed concern and disappointment that we've missed a good opportunity with SOX to make meaningful IT improvements. Instead of implementing controls to solve real IT problems, many organizations have simply papered over their problems or weaseled their way out of the "materiality threshold" by arguing that IT deficiencies could not jeopardize 5 percent of revenues.
These auditors will allude to the IT heroics required to pass the SOX audit. They shake their heads at the fact that they'll have to do it all again in a year because, in the absence of knowing what changed in the environment, they will have to re-certify the effectiveness of their controls. Repeating this incredibly laborious testing process is ineffective and a waste of resources.
Culture of change management eases compliance, eases costs
Just because you passed your SOX audit doesn't mean your peers in management, internal audit or security are happy with the situation. You may find tremendous opportunity to decrease costs by ensuring that controls are built into daily operations. I've learned that the key trait high performers have in common is a culture of change management, which means the attitude at the top of the organization is that there are no acceptable unauthorized changes.
These organizations have preventative controls in place -- change management policies the organization is following -- not just for SOX compliance but for operational excellence. Further, these organizations have automated detective controls that monitor infrastructure and enforce the IT policy that there will be no unauthorized change. By doing this, not only will you increase the operational effectiveness and efficiency of your IT group, but imagine the surprise on your auditor's face when you say, "Here are our IT processes and how I substantiate my assertions that there have been no unauthorized changes to these systems."
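As an added example (not code from the original column), here is one way such an automated detective control can substantiate a "no unauthorized changes" assertion: hash a set of monitored files, diff against the previous baseline, and reconcile every observed change against approved change tickets, each of which authorizes a path pattern during a time window. Anything that does not match an open ticket is an unauthorized change and becomes an audit exception. The file contents, paths, ticket number and timestamps below are constructed sample data; a real deployment would walk the filesystem and pull tickets from the change-management system.

```python
"""Detective change control: baseline hashing plus reconciliation against approved changes.

Added illustration, not the column's own tooling. All inputs are constructed sample data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PurePosixPath


@dataclass(frozen=True)
class ChangeRecord:
    """An approved change: a ticket that authorizes changes matching path_glob within [start, end]."""
    ticket: str
    path_glob: str       # PurePosixPath.match() pattern, e.g. "/etc/httpd/conf/*"
    start: datetime
    end: datetime


def hash_tree(files: dict[str, bytes]) -> dict[str, str]:
    """Build a baseline: path -> SHA-256 hex digest.

    `files` stands in for a real directory walk so the example runs offline.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_baselines(old: dict[str, str], new: dict[str, str]) -> dict[str, str]:
    """Return path -> 'added' | 'removed' | 'modified' for every observed change."""
    changes: dict[str, str] = {}
    for path in set(old) | set(new):
        if path not in old:
            changes[path] = "added"
        elif path not in new:
            changes[path] = "removed"
        elif old[path] != new[path]:
            changes[path] = "modified"
    return changes


def reconcile(changes: dict[str, str], scan_start: datetime, scan_end: datetime,
              approved: list[ChangeRecord]):
    """Split observed changes into authorized (matched to a ticket) and unauthorized.

    A ticket covers a change only if its window overlaps the interval between the previous
    baseline and this scan, and its path pattern matches the changed path.
    """
    authorized: dict[str, tuple[str, str]] = {}
    unauthorized: list[tuple[str, str]] = []
    for path, kind in sorted(changes.items()):
        ticket = next(
            (r for r in approved
             if r.start <= scan_end and r.end >= scan_start
             and PurePosixPath(path).match(r.path_glob)),
            None,
        )
        if ticket is not None:
            authorized[path] = (kind, ticket.ticket)
        else:
            unauthorized.append((path, kind))
    return authorized, unauthorized


def demo():
    """Run the control over constructed sample data and return (authorized, unauthorized)."""
    # Constructed baseline snapshot from the previous scan.
    previous = hash_tree({
        "/etc/httpd/conf/httpd.conf": b"Listen 80\n",
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "/usr/sbin/sshd": b"\x7fELF-sample-binary",
    })
    # Constructed current snapshot: one approved edit, one tampered file, one new file.
    current = hash_tree({
        "/etc/httpd/conf/httpd.conf": b"Listen 443\n",
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n",
        "/usr/sbin/sshd": b"\x7fELF-sample-binary",
        "/etc/cron.d/maint": b"* * * * * root /tmp/.x\n",
    })
    # Constructed approved-change list: only the web server config was authorized.
    approved = [ChangeRecord(
        ticket="CHG-1042",
        path_glob="/etc/httpd/conf/*",
        start=datetime(2024, 3, 10, 1, 0, tzinfo=timezone.utc),
        end=datetime(2024, 3, 10, 3, 0, tzinfo=timezone.utc),
    )]
    scan_start = datetime(2024, 3, 9, 23, 0, tzinfo=timezone.utc)   # previous baseline time
    scan_end = datetime(2024, 3, 10, 4, 0, tzinfo=timezone.utc)     # this scan time
    return reconcile(diff_baselines(previous, current), scan_start, scan_end, approved)


if __name__ == "__main__":
    auth, unauth = demo()
    for path, (kind, ticket) in auth.items():
        print(f"OK        {kind:<9} {path}  ({ticket})")
    for path, kind in unauth:
        print(f"EXCEPTION {kind:<9} {path}  no approved change record")
```

The output of the unauthorized list is the evidence an auditor wants: a dated record of each change that had no corresponding approval. Keeping the baseline snapshots and the ticket list alongside each scan result is what lets you answer "what changed since last year" instead of re-testing every control from scratch.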
Your auditor will quickly find other, higher-risk areas to kick the tires on, and you'll spend less time on activities such as liaising with auditors and fulfilling urgent document requests. Instead, you can focus on high-value work that the business really cares about. How great would that be?