
Welcome to Compliance Engineering


Sarbanes Oxley Compliance Requirements

The Sarbanes-Oxley Act has been in force for some time now. Companies have acknowledged that it is not a one-off event, but is more in the nature of a process improvement activity enforceable by government regulations. A comparable process for IT companies is the Software Engineering Institute’s Capability Maturity Model, which governs organizational processes in IT companies. The Act has already had a major impact on the financial, management and IT functions within public companies. It is, therefore, imperative that companies are fully aware of compliance requirements and institute implementation systems in their processes.

Implementation: Company management has to be fully aware of the ramifications of the Act, since compliance failure could lead to no end of trouble for company executives. A major issue for companies has been that SOX, as the Act is frequently referred to, is ambiguous. The reality is that SOX is here to stay, and it would be in the interest of companies to have policies in place for mission-critical systems. Some aspects to be monitored are:

• The responsibilities and roles for compliance initiatives should be clearly defined, and there should be no ambiguity in this aspect.

• It pays to take a proactive approach rather than wait for a backup log from the company's systems to indicate trouble. A continuous review of records and historical data will give a faster indication of trouble. Business processes should be automated on a continuous basis. Data administration issues like capacity management, storage requirements and retrievability assume significance.

• Have a foolproof e-mail policy in place. It will help in the long term if all e-mails are saved. Good e-security policies are also essential. User access and intrusion detection infrastructure should be functional.

• Have a constant dialogue with the company’s auditors and institute the concept of continuous auditing. Accurate and reliable information about the company should always be accessible. There may be a need to review financially linked processes to ensure that adequate controls are in place.

• Contract terms with suppliers and vendors may have to be reviewed in the light of SOX requirements.

• Employees have to be educated, and awareness created, regarding compliance and control issues, security standards and objectives. Employee training assumes greater significance in this environment.

• All systems and processes relating to compliance issues should be tested periodically to ensure their efficacy and reliability.

The basic premise of Sarbanes-Oxley is sound. Organizations should use the opportunity provided by the Act as a stimulant to review their operational and internal controls. The managerial processes have to be updated on a continuous basis. Besides meeting compliance requirements mandated by the Act, companies will be able to improve their operational efficiency in the long term.

Alexander Gordon is a writer for http://www.smallbusinessconsulting.com - The Small Business Consulting Community.