Regulatory Compliance Question

During my career, I have been on three sides of the SOX issue:

  1. At Ernst & Young I was worried about how to audit for SOX compliance
  2. At my previous employer I was an application owner that had to fill out the SOX compliance questionnaires and ensure my application had appropriate controls in order to comply with the regulations (and pass the audit!)
  3. Now I work for a technology company that is in a position to offer solutions that can help make it easier for companies to comply with SOX and other regulations

This leads me to a question: For those of you out there that are dealing with SOX, GLBA, etc., what would make your task easier?  My group is looking at what Microsoft could do to make the task of compliance less burdensome, and would really like your input.  By the way, answering “Provide an extra headcount to fill out questionnaires” is not something Microsoft can do! 😉

You can respond by either sending me a note using the “Contact” link or post a comment to this post.  Thanks for your input!

Comments (5)

  1. Sean says:

    Hi Bill,

    This is slightly unrelated, but I wondered if you happened to catch the Charlie Rose interview with HBS professor William Sahlman? I was pretty drowsy by the time the show came on (12am), but they got off on a side discussion about SOX that was really insightful. Worth watching if you can find a recording.

    The specific points (I can remember) Sahlman made were:

    1. SOX is a mistake brought on by a reaction to regulate company processes in response to accounting scandals and misses the point by not focusing on the causes that incented the misconduct in the first place.

    2. In a cynical view, SOX has enriched the very firms who were complicit in the accounting scandals SOX is supposed to address.

    3. The goal of completely meeting SOX compliance requirements is impossible and there is a "rush to the bottom" as companies push the minimum they can get away with. With compliance being as subjective as it is now, it’s not clear what incentives there are to do more than the bare minimum.

    4. Lastly, SOX is going to force a lot of companies to reconsider being public given the overhead of meeting compliance requirements. SOX is expensive, hence all the excitement in the consulting world — yea! our next Y2K?

    I’m sorry to hijack your post, but I thought his points were relevant and applicable to thinking about the SOX solution.

    Are you going to post the responses you’ve received so far?

    Happy New Year!

  2. Mr P says:

    The healthcare company I’m working for are doing as little as possible to implement HIPAA; they probably spend more on the legal dept to make sure that they can’t be touched for that, rather than spend the money to implement the system right in the first place.

  3. Adam Field (Content Master Ltd) says:

    When I worked at a FTSE 500 mortgage company a few years back, we were pushing the implementation of BS7799.

    Any IT projects that even remotely touched on compliance related bits were pushed through under the 7799 banner without argument – including ones that had previously been rejected by management as unnecessary.

  4. Gary Hinson (NoticeBored) says:

    Overall positive.

    There has been a significant increase in demand for IT auditors as a result of the compliance issue, both from the Big 6 -> 5 -> 4 and from their clients.

    Cynics have been saying for years that nothing much would change on infosec unless organizations were forced by law to do something. Seems they were correct.