Thus far, Blue Rhino's experience with Sarbanes-Oxley has soured management on the legislation. The company has had to grudgingly accept that it will have to be a more deliberate organization for the foreseeable future. Echoing the words of many other companies facing the legislation, Mark Castaneda, Blue Rhino's chief financial officer, says, "We are being punished for the ills of dishonest companies."
But even with that in stark relief, Castaneda and CIO Travatello concede that the company has made some significant gains from its efforts to meet the demands of the legislation. For one thing, it has added urgency to an inchoate financial re-engineering initiative that the company had started in 2002, even before Sarbanes-Oxley was passed.
At the time, faced with a growing retail network that included more than 50 distributorships in 46 states, company management realized that it was drowning in inventory, in large part because distributors were sending receivables and payables data to headquarters piecemeal, at the end of each month. This system, a legacy of Blue Rhino's rapid growth, during which the company simply added one information process on top of another, without any attempt to link them, required accounting staffers to plug the data into spreadsheets manually and then integrate these spreadsheets into the centralized corporate network. It could take a week or more to close the books, a long time during which inventory levels in the field were not monitored with sufficient timeliness. "We needed to close those books much more quickly and improve at least two or three days on inventory, or we couldn't operate at the speed we wanted to," says Travatello.
The company purchased Metastorm's E-work BPM software and began to use it to manage inventory on hand at the distributors, automating the delivery of inventory information to headquarters and gaining the ability to transfer propane cylinders quickly among its distributors as demand dictated.
Then came Sarbanes-Oxley. "Sarbanes-Oxley got us going faster down the path we were already on," says Castaneda. "That got the organization in full gear."
If restructuring the inventory system was any guide (the project, which involved revamping data banks and retraining employees, took months), Castaneda and Travatello knew they had a lot of work on their hands to meet the requirements of Section 404. So by the middle of last year, they had earmarked $400,000 (half from the IT budget and half from the finance-department budget) and assigned 3 information-systems staffers (out of 12 in the entire group) to tackling compliance. Already comfortable with the E-work software, they decided to use it for the Sarbanes-Oxley initiative as well.
The first step was documenting the company's direct and indirect financial operations. To do that, staffers created a template that could be filled in to depict each process (the flow of data, the movement of money, the personnel activities) involved in accounting, ordering, inventory, supply-chain management and delivery. Within each of these templates, Travatello's team looked for holes: places where there weren't sufficient safeguards to ensure that information couldn't be changed without appropriate levels of permission, for instance, or where the data wasn't immediately available to management in a clear format that highlighted any aberrations or discrepancies. And the team tore apart each process to expose potential gaps that weren't immediately obvious.
Hidden deep in a tax application, for example, they found that a certain amount of information could be accessed by computers residing in the IT department. The team asked IT managers to provide evidence of the process control that ensures no one can modify the data at the IT department level; operations that didn't meet the high standards of Sarbanes-Oxley were segregated for further gap analysis. "Every rock we turned over, we found a couple of things that jumped out at us and made us wonder why we ever decided to do it so inefficiently," says Travatello. "Why didn't we know we were doing it the wrong way?"