Perspectives: Early Adopters

Even now, no one knows exactly how the Sarbanes-Oxley Act of 2002 will be enforced, or the precise criteria the SEC will use to justify and launch investigations. What we do know is that the speed with which the act became law surprised many executives, several of whom had to reset fiscal budgets, reshuffle projects and renegotiate service-level agreements in an effort to meet shifting compliance deadlines. With so much in flux, it seemed wise to talk to executives who got a jump on their own compliance efforts and learn from their experience. Some key lessons: how Sarbanes reveals who your best managers are; how modeling tools can play an enormous role in helping companies record, and in some cases optimize, their business processes; how e-learning saves time and money on education; and, most profoundly, how CIOs and IT directors are using Sarbanes to achieve not only compliance, but also alignment between IT and the business.


Oscar De Jongh

Managing Director, Corporate Program Management Office

E.W. Scripps Co.

CIO Insight: How much of a pain has Sarbanes been so far?

De Jongh: It has definitely been a disruption for us. Last September, everyone was putting together their budgets for 2004, and they all had a series of projects and things they wanted to accomplish. I wouldn’t say we were caught off guard, but clearly it was not taken into consideration as we were planning for 2004. We have had to divert a lot of resources.

What were your first steps?

We started off with an overarching list of critical systems, and that’s what we assessed, so we took everything from servers, file servers, desktop printers—we had a pretty extensive list of about 80 systems. We were recently told that the list is actually shorter, due to the fact that the external auditing firms don’t have the manpower to go out and actually audit everything. But you have to look at things from two directions—from inside the accounting department out, and from outside in. We are a distributed environment, and there are other systems in other locations that are used to generate forecasts and such. So you really have to get a handle on what systems you have, what’s out of compliance, and how significant those systems are for 404 compliance and so forth.

We have a self-assessment system that our business-information group is building for the entire enterprise. It tells us by division, by business unit, by system and by some other data points we collect whether we are in compliance. The first round of self-assessment was a series of Excel spreadsheets we developed that provided a standard data-gathering format so we could aggregate all the information from the business units, and get a good snapshot of where we stood before we started to remediate. Then we uploaded that data into a Web-based application so the business units didn’t have to re-key all their information. All they had to do was review it, make changes and certify the data. To indicate compliance, we use yes/no, as well as numerical scoring, so if a system is in compliance, it’s a 10. If we have a project that’s almost finished, or we have a disaster-recovery plan in draft form, but a significant amount of the work is completed, it’s an 8. It’s a zero if no work has been accomplished.

We look at every control that we are not compliant with, regardless of the platform or product it’s related to, and we average it out for all the systems. Then we look at them at an enterprise level and determine which ones have significant costs and level of effort to get them in place. The next piece is to prioritize and put together a rough order of magnitude cost related to each system. So, for example, if we have a system that’s worth $200,000, and it’s going to cost $500,000 to make it compliant, that’s notable. This allows us to make intelligent business decisions about technology.

Any unexpected benefits?

When we first started doing this, there were some people who kicked and screamed. It was really interesting to see, when the self-assessments were done, that those who screamed the loudest had the worst results. Those who didn’t scream had their departments pretty well under control.

So the self-assessments help you identify your best managers?

Absolutely. That is more evident now than it’s ever been.

CIO Insight Staff