Oscar De Jongh
Managing Director, Corporate Program Management Office
E.W. Scripps Co.
CIO Insight: How much of a pain has Sarbanes been so far?
De Jongh: It has definitely been a disruption for us. Last September, everyone was putting together their budgets for 2004, and they all had a series of projects and things they wanted to accomplish. I wouldn't say we were caught off guard, but clearly it was not taken into consideration as we were planning for 2004. We have had to divert a lot of resources.
What were your first steps?
We started off with an overarching list of critical systems, and that's what we assessed, so we took everything from servers, file servers, desktop printers; we had a pretty extensive list of about 80 systems. We were recently told that the list is actually shorter, due to the fact that the external auditing firms don't have the manpower to go out and actually audit everything. But you have to look at things from two directions: from inside the accounting department out, and from outside in. We are a distributed environment, and there are other systems in other locations that are used to generate forecasts and such. So you really have to get a handle on what systems you have, what's out of compliance, and how significant those systems are for 404 compliance and so forth.
We have a self-assessment system that our business-information group is building for the entire enterprise. It tells us by division, by business unit, by system and by some other data points we collect whether we are in compliance. The first round of self-assessment was a series of Excel spreadsheets we developed that provided a standard data-gathering format so we could aggregate all the information from the business units, and get a good snapshot of where we stood before we started to remediate. Then we uploaded that data into a Web-based application so the business units didn't have to re-key all their information. All they had to do was review it, make changes and certify the data. To indicate compliance, we use yes/no, as well as numerical scoring, so if a system is in compliance, it's a 10. If we have a project that's almost finished, or we have a disaster-recovery plan in draft form, but a significant amount of the work is completed, it's an 8. It's a zero if no work has been accomplished.
We look at every control that we are not compliant with, regardless of the platform or product it's related to, and we average it out for all the systems. Then we look at them at an enterprise level and determine which ones have significant costs and level of effort to get them in place. The next piece is to prioritize and put together a rough order of magnitude cost related to each system. So, for example, if we have a system that's worth $200,000, and it's going to cost $500,000 to make it compliant, that's notable. This allows us to make intelligent business decisions about technology.
Any unexpected benefits?
When we first started doing this, there were some people who kicked and screamed. It was really interesting to see, when the self-assessments were done, that those who screamed the loudest had the worst results. Those who didn't scream had their departments pretty well under control.
So the self-assessments help you identify your best managers?
Absolutely. That is more evident now than it's ever been.