Web Extra: Rich Mogull on Social Re-engineering

By Gary Bolles  |  Posted 08-08-2003

Viewpoint: Rich Mogull

Rich Mogull is research director for the information security and risk practice at Gartner Inc. A former paramedic and firefighter, Mogull has extensive experience in risk analysis and scenario planning. We asked him to highlight some of the major areas of focus on the Sarbanes-Oxley Act for CIOs today.

What advice do you give to CIOs today? I've been telling them to pay attention and be a bit proactive, because you're going to see what's going on once your auditors start seeing how you do things. Depending on how you're doing things today, you might have a lot of changes or a few changes to make. If you don't have any internal process controls on your IT systems, you're going to have a lot of changes to make. Sarbanes-Oxley is all about internal process controls.

What do you tell CIOs they should do to prepare? What the CEO and the CFO are signing off on is that they're confident that their financial reports are accurate. So CIOs, if you interpret down, are going to be signing off that they believe the systems being used to generate financial reports are accurate.

What do you think about the new crop of applications focused specifically on compliance for Sarbanes-Oxley? If anybody comes in and says they have the Sarbanes-Oxley magic bullet, don't let them in the door. There's no Sarbanes-Oxley magic bullet, and you need to spend your money with your auditors before you even look at your IT systems. The risk management products can be very helpful in helping you look at your overall risk for your enterprise, and can potentially help you do material disclosures. But if you look at the way the legislation is written, you've got to deal with all of these other internal process issues first. And you're paying your auditors to do that, not buying a software tool to do it. Your auditors might be using a software tool [themselves], but if your auditors come in and say, "Well, we can't really help you with this, you've got to buy this software tool," they're not going to be in business very long. You don't hire a carpenter and buy him his hammer. That's why I think those tools are probably not a good value right now.