
Standards and Compliance Issues: Including: ISO, CMM, ITIL, & Sarbanes-Oxley

Presented and Written By: Lauren Eilers, Michele Hummel, Eno Veshi

Executive Summary

Standards and regulations are important components of the process of developing new technologies and of ensuring that business products fulfill legal and customer requirements. Producers around the globe use standards and regulations as guidelines to learn about and understand the requirements their products must meet in order to be marketable. The rapid rise of the Information Technology (IT) industry in the last two decades has drastically changed the way we do business. Numerous information technology companies have been founded, and most other companies have at least an IT component. This growth in Information Technology has been followed by an increase in regulations and standards directed at the IT industry. The expansion of IT, and of the rules and standards related to it, affects managers in most companies, if not now then in the future. With respect to the IT industry, regulations and standards can assist with the establishment of industry norms and the avoidance of disparate practices within the same industry, the establishment of credibility (especially for new or offshore IT firms), competitiveness, and cost control. The institution across the IT industry of norms related to the quality of products and services can improve the reputation of the whole industry and contribute a competitive edge to a country. Disparate practices, however, can lead to consumer dissatisfaction and distrust, especially if the consumer has difficulty distinguishing quality providers from non-quality ones. Thus, widespread industry norms can serve as a type of identification for quality providers, products and services. Adoption of practices which meet or exceed industry standards and comply with regulations can help newcomers to the industry and offshore IT firms attract more customers, despite their lack of experience.
The increase in cost and the increase in size of IT departments have been important issues that US companies have had to face. Upper management is pushing IT managers to increase the value received per dollar invested in information systems. In addition, the failure of some IT projects and the underestimation of the cost of others also increase costs. According to the 1997 CHAOS report by the Standish Group, the U.S. “spend(s) more than $250 billion each year on IT application development of approximately 175,000 projects… (and) a staggering 31.1% of projects will be cancelled before they ever get completed… (and) 52.7% of projects will cost 189% of their original estimates.” 1 Only after fully understanding the effects that regulations and standardization have on the day-to-day operations of a business will managers be able to find solutions that improve the performance of the company.

ISO

ISO standards are used in all sectors of industry. They are created and implemented as a joint effort between businesses and the governments of ISO member countries. By applying ISO standards to its products, a company:

- Meets quality and safety requirements.
- Guarantees customer satisfaction.
- Achieves worldwide market access for its products.

- Creates the framework for improving existing technologies and developing new ones.
- Works towards sustainable, environmentally friendly business processes, which in turn stimulate goodwill among consumers all around the world.

CMM

The Capability Maturity Model (CMM) is a detailed model to direct companies through the processes associated with software improvement. The model follows a philosophy of “continuous process improvement”. It is not designed as a checklist but as a progression which companies follow, improving with and building upon each level. The importance of this model for management is its ability to be used as a means to document the company’s level of quality in its software development, or as a guide to developing quality information technology. Some companies seek assessment according to the CMM to demonstrate their position with respect to their competitors and to win more business. There is no requirement for yearly reassessments, as there is with ISO. CMM is costly to implement, especially for a company starting at the beginning level, and some companies question whether the cost is worth the results or the amount of work involved.

ITIL

The IT Infrastructure Library (ITIL) is a thorough set of best practices for implementing and maintaining an IT infrastructure. It is developed and maintained by the Office of Government Commerce in the UK. The Library describes IT Service Management in terms of two core areas, divided into 11 disciplines that work interdependently. It can be adapted to fit any size of organization. ITIL is a framework, not a set of rules: an organization adopts the framework and then adapts it to fit its own needs. The main objectives of ITIL are to reduce costs, improve availability, tune capacity, increase throughput, optimize resource utilization, improve scalability, and achieve high quality.

SOX

The Sarbanes-Oxley Act of 2002, also known as SOX, impacts the IT industry through its effect on all publicly held U.S.
companies. The Act is intended to address fraudulent business practices, set rules for financial reporting, and ensure the protection of information via internal controls. It also aims to restore a more positive relationship between the public and accounting, auditing and corporate professionals. SOX costs have been a continuing concern for all publicly held companies. Year-one costs were estimated to be $1 million for every $1 billion in revenue, but for smaller companies the actual costs are much higher than estimated. The main costs associated with SOX compliance are the implementation and testing of new system controls, and auditing. Auditing costs account for as much as 35% of total compliance costs. The good news is that costs are expected to decrease by up to 42% in year two. The main reasons costs are expected to drop are reduced documentation, increased efficiency, and fewer problems to fix. SOX also affects companies outside the US, because all companies traded on US stock exchanges must comply. Many European companies are threatening to de-list from the US stock exchanges, because the benefit of being listed no longer outweighs the cost of maintaining the listing and complying with Sarbanes-Oxley. SOX requires all companies to provide certain information, and some of this information is protected by European data protection law (such as the UK Data Protection Act 1998), so SOX compliance is also causing issues for this reason.

Case Studies

Our interviewees emphasized the following points:

- The application of and compliance with the Sarbanes-Oxley Act has increased companies’ costs, especially during the first year.
- SOX has increased accountability and protection against financial fraud.
- More red tape and paper trail are used in making decisions.
- In the years to come the benefits from SOX will be more obvious.

Standards and Compliance Issues Including CMM, ISO, ITIL & Sarbanes Oxley

Standards and regulations are important components of the process of developing new technologies and of ensuring that business products fulfill legal and customer requirements. Based on the definition from Wikipedia, a “standard is a level of quality or excellence that is accepted as the norm or by which actual attainments are judged”. 1 Standards are not necessarily imposed by the government, nor accompanied by incentives. Standards usually originate from within industries and are often developed by international organizations such as ISO (the International Organization for Standardization). A regulation, on the other hand, is “a legal restriction promulgated by government administrative agencies through rulemaking supported by a threat of sanction or a fine”. 2 Thus, regulations are rules set by the government, backed by sanctions to ensure that people follow them.

Producers around the globe use standards and regulations as guidelines to help them learn about and understand the requirements that their products will need to meet in order to be marketable. Without standards, new technologies might become stagnant, slowing down the overall economic growth of the respective countries.

The rapid rise of the Information Technology (IT) industry in the last two decades has changed forever the way we do business. Numerous information technology companies have been founded and most other companies have at least an IT component. This growth in Information Technology has been followed by an increase in regulations and standards directed towards the IT industry.

Why regulate and impose standards?

- Standards ensure acceptable quality and maintain competitiveness.
- Avoid disparate practices within the same industry.
- Due to the increased cost of IT.
- Due to the increased size of the IT workforce.

With respect to the Information Technology industry, regulations and standards can assist with the establishment of industry norms and the avoidance of disparate practices within the same industry, the establishment of credibility (especially for new or offshore IT firms), competitiveness, and cost control. The institution across the IT industry of norms related to the quality of products and services can improve the reputation of the whole industry and contribute a competitive edge to a country. Disparate practices, however, can lead to consumer dissatisfaction and distrust, especially if the consumer has difficulty distinguishing quality providers from non-quality ones.

Thus, widespread industry norms can serve as a type of identification for quality providers, products and services. Adoption of practices which meet or exceed industry standards and comply with regulations can help newcomers to the industry and offshore IT firms attract more customers, despite their lack of experience. India in particular has espoused this idea, adopting standards and complying with regulations to increase its credibility as a quality offshore provider. 3

The increase in cost and the increase in size of IT departments have been important issues that US companies have had to face. Upper management is pushing IT managers to increase the value received per dollar invested in information systems. Only after fully understanding the effects that regulations and standardization have on the day-to-day operations of a business will managers be able to find solutions that improve the performance of the company.

In our presentation we focus on the following standards and regulations:

- ISO: International Organization for Standardization.
- CMM: Capability Maturity Model.
- ITIL: Information Technology Infrastructure Library.
- SOX: Sarbanes-Oxley Act.

ISO standards apply to every economic sector and are the most widely used standards in today’s economy. We will explain in more detail how ISO 9001 helps organizations meet customer expectations while keeping their costs low. CMM and ITIL are standards that focus on IT, and we want IT managers to understand the benefits that come from applying CMM and ITIL in their organizations. The Sarbanes-Oxley Act is a more recent regulation and is still undergoing revision as best practices are determined. Also:

- It has changed the way American companies do business.
- It has significantly increased the importance of the IT departments in publicly held companies (IT departments have shouldered most of the responsibility for implementing and complying with the Sarbanes-Oxley Act).

What is ISO? A brief history and facts

ISO is a non-governmental organization whose members comprise the national standards bodies of 156 countries. The main contribution of ISO is that it identifies the standards needed by businesses, governments and social organizations around the world, and develops these standards in close partnership with the sectors that will use them. ISO standards come to life through expert input and consensus from all the groups that have a stake in the sector where the standards will be used. For these reasons ISO standards are respected and accepted worldwide. Even though it refers to itself as a non-governmental organization, ISO carries much more weight than the average NGO, for the simple fact that many of its standards are adopted as national standards or referenced in law by the member countries. 4

ISO is the world’s largest developer of international standards. It was created in 1947 to provide guidelines and rules that apply to the invention, development and distribution of new products and technologies across the industrial spectrum. There are currently 15,036 standards, and many more are in development. 4 These standards are used in a variety of sectors, from traditional fields such as agriculture and construction to mechanical engineering, manufacturing, distribution, transport, medical devices, and communication technology development.

ISO’s Partners

The list of ISO’s achievements would never have been nearly as long without its effective, long-term partnerships with organizations such as the IEC, the ITU and the World Bank.

- The IEC or International Electrotechnical Commission is the leading global organization that prepares and publishes international standards for all electrical, electronic and related technologies. These serve as a basis for national standardization and as references when drafting international tenders and contracts.

Through the close cooperation between ISO and IEC, the international standards referenced by the World Trade Organization’s Agreement on Technical Barriers to Trade have become an integral part of global business.

- The ITU, or International Telecommunication Union, is the oldest international organization, created in 1865. The ITU has been the forum where governments and the private sector work together to coordinate the operation of telecommunication networks and services and to develop communication technology. Joint efforts by ISO and the ITU have successfully brought together governments and private industry, resulting in rapid improvements in telecommunication infrastructure not only in developed countries but in developing nations as well. 4

The Future of ISO

Many challenges await ISO in the 21st century. There are three areas where ISO is mostly focusing its efforts:

- The Environment: in light of global warming, pollution and the destruction of forests, it has become urgent to set up new standards and improve existing ones in order to create a structure that supports sustainable, environmentally friendly economic development. It is for these reasons that ISO has for some time been developing standards that meet requirements such as greenhouse gas verification (climate change mitigation), or standards that adequately measure the level of water and air pollution. As one ISO official stated: “Environmental problems are by their nature international and can only be solved at the international level. All laws, regulations and standards concerning air and water should repose on the same scientific and technological base. By developing the appropriate International Standards, ISO can provide that base.” 4

- The Service Sectors: standards are being developed to address the needs of personal financial services, market, opinion and social research, and tourism.

- Good Managerial and Organizational Practices: after the fraud and corruption scandals that have plagued the corporate world in the last few years (Enron, WorldCom), ISO is developing guidelines to address concerns about the social responsibility and accountability of upper management in the corporate hierarchy. 4

ISO benefits

There are three main benefits that result from the efforts of ISO:

1) Worldwide recognition. ISO standards are recognized not only in ISO member countries (156 countries and counting) but also by other countries that engage in business with ISO members.

2) Level the Playing Field. ISO makes transparent the requirements products must meet in order to compete in a global economy. As a result suppliers from developed and developing countries alike can compete on an equal basis.

3) Disseminate new technologies and businesses. The international standards developed by ISO help reduce trade barriers caused by different certifications in different countries, allowing companies from member countries to reach new markets. ISO guidelines help limit the significant delays and costs that result from multiple testing, especially during the development of new technologies. This process has become faster and more efficient in making new technologies available to the global market. 4

To illustrate how ISO standards are implemented, we will describe the ISO 9001 standard in more detail. It is a guideline that has revolutionized the way business is done, positively impacting the quality management system within the corporation. We will focus on the following points:

- Why use ISO 9001?
- What is a Quality Management System? General requirements.
- What documentation is needed to meet this standard?
- What is management’s responsibility?
- Planning.
- Resource management.
- Customer-related processes. Product design and development.
- Measurement, analysis, and improvement.

ISO 9001

1) Why use ISO 9001?

To run an organization effectively, management should identify and manage numerous linked activities. These activities transform inputs into outputs, and often the output from one process directly forms the input to another. ISO 9001 helps the company to:

- Understand and meet process/product requirements.
- Accurately determine the value added to the company as a result of the process.
- Obtain and analyze the results of process performance and effectiveness.
- Continue improving processes based on the data obtained in the previous step.

To summarize, an organization should use the ISO 9001 standard when:

a) The company plans to provide assurance that its products meet customer and regulatory requirements.
b) The company wants to increase customer satisfaction in a systematic way. 5

2) What is a Quality Management System (QMS)? Its general requirements.

Based on a definition taken from www.wikipedia.com, “Quality Management System outlines the policies and procedures necessary to improve and control the various processes that will ultimately lead to a better business performance”. There are 8 principles upon which ISO 9001 is based:

a) Customer Focus: understand customer needs, be aware of changes in these needs, always meet customer requirements and strive to exceed them.

b) Leadership: management should unite and direct the organization with a clear vision. Lead by listening, lead by example.

c) Involvement of People: always remember that people are the heart and soul of the organization; involve them and make them understand that they are stakeholders: if the company does well, they will do well.

d) Process Approach: managing activities and resources as processes ensures that the desired results are attained.

e) System Approach to Management: identify, understand and manage interrelated processes as a system, since this increases the efficiency and effectiveness of the organization.

f) Continual Improvement: improve, improve, and then improve some more.

g) Factual Approach to Decision Making: make decisions after all the data and information has been properly processed and analyzed.

h) Mutually Beneficial Supplier Relationships: create mutually beneficial relationships with your suppliers. This will be very important for the organization in both the short and the long run. 5

As the principles above show, implementing an appropriate Quality Management System is crucial to the success of the company. Before starting the implementation of a QMS, the company should meet the following requirements:

- Identify the processes that will be included in the Quality Management System.

- Determine the sequence and interaction between these processes.

- Determine the appropriate criteria to ensure the effectiveness of operational and control processes.

- Ensure the availability of the resources and information necessary to support the processes under consideration (the processes chosen for inclusion in the Quality Management System).

- Monitor, measure and analyze the data obtained from the processes under consideration.

- Take the appropriate actions to achieve performance objectives and continuous improvement of the processes.

After identifying the processes we will consider and establishing our goals, we should proceed to create and organize the data necessary for the Quality Management System. 5

3) What documentation is needed to meet the requirements mentioned above?

It is at this stage that the arduous job of collecting and organizing data begins. In documenting the Quality Management System, the organization will need to:

- Have a quality policy and written quality objectives.

- Create the so-called “quality manual”, which, in addition to the above policies, should include a detailed description of the Quality Management System.

- Have in place procedures that ensure the processes of QMS will be documented as required.

- Record the results achieved and provide evidence of the activities performed. 5

4) What is management’s responsibility?

Now we move to a more specific stage, which focuses on the behavior of management, which is crucial to the company’s success. Management should have a clear vision and provide firm, fair leadership. They should:

- Communicate to the employees the importance of meeting customer, legal and regulatory requirements.

- Establish written policies that ensure quality.

- Undertake reviews to ensure that the quality and effectiveness goals are met.

- Make sure the needed resources for the successful completion of QMS processes are available.

Ultimately in order to have a successful outcome of the business processes, the management should provide evidence of their commitment to the development and improvement of the Quality Management System.5

5) Planning

Planning is another responsibility of the management of the company. During planning certain conditions should be met:

- Ensure that the Quality Management System is ready to meet the quality and regulatory requirements.

- Ensure that the existing Quality Management System continues to work effectively while changes and improvements to the system are planned and carried out. 5

6) Resource Management.

For the company to carry out the planned steps, as stated in the Quality Management System requirements, the organization should ensure the availability of the necessary resources as follows:

- Make sure that the company has all the necessary materials, equipment, information, and is employing the qualified people to build, operate and maintain the required level of functionality.

- Make available the necessary resources that will allow the company’s products to meet customer requirements, consequently increasing customer satisfaction.

Part of the Quality Management System is the set of customer-related processes, which emphasize the importance of customer satisfaction as the expected outcome. 5

7) Customer-related processes. Product design and development.

The organization should make sure that its employees are aware of:

- The product requirements as specified by the customers, including delivery and post-delivery requirements.

- The requirements that should be met for the product to be used for the intended purposes.

- The statutory and regulatory requirements as they relate to the product.

- Any additional requirement that the company might deem necessary. 5

8) Measurement, Analysis, Improvement.

Measurement, analysis and improvement are very important steps in the process of ensuring that the product meets all the necessary requirements. The following are the points that the organization should always emphasize to its employees:

- Ensure the product is up to standard (meets all the requirements).

- Ensure that the Quality Management System works as planned.

- Based on the results received, continue efforts to improve product.

After following all the steps mentioned above (1 through 8), the organization can be said to meet the requirements of ISO 9001. 5

CMM, Designed Specifically for the IT Industry

Unlike ISO with its broad reach, the Capability Maturity Model (CMM) was initially aimed at a single industry, information technology (IT). Understanding the importance of information technology, its potential impact on the future, and its use in creating a competitive edge, the U.S. Congress created the Software Engineering Institute (SEI) in 1984. 6 Designed as a research and development center, one of the primary goals of the SEI was addressing the quality, or lack thereof, of software engineering and its products. After several years of work, in 1991 the SEI released the CMM, a detailed structure designed to assist companies through the processes associated with software improvement. This model:

- follows a philosophy of “continuous process improvement”.
- is not designed as a checklist so much as a process which companies follow, improving with and building upon each level.

The 5 levels of CMM, from lowest to highest, are Initial, Repeatable, Defined, Managed and Optimizing.

Figure 1: The 5 levels of the Capability Maturity Model (Initial, Repeatable, Defined, Managed, Optimizing). 7

Initial level – no management processes? Typically, organizations at the Initial Level use no management processes and fail to document or evaluate their work. If an organization at this level is able to produce some quality software, the success is most frequently due to extreme efforts by a few members of the project team, or to individual practices by a manager. Therefore, due to the lack of management and monitoring, the probability of producing quality software is low. 3, 6

The move from the Initial Level to the Repeatable Level is often considered one of the most difficult in the process, since companies must abandon their disorganized, unpredictable practices and begin using more orderly ones. 6 Under CMM, the development of order begins with a combination of management practices: requirements management, project management, software management and quality assurance. 6 Requirements management involves identifying the requirements for a project and assigning responsibility for each to an appropriate part of the team. Then, during project management, a project leader is chosen and a project plan is drafted, implemented, and then analyzed. Software management examines data from the analyses, determines the components which are necessary for positive outcomes and applies these to new projects. Finally, quality assurance focuses primarily on the comparison of actual progress on a project with its project plan, so that deviations from the plan can be seen and corrected as needed. Thus, the combination of these four management practices allows quality products to be reproduced more easily; quality is no longer a chance occurrence.

Once a company implements the management practices and demonstrates the ability to repeat successes, it is ready to move to the Defined Level of CMM. Here, the management practices and processes proven at the project level are expanded throughout the company. This expansion of knowledge is facilitated by a training group, which is formed at this level. Another group formed at this level is the software engineering process group, whose function is the development of further software processes, building on those already present. As a result of all these actions, the company increases its productivity, efficiency and effectiveness. 6

While the Defined Level continues with development of further management practices, the focus of the Managed Level of the CMM model is to manage all these practices and the software products themselves. In particular, the company sets defined, measurable goals to ensure quality of each software product and process. Additionally, the company collects data from all current projects and analyzes it, using a software process database; this information is then shared throughout the company. In general, during this level, the company benefits from increased quality of its products and processes and communication of positive and negative feedback from the analyses. This results in increased predictability of success and decreased risk. 6

The fifth level of the CMM model is the Optimizing Level. As in the Managed Level, analysis occurs to identify problems and weaknesses, and the company takes steps to correct them and avoid recurrence. However, at the Optimizing Level the company also tries to identify problems and weaknesses in advance of their occurrence, to keep them from happening. 6 Similarly, the company works to prevent defects rather than waiting to address them once they have already been produced. A final focus at this level is “continuous process improvement.” 6 This involves continually working to improve the company, its processes and its products. Therefore, unlike the other levels, the Optimizing Level does not really end.

Why waste money to implement CMM? The CMM is used primarily as a way to document a company’s level of quality, though it may also be used simply as a guide for quality software development. To be used as documentation of quality, an assessment needs to be performed by an SEI-trained assessor. 6 The assessor evaluates a company and determines its level with respect to the CMM. A company does not have to obtain additional assessments, though the option exists, but it is expected to continue with the philosophy of CMM and to keep improving. The CMM assessment level can then be used by a company as validation that it produces quality software products. Such validation is required for some U.S. government contracts, and is especially important for small, unknown or outsourcing companies, who may have no other way to document quality performance.

According to Persse in 2001, most IT organizations assess at level 1, and only 1-2 percent assess at level 5. 6 However, according to a more recent study by the SEI, based on the results of CMMI appraisals of 1,106 organizations during the period March 2002 through December 2005 and reported by January 2006, the picture has changed. 6 (Figure 2.) According to the SEI study, only 2.2% of the organizations assessed at level 1, and most assessed at level 2 (32.9%) or level 3 (32.9%). In addition, the share of organizations assessing at level 5 increased to 18.4%. Though this study is based on results from systems engineering, integrated product and process development, supplier sourcing, and software engineering, it still reveals a trend toward higher assessment levels in IT organizations.

Figure 2: CMMI Process Maturity Profile, SEI CMMI v1.1 Class A appraisal results (number of organizations by maturity level). Initial: 2.2%; Managed: 32.9%; Defined: 32.9%; Optimizing: 18.4%; the two remaining bars (9.0% and 4.5%) cover level 4 (Quantitatively Managed) and appraisals with no maturity level given. Based on the most recent appraisal of 1,106 organizations, from 3/2002 – 12/2005 and reported by 1/2006. Includes results for systems engineering, software engineering, integrated product & process development, and supplier sourcing. 7

Want to Know How to Save Time and Money, but Still Want the Highest Quality Information Technology System? Adopt ITIL!

The Information Technology Infrastructure Library (ITIL) is a set of “best practices” in IT for developing the highest quality support and delivery services. ITIL was originally developed by the Central Computer and Telecommunications Agency (CCTA) in the UK, which has since become the Office of Government Commerce (OGC), and which currently has the duty of maintaining and updating the Library. Since this agency has no ties to any commercial interests in ITIL, it is impartial. The IT Infrastructure Library consists of seven books detailing IT Service Management. IT Service Management is all about the efficient, effective and economical use of the four P’s:

- People: customers, users, and IT staff and managers.
- Processes: ITIL.
- Products: tools and technology.
- Partners: vendors and suppliers.

People: clear role definitions and responsibilities, training, and communication are all absolutely necessary to use this asset to its full extent.

Processes: Service Management, specifically Service Delivery and Service Support, are the central areas of focus.
- Service Delivery is tactical / medium-term management.
- Service Support is operational / short-term management.

Products (i.e. tools): many tools have been developed in accordance with ITIL. These tools are helpful in implementing and running the system, but are not a solution in and of themselves.

Partners: all contributors to the service, including outside vendors and suppliers as well as internal groups.

ITIL defines eleven disciplines of “best practice” procedures, which together create a framework for organizations to handle the tremendous increase in reliance on IT and in its complexity. ITIL can be adapted to fit any size of organization. The eleven disciplines described in the Library are separated into two core areas, Service Support and Service Delivery. The eleven disciplines should never be viewed independently, since they are so closely related in practice. 8

Figure 3: ITIL Service Management. The diagram groups the disciplines around Service Management into two areas. Service Delivery: Service Level Management, Capacity Management, Availability Management, Service Continuity Management, Financial Management. Service Support: Incident Management, Problem Management, Service Desk, Release Management, Configuration Management.

“Best Practice”, as defined by the most qualified and experienced professionals in each particular field, includes more than one person, more than one organization, more than one technology, and more than one event. It provides a generic starting point, guidelines, and a common vision and language; it is not supposed to be imposed from outside the organization, and it is a perfect basis for professionalism.

ITIL Objectives
- Reduce Costs
- Improve Availability
- Tune Capacity
- Increase Throughput
- Optimize Resource Utilization
- Improve Scalability
- High Quality Achieved by:
  - Service Improvement Program using Project Management
  - Service Culture
  - Supporting Disciplines 8

The reason ITIL is so important is the constant need for high quality IT services. Organizations are becoming more and more dependent on IT, and with consumers becoming IT savvy as well, failure could be severely problematic. IT service structures are becoming more complex and competition is stiff. ITIL gives organizations a way to adopt the “best practices” for IT service implementation, without having to figure out what those “best practices” are for themselves. ITIL creates a cost effective, efficient, and high quality way for businesses of all sizes to have the best IT service structure they can. High quality adaptable IT services are also important when new legislation or regulations are required such as Sarbanes-Oxley, which will be discussed in detail in the following section.

“What the law really does is enshrine the principles of honesty and accountability that I learned growing up in Ohio ... You never get in trouble by doing the right thing,” (Michael Oxley, co-sponsor of Sarbanes-Oxley Act) http://files.findlaw.com/news.findlaw.com/cnn/docs/gwbush/sarbanesoxley072302.pdf

A recent regulation that greatly impacts the IT industry is the Sarbanes-Oxley Act of 2002, also known as SOX. This act gives additional powers and responsibilities to the U.S. Securities and Exchange Commission (SEC) related to financial reporting and disclosure and the prevention of fraud. One reason this regulation has such impact is the number of companies directly affected: 210,453 U.S. and 234,086 international registrants of the SEC. 9

Scandalous corporate behavior leads to need for new regulation.

During the 1990s and early 2000s, some executives were deceitful, acted inappropriately and unprofessionally, or made unauthorized changes to corporate financial information, for personal profit and to create better financial pictures of their companies (to keep the stock price high). Many were caught, leading to financial “scandals” and causing investors and corporations to lose large amounts of money. The enormity of the deception created widespread distrust towards corporate America and seriously undermined the credibility of U.S. business in general. Enron (2001), Tyco (2002), WorldCom (2002), and Arthur Andersen (2002) were some of the major companies involved in illegal accounting and auditing practices. 10, 11

In 2002, Senator Paul S. Sarbanes and Representative Michael G. Oxley each sponsored bills to address these misuses. The bills were combined to form the Sarbanes-Oxley Act, which was enacted on July 30, 2002. Most sections of the Act required compliance shortly after enactment of SOX. However, according to the SEC website, the deadline for "accelerated filers" to meet the requirements of Section 404 of Sarbanes-Oxley was originally the fiscal year ending on or after June 15, 2004, and was later changed to November 15, 2004. Likewise, the deadline for non-accelerated filers was originally the fiscal year ending on or after April 15, 2005, and was later moved to July 15, 2005. An accelerated filer is defined as “a U.S. company that has equity market capitalization over $75 million and has filed at least one annual report with the Commission”. 12

How to restore the faith and trust of the public?

The primary goals of the Sarbanes-Oxley Act include renewing investors’ trust in the accounting and auditing professions, increasing auditor independence, increasing corporate responsibility for financial reporting, and ensuring accurate reporting and release of information. 13 To meet the first goal, the Act began by establishing the Public Company Accounting Oversight Board (section 101) and assigning it the responsibility of setting accounting standards, monitoring firms, and executing applicable punishments against public accounting firms. In addition, the Act establishes Fair Funds for Investors (section 308a). This program allows monies obtained by the SEC from civil or criminal penalties to be redirected to the people who were harmed. 14 Finally, the Act addresses the roles of the auditor and the accountant. SOX separates the role of the auditor from that of the accountant and limits the services that an auditor is able to provide (section 201). Outside auditors are also given the responsibility of keeping the audit records for 7 years after completion, and they are subject to rotation requirements, fee and services disclosure, and pre-approval of services by an audit committee.

In order to increase corporate responsibility, SOX requires CEOs and CFOs to evaluate their internal controls over financial reporting and certify this information in their quarterly reports (sections 302, 404). 13 In a like manner, CIOs are now responsible for maintaining the accuracy, dependability and security of the information systems used to manage and report this financial data. Further, to help ensure this responsible behavior, fraud and misconduct are subject to more severe civil and criminal penalties, and information about CEO and CFO salaries, bonuses, and profits is now available to the public. Additionally, insiders are subject to new rules, and executive directors and directors are no longer allowed to receive personal loans from their own companies. 13 Thus, SOX combines limitations on corporate behavior with requirements for corporate activities on the path to meeting this goal.

In addition to increasing corporate responsibility, the Sarbanes-Oxley Act imposes specific requirements to ensure the accuracy of financial reporting and of the financial information that is disclosed to stakeholders and the public. Compliance with this part of the Act is very time-consuming and costly. First, all financial data is reviewed and verified for accuracy and correct documentation by the CEO/CFO. Documentation of all material changes, such as acquisitions, is also reviewed and checked for accuracy. Next, the CEO/CFO must evaluate how secure the information is, that is, how effective the company’s systems are at limiting access to the information. Then, any significant weaknesses in any of these areas must be reported to the SEC. 15 Moreover, following this process by the CEO/CFO, an external auditor must also verify in writing that the internal controls over financial reporting are intact and effective. The auditor usually addresses the following areas within a company: “Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring”. 15

The Main Question on Every CEO/CFO’s Mind: HOW MUCH WILL IT COST TO COMPLY WITH SOX?

Section 404 of the Sarbanes-Oxley Act requires management to create an annual report detailing the company’s internal control over financial reporting processes, as well as an external audit of those financial reporting processes and the management report. This section is meant to improve financial disclosure and reporting by making the management, i.e. the CEO/CFO, personally responsible for the internal financial control structures of the company. 16

The cost associated with compliance with Section 404 begins with the financial reporting structures within the company itself. If, prior to the passage of Sarbanes-Oxley, a company had been meticulous about its reporting structures and kept detailed documentation of all processes and security measures, then the cost of compliance would be relatively low. However, most companies were not so efficient with their financial reporting processes, and therefore have had to completely overhaul their entire reporting system or possibly even develop or install a completely new system. Due to security issues, the total price of a Sarbanes-Oxley compliant system was unavailable.

Under Title II (Auditor Independence), the Act states that the accounting firm hired to perform the audit of the company is not allowed to be involved in any other part of the company’s financial infrastructure, including bookkeeping, design of financial information systems, appraisal services, actuarial services, internal audit outsourcing services, management or human resources, broker services, investment services, legal services of any kind, and any other service as determined by the Public Company Accounting Oversight Board. What this means is that the auditing firm hired to perform the annual audit is not allowed to be connected with the company being audited in any way. This keeps any conflict of interest from being part of the process. It also means that any information system implemented to help with SOX compliance is going to be tested to its fullest extent by the auditor, because the auditor is not allowed to have any part in the development or implementation of the system. The auditor will be looking for any control issues, security clearance issues, and documentation issues. This part of the process is what adds most to the time and, of course, the cost of the audit: once the list of problems is developed, the company has to fix those problems, then the auditor retests the system and produces another list of problems, and the cycle of fixing and retesting continues until both the company and the auditor are satisfied with the results of the testing.

Figure 4: Impact of SOX

The diagram above shows the impact of SOX throughout the company structure. This diagram is from a paper entitled IT Governance and Sarbanes-Oxley: The Latest Sales Pitch or Real Challenges for the IT Function? 26

ARC Morgan conducted a study in 2005 based on SEC filings of 280 publicly held companies to determine actual costs of Sarbanes-Oxley compliance versus expected costs. 16 Expected costs of Sarbanes-Oxley compliance have been projected at $1 million per every $1 billion in revenue, but actual costs have been determined to be slightly less consistent. From the data provided, ARC Morgan determined this cost schedule:

Figure 5

Average Company Annual Sales in US $ | Average Cost of Section 404 Compliance for External Resources Only
0-250 Million                        | $1.56 Million
250-500 Million                      | $1.71 Million
500-750 Million                      | $1.78 Million
750-1 Billion                        | $2.03 Million
1-2 Billion                          | $2.4 Million
2-7 Billion                          | Insufficient Data
7-10 Billion                         | $10 Million

As the table shows, the expected implementation costs were accurate for larger companies, but for smaller companies the cost was almost 6 times what was expected. However, most companies that were required to file with the SEC were not able to put an exact dollar amount on how much SOX compliance was costing. Most companies stated that General and Administrative fees went up due to work performed for SOX compliance, but did not give an actual figure. Of the companies that did give actual cost figures, most stated that the majority of costs were incurred in the second half of the year, specifically the fourth quarter. The fact that most companies waited until the second half of the year to focus on compliance may be the cause of such high costs, due to the resulting shortage of external resources: high demand for auditors caused an increase in auditing costs because of higher fees charged per hour. 17

The following data was collected by CRA International from a group of Fortune 1000 clients as well as a group of smaller public companies. Year-One average auditing costs for smaller companies (market capitalization between $75 million and $700 million) comprise 35% of the total Section 404 implementation costs of $1.5 million. Year-One average auditing costs for larger companies (market capitalization over $700 million) comprise 26% of the total Section 404 implementation costs. Costs for year two are expected to decline for both large and small companies, due to first-year implementation measures that need not be repeated in the second year. The number of key control tests by the auditors is also expected to fall 19% in larger companies, from 669 in year one to 540 in year two, and 22% in smaller companies, from 262 in year one to 206 in year two.

Year-One Section 404 Implementation Costs for Smaller Companies (chart): average issuer cost in Year 1 of $1.5 Million, of which average Section 404 audit-related fees are 35% of the total and the remaining issuer cost (excluding audit-related fees) is 65%; the expected change from Year 1 to Year 2 is a 39% decline, to $0.9 Million.

Year-One Section 404 Implementation Costs for Larger Companies (chart): average issuer cost in Year 1 of $7.3 Million, of which average Section 404 audit-related fees are 26% of the total and the remaining issuer cost (excluding audit-related fees) is 74%; the expected change from Year 1 to Year 2 is a 42% decline, to $4.3 Million.

The top three reasons auditors are expecting costs to drop are:
- Reduced documentation
- Increased efficiency due to progress on the learning curve
- Problem solving efforts that should not recur

As Sarbanes-Oxley becomes a part of the everyday life of the business and compliance is no longer an issue, the cost will not be a factor, and SOX will have added the benefit of corporate responsibility and increased financial disclosure. SOX will hopefully be a complete success, and the possibility of corporate fraud such as Enron or WorldCom will become a thing of the past. But as Mr. Jerry Pisarek said (see Case Study of the Utility Company), “if someone wants to break the law, they will find a way to do it.” 18

Global Effects: Europe down on SOX

In 1998 data protection laws were passed in Europe requiring employee permission for disclosure of certain information. In order to comply with Sarbanes-Oxley, which any company traded on the US Stock Exchange must do, certain privileged information is required. Therefore, compliance with certain aspects of the Sarbanes-Oxley Act is in direct breach of the Data Protection Act of 1998. Section 8.1 of the registration form for SOX compliance states that the company must provide information at any time in the future, but consent must be given by employees, and that consent cannot be promised. Compliance costs in Europe are directly comparable to those of the United States, because all companies publicly traded on the US Stock Exchange must file with the SEC, and the SEC requires SOX compliance. Many European companies are threatening to de-list from the US Stock Exchange because of the costs of compliance along with the costs of maintaining a US listing. But as in the US, compliance costs are expected to decrease in year two and year three.

SOX costs have been a continuing concern for all publicly held companies. Year-One costs were estimated to be $1 million for every $1 billion in revenue, but for smaller companies, costs are actually much more than estimated. The main costs associated with SOX compliance are the implementation and testing of new system controls and auditing. Auditing costs account for as much as 35% of total compliance costs. The good news is costs are expected to decrease up to 42% in year two. The main reasons costs are expected to drop are: reduced documentation, increased efficiency, and fewer problems to fix.

SOX is also affecting companies outside the US, because all companies traded on the U.S. Stock Exchanges must comply. Many European companies are threatening to de-list from the US Stock Exchanges, because the benefit of being listed no longer outweighs the cost of maintaining the listing and complying with Sarbanes-Oxley. SOX requires all companies to provide certain information, and some of this information is protected by Europe’s Data Protection Act of 1998, so SOX compliance is also causing issues for this reason. 17

Our Case Studies

For our cases, we interviewed people from three companies. Our questions focused on the Sarbanes-Oxley Act and the issues with its implementation and compliance. For each case we will provide the following information:
- Company overview.
- Facts about the IS Department.
- Effects of SOX on the company.

Case 1

Our first interview was with Mr. Jerry Pisarek, a Business Performance Specialist with a Utility Company.

Company Background: 19
- One of the main utility companies.
- 9,300 employees.
- Revenue = $6.78 B (2005)
- Gross Profit = $2.28 B
- Net Profit = $628 M
- Distributes electric energy to 2.3 M customers.
- Distributes natural gas to 900,000 customers.

Mr. Pisarek works for the Energy Delivery Department, which is responsible for the transmission and delivery of energy. Mr. Pisarek’s department includes an IS Department in its structure. The system they use is called TRIS (Time Reporting Information System). TRIS keeps track of the payroll but also holds other records related to the everyday operations of the company.

Mr. Pisarek gave us the following facts about the IS Dept.:
- 3,500 employees.
- Includes IS in the department structure, through TRIS (Time Reporting Information System). TRIS keeps track of the payroll but also holds other records related to the everyday operations of the company.
- Structure of the Energy Delivery Department (organization chart with three tiers): CEO at the top; below the CEO, the Director of Accounting, the Managing Supervisor of Energy Delivery, and the Supervisor of Energy Delivery; below them, the Cost Accountant, the Cost Accountant Supervisor, and the Business Performance Specialist.

Mr. Pisarek informed us that the main difference in his department before and after SOX is that now he has to delegate to his superiors certain security clearing decisions that previously he would make by himself. Also Mr. Pisarek added that SOX has increased the costs for his department and also the amount of documentation kept by the company has substantially increased due to SOX requirements.

The current route for a security clearance request before a decision is made:

cost accountant → his or her immediate supervisor → business performance specialist (Mr. Pisarek) → supervisor of accounting → (and sometimes to the managing supervisor of energy delivery).

Then the approval or denial must travel confidentially back down this same chain of people. The movement up or down this chain may be delayed due to employee illness, outside travel or vacation, for example. Furthermore, Mr. Pisarek receives about 30 of these requests per month.

Costs of SOX

Mr. Pisarek estimated that the entire utility company’s cost of compliance with the Sarbanes-Oxley Act is $3 – 5 million annually. Costs have increased in his department due to SOX, but he was unable to estimate the amount due to the ambiguity of the man-hour costs.

He also discussed another cost related to SOX: the substantial increase in the amount of documentation kept by the company, which requires the employees to work extra hours (and the more hours they work, the more money the company has to pay its employees).

How has the utility company met SOX costs?

To this question Mr. Pisarek answered that the Information Systems contribution has been crucial to timely implementing and meeting SOX requirements throughout the company.

The Future of Sarbanes-Oxley?

When asked how SOX will affect firms in the future, Mr. Pisarek agreed with the view that the Sarbanes-Oxley Act has increased the accountability of companies, but he also mentioned that no matter what the business community does, “the bad guys” will always be a step ahead. He ended the interview by adding: “All we have to do is make it harder for them (bad guys)”. 18

Case 2

For this case we interviewed Ms. Lori Kirk, an IS Manager at Solutia Inc. Following are some general facts about the company: 21

- Solutia is a Specialty Chemicals Company.
- Annual Sales $2.7 B (2004).
- $1.9 B in assets.
- 5,700 employees located in 60 manufacturing sites throughout 27 countries.

As we see, Solutia is a company with a considerable global presence. The company has three main product lines: 21

1) Performance Films for:
- car windows.
- computer screens.

2) Specialty Products such as:
- avionic hydraulic fluid.
- heat-transfer fluids.
- plastic products.

3) Integrated Nylon, which is used to make:
- wear-resistant carpets.
- vibrant upholstery fabrics.
- tires.

Facts from Ms. Kirk about her department:
- IT annual budget is $29 M.
- IT Department has approximately 100 employees. 20
- Reporting structure (organization chart): CEO and VP Business Operations on the upper tier; CIO, VP IT, and IS Manager on the lower tier.

When we asked Ms. Kirk about the issues that Solutia faced during the implementation of SOX (Sarbanes-Oxley), she explained in detail that the implementation process went on for almost 2 years (2003 – 12/31/2004). Solutia implemented SOX through 4 phases:

1) Planning (2003) - This phase took most of 2003 to complete. It was a lengthy process for the simple reason that planning would provide the guidelines for gathering an enormous amount of documentation in order to meet the requirements of SOX. The planning had to be detailed, clear and well-timed.

2) Awareness (2003) - The rest of 2003 was used to spread the news to the employees, making them aware of the new rules and of the extra hours they would be required to work. In Ms. Kirk’s words: “It was important to keep employees informed. Let them know about the changes, because after all they would be the ones to implement those changes”.

3) Intensive Documentation (2004) - This was a relatively long phase. It was needed to record a very substantial amount of data and information. Ms. Kirk was quick to state that: “Everybody stepped up, giving their best, and this phase went by more smoothly than anticipated”.

4) Testing (2004) - Because of the careful planning, total awareness, and the great effort put in by the employees during Documentation, testing was a success and the company kept its timetable of implementing SOX by the end of 2004.

At present, Ms. Kirk explained, the company goes through four phases in the yearly process of compliance with SOX.

- Update narrative and control documents - always ensure that your information is up to date, correct and meets the requirements.

- Test the control environments quarterly - it is done often (4 times a year) for the simple reason that it is important to make sure that the right testing mechanics are in place.

- Annual management testing (internal) - this is a control mechanism put in place by the company to ensure that requirements were met; as Ms. Kirk put it: “ensuring that everybody was doing, what they were saying, they were doing”.

- Annual external audit - “this is like the cherry in the cake,” Ms. Kirk said. “It validates the hard work done at Solutia year round to keep compliance with SOX”.

When we asked Ms. Kirk about the impact of SOX at Solutia, she gave us the following information:

- Costs went up, extra people were hired, and existing employees were working more hours.

- The compliance with SOX is time consuming. It is a lot of data to be recorded and organized.

- Ms. Kirk herself:
  - spends 25% of her time on average on issues related to SOX.
  - during the last quarter, as the SOX compliance deadline approaches (12/31 of each year), spends 75% of her time on SOX.

Overall, Ms. Kirk said SOX has had a positive effect on the industry, making higher management more accountable and, as a result, the whole organization more accountable. Specifically at Solutia, the level of accountability after SOX hasn’t changed, because the company prides itself on having always done an excellent job of making accountability and transparency two of the main priorities in its business practices. 20

Case 3

For this case we interviewed Mr. Mark Meiner, Business Development Director at PricewaterhouseCoopers. We chose this company to learn about the effects of Sarbanes-Oxley from a different viewpoint, that of an auditor.

PricewaterhouseCoopers was formed in 1998, when the accounting firm Price Waterhouse merged with another accounting firm, Coopers & Lybrand. 22 This private partnership is one of the largest accounting firms in the world, with about 775 offices in 148 countries, and approximately 30,000 employees in the United States and 130,000 worldwide. The company is structured with PricewaterhouseCoopers International Limited as the umbrella over a large network of smaller independent companies. This unique structure allows the company to operate on both local and global levels, a key quality, as in most countries around the world “the right to practice accountancy is granted only to national firms in which locally qualified professionals have majority or full ownership”. 23

Hierarchy -- PricewaterhouseCoopers LLP – US: 24

Chairman and Senior Partner: Dennis M. Nally
Firm Partners (~3000)
CIO: Ken Cooke
Managers
Business Development Directors

Primary services:
- Accounting services
- Auditing
- Tax
- Consulting.

Clients:
- Primarily mid- to large-sized companies
- Mostly audit clients
- Usually from the following sectors:
  - financial services
  - industrial/consumer products and services
  - technology
  - entertainment.

As a business development director at an auditing firm, what is your experience with the Sarbanes-Oxley Act?

According to Mr. Meiner, the Sarbanes-Oxley Act affected clients of all areas of PricewaterhouseCoopers: Assurance/Audit, Tax, and Advisory. Fees increased by 50% for most of their audit clients. In addition, he estimated that 25% of the SOX-related costs were accrued due to the Act’s requirements for documentation of control systems. Also, 225 of their clients noted 275 control deficiencies each. Mr. Meiner estimated that the new or revised controls required to fix the deficiencies contributed ~25% of SOX costs in year 1.

For PricewaterhouseCoopers’ clients, SOX impacted information technology primarily by creating a need for increased software development and thus, for increased IT budgets. Some specific software needs included tools to track SOX projects, IT tools to automate the way control structures are reviewed, and controls to monitor access to the IT applications.
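The access-monitoring controls mentioned above, and the CEO/CFO evaluation of how effectively the company’s systems limit access to financial information described in the earlier section on financial reporting, both come down to a recurring review of who holds access to the financial application, whether that access is documented, and whether the approval chain was followed. The following is an added example, not code from this paper or from PricewaterhouseCoopers or its clients, of such a review in Python. The account and roster records, the role names, the approval-ticket fields and the three finding codes are assumptions constructed for the example; they are chosen to mirror the control issues, security clearance issues and documentation issues the text says an auditor looks for.

```python
"""Access review for a financial reporting application.

Added illustration (not code from the paper or from any company it
describes) of the access-limitation and access-monitoring controls that
management evaluates under Section 404 and that an external auditor then
retests. All records below are constructed, and the record layouts, role
names and finding codes are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Roles that can change financial data rather than only read it (assumed).
PRIVILEGED_ROLES = {"admin", "post_journal"}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    approval_ref: Optional[str]  # ticket id of the documented access approval
    approver: Optional[str]      # who approved it, per that ticket


@dataclass(frozen=True)
class Employee:
    user: str
    status: str                  # "active" or "terminated" (HR roster)
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    user: str
    code: str
    severity: str


def review_access(accounts: List[Account], roster: List[Employee],
                  review_date: date) -> List[Finding]:
    """Compare application accounts against HR data and approval records.

    Each finding maps to one of the three things the text says an auditor
    looks for: security clearance issues (ORPHANED_ACCOUNT), documentation
    issues (UNDOCUMENTED_ACCESS) and control issues (SELF_APPROVED).
    """
    by_user = {e.user: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        severity = "high" if acct.role in PRIVILEGED_ROLES else "medium"
        emp = by_user.get(acct.user)
        left = emp is not None and emp.status == "terminated" and (
            emp.termination_date is None or emp.termination_date <= review_date)
        # Security clearance issue: HR does not (or no longer) recognise the user.
        if emp is None or left:
            findings.append(Finding(acct.user, "ORPHANED_ACCOUNT", severity))
        # Documentation issue: no record that this access was requested and approved.
        if acct.approval_ref is None:
            findings.append(Finding(acct.user, "UNDOCUMENTED_ACCESS", severity))
        # Control issue: the approval chain was bypassed by self-approval.
        elif acct.approver == acct.user:
            findings.append(Finding(acct.user, "SELF_APPROVED", severity))
    return sorted(findings, key=lambda f: (f.user, f.code))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per code, the kind of figure a 404 report would carry."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return dict(sorted(counts.items()))


def run_sample() -> List[Finding]:
    """Run the review over constructed sample data for a quarter-end review."""
    accounts = [
        Account("alice", "view_reports", "REQ-101", "bob"),   # clean
        Account("bob", "admin", "REQ-102", "bob"),            # approved himself
        Account("carol", "post_journal", None, None),         # no approval on file
        Account("dave", "view_reports", "REQ-104", "erin"),   # terminated, still active
        Account("frank", "admin", "REQ-105", "erin"),         # unknown to HR
    ]
    roster = [
        Employee("alice", "active"),
        Employee("bob", "active"),
        Employee("carol", "active"),
        Employee("dave", "terminated", date(2006, 1, 15)),
        Employee("erin", "active"),
    ]
    return review_access(accounts, roster, review_date=date(2006, 3, 31))


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.severity:6} {f.code:20} {f.user}")
    print(summarize(results))
```

Running the file lists the four deficiencies and their counts. The review date is passed explicitly so the same data can be re-reviewed at the next quarter end, and the output is sorted so two runs over the same input produce identical evidence for the file that the external auditor retests.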

Benefits of SOX

For audit clients: SOX gave companies a greater awareness of their control structures and of the ways they mitigate risk across the enterprise. For non-audit clients: it made them start thinking about some of the issues that SOX addresses.

Are Sarbanes-Oxley dealings always boring and tedious?

Mr. Meiner emphasized that, during the first year of SOX compliance, companies rushed to become compliant. Many of them had underestimated both the cost and time required to do this. The interesting question for the second year of compliance is: “how will companies do it better (in year 2)?” The process needs to be made less costly and more efficient. 24

Conclusion

After going through the documentation about ISO, CMM, ITIL and SOX, we want to stress the following points:

- ISO – International Standard Organization: a global organization used to determine standards across all industries. If your company is planning to go global, compliance with ISO standards gives you the best chance to succeed.

- CMM – Capability Maturity Model: this model provides a sequential path towards improving business processes, and thus increasing the quality of products and services. A company may use it as a means to be considered for U.S. government contracts, a way to identify itself as a credible provider, or as a guideline.

- ITIL – Information Technology Infrastructure Library: it is not only a standard; it is a framework that helps companies find the best applicable practices with regard to the IT systems they are using.

- SOX – Sarbanes-Oxley: SOX has created new documentation requirements for all publicly held companies, creating a new business environment that demands greater financial disclosure and greater accountability from companies.

After interviewing one high-level business manager, one high-level IT manager and one auditor, it was evident that even though SOX increases companies’ costs, it is an appropriate measure for regaining the trust of the public in corporate America. For a company to succeed, not only should it meet customer needs but it should also maintain a high level of accountability and transparency, in order to make it more difficult for greedy, irresponsible executives to harm the welfare of the organization.

In the future, we look for companies to develop tools and standardized processes to document information related to SOX compliance on an ongoing basis. In addition, we anticipate companies will combine their efforts to meet many requirements of Sarbanes-Oxley with work to meet other pertinent regulations, to save time and avoid duplication of effort. Finally, similar to the actions of the director of internal audit at Yankee Candle 25, we also expect other companies to frequently update their external auditors on the companies’ ongoing attention to and improvement of internal controls, in an attempt to decrease the time and costs involved in the internal control evaluation.

REFERENCES:

1 www.wikipedia.com
2 encarta.msn.com/dictionary_/standard.html
3 Griggs, M., and Sauter, V., “Quality Management in the Software Industry”, University of Missouri Working Paper, 2004.
4 www.iso.org
5 Baumont, L.R., “ISO 9001, The International Standard for Quality Management Systems”, ISO Easy, Middletown, 2000.
6 Persse, James R., Implementing the Capability Maturity Model, John Wiley & Sons, Chichester, 2001.
7 www.sei.cmu.edu/appraisalprogram/profile/pdf/CMMI/2006marCMMI.pdf
8 ITIL Foundation for IT Services Management, H1846 (Version J.00, HP Educational Training, pp. 1-16).
9 www.secinfo.com/$/SEC/Location.asp
10 www.sec.gov/news/testimony/090903tswhd.htm
11 www.sec.gov/news/testimony/022603tssmc.htm
12 www.sec.gov/news/press/2004-21.htm
13 www.sec.gov/news/press/2003-89a.htm
14 www.sec.gov/news/testimony/022606tssmc.htm
15 Hayworth, D.A., and Pietron, Leah R., “Sarbanes-Oxley: Achieving Compliance by Starting with ISO 17799”, Information Systems Management, Boston, Winter 2006, Vol. 23, Iss. 1, pp. 73-87.
16 www.sec.gov/news/press/2003-89a.htm (viewed 3/21/06)
17 “Sarbanes-Oxley Implementation Costs. What Companies are Reporting in their SEC Filings”, February 2005 (www.auditnet.org/articles/Sarbanes-Oxley_Implementation_Costs.pdf).
18 Pisarek, Jerry, Business Performance Specialist, Utility Company, interviewed in person by Lauren Eilers, Michele Hummel and Eno Veshi, March 12, 2006.
19 www.finance.yahoo.com
20 Kirk, Lori, Information Security Manager, Solutia, interviewed in person by Lauren Eilers and Michele Hummel, March 29, 2006.
21 www.solutia.com
22 biz.yahoo.com/ic/57/57443.html
23 www.pwcglobal.com
24 Meiner, Mark, Business Development Director, PricewaterhouseCoopers, interviewed by telephone by Michele Hummel, April 5, 2006.
25 Wagner, Stephen, and Dittmar, Lee, “The Unexpected Benefits of Sarbanes-Oxley”, Harvard Business Review, April 2006, Vol. 84, Iss. 4.
26 Kaarsy-Brown, Michelle L., and Kelly, Shirley (Graduate), School of Information Studies, Syracuse University, NY USA (http://csdl2.computer.org/comp/proceedings/hicss/2005/2268/08/22680236a.pdf), viewed 4/28/06