Expand +



Business oversight or IT security: Where should we put our resources?

by Scott Priest, Editorial Director

October 5, 2011

The ERP world spends the majority of its energy these days talking about mobility, cloud computing, and in-memory computing. Similarly, you see the same sorts of stories day in and day out in the regular news. The recurring theme: job creation. So it was no surprise to see in yesterday's Wall Street Journal an opinion piece that offered two ways to create jobs. What was a surprise was one of the areas that Bob Greifeld focused his argument:

"First, we need to consider revising the 2002 Sarbanes-Oxley accounting-reform law -- specifically Section 404, which requires costly external audits in addition to the traditional audits of a company's financial statements. Sarbox is the most visible sign of overregulation in this country, and the primary excuse for foreign companies to forgo a U.S. public listing.

In 2010, Congress took a first step by exempting companies with a total market capitalization of less than $75 million from the requirements of Sarbox 404. Expanding this exemption to include companies with a market cap of up to $700 million will significantly reduce the costs of going public for many firms. In addition, making the 404 audit a biennial event for those companies who receive a clean bill of health will reduce the costs of larger companies without depriving investors of the assurances pr ovided by 404."

Sarbanes-Oxley, of course, made an impact on the SAP (and wider ERP) community. In some ways, it was a driver for SAP to build out its GRC portfolio; at the very least, it increased reporting and auditing needs. I'm so used to hearing people complain about how they have to deal with it in their systems that I forget that it's something you could potentially do without entirely. 

Norman Marks mentioned Sarbanes-Oxley in one of his recent blog posts (which are required reading) as a sticking point for one of his former employers:

A global manufacturer of hard drives with a single instance of SAP’s ERP. However, all other applications were integrated with custom software and great reliance was placed on spreadsheets. We had a material weakness for SOX when an interface from the ERP into a SAS application to calculate the warranty reserve (the largest number on the balance sheet) was not updated to reflect a product reorganization.

Of course, many of you out there have experienced similar issues. Whether it's merely increased auditing costs, or employee time spent reporting the correct information, or testing the connections of various systems that need to speak with each other, there are clear effects on the business procedures in the ERP world as a result of Sarbanes-Oxley.

We've seen the unregulated (or underregulated) world, and it's not pretty either. Greifeld argues that removing (or at least pulling back) Sarbanes-Oxley would allow companies to breath a little more -- and also further invest into their own businesses in the form of jobs. We saw in the 2008 recession that there isn't always a 1:1 relationship with this sort of thin g -- you can give companies money, but you can't always tell exactly what they're going to do with it. What if they kick out dividends? What if they spend it on research and development projects at existing buildings, with existing employees? Would it still be valuable to repeal it if the unemployment number didn't move?

Maybe it's unrelated entirely, but I know one area I'd like to see invested in more, whether it's resources diverted from Sarbanes-Oxley or elsewhere: IT security. In that same blog post, Norman talks about the dangers of systems that are so sprawling and disparate, but he talks mostly in a reporting and business-driving standpoint. Seemingly every day I read stories like this one in InformationWeek, and they never get any less scary to me:

Out of the last 50 forensic investigations that information security company Mandiant has conducted, 48 of the businesses involved didn't know they'd been breached until informed by law enforcement agencies, Mandiant CEO Kevin Mandia told the House Intelligence Committee on Tuesday.

How could so many businesses not know when they'd been hacked? According to Mandia, advanced attacks--once reserved for use against government agencies--are now being used with greater frequency against businesses. Attackers have also become expert at using malware to compromise legitimate networks, then using them to launch botnet-driven attacks against other targets.

Forty-eight out of 50 is a pretty whopping percentage. Our mobile culture and connectedness to devices and the Internet is only accelerating. No one wants their personal data stolen, but what about businesses? If hackers are getting better at getting information out of businesses -- and can do so without businesses even knowing for a time -- what kind of damage could they do? I don't really want to think about what a well-organized attack on major companies could do. But I can imagine that things could happen now that we are not at all prepared for.

Before we get to that, I'd like to see more investment in IT security. It's like any other battle between lawbreakers and the law (use whatever example you'd like -- steroid users in baseball vs. the testers; terrorists vs. governments, etc.). Hackers will always be ahead of those who put up security, and as long as we are as interconnected as we are, there is going to be risk. But that doesn't mean we can't improve the technological components to at least making hacking more difficult -- and at least figure out a way for more than 4% of companies to know they've been hacked in the first place.

An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!