The Key to Compliance

In the wake of the Enron and Worldcom accounting scandals, the regulations an enterprise implements to ensure its integrity are open to increasing scrutiny. This has given rise to a growing number of initiatives such as Basel II, the Sarbanes-Oxley Act and the new Companies Act, all designed to ensure that high standards of corporate governance become part of day-to-day business culture.

Basel II
Basel II, the forthcoming protocol for the financial sector, is designed to replace the 1988 Capital Accord. It recognises that managing and controlling financial risk and operational risk, such as IT, is an integral part of corporate governance and, as such, obligates companies to assess their vulnerability and make it public.

Basel II is based on three main areas that allow banks to effectively evaluate the risks financial institutions face: minimum capital requirements; supervisory review of an institution’s capital adequacy and internal assessment process; and market discipline through effective disclosure to encourage safe and sound banking practices.

Financial organisations that do not provide appropriate details must set aside 20 per cent of their revenue in order to cover losses or risk being prevented from trading. The first phase of Basel II will come into effect at the end of 2006, with the more advanced elements planned for implementation at the end of 2007.

Sarbanes-Oxley Act
The furthest reaching of these regulations is the Sarbanes-Oxley Act, which requires companies to comply with challenging new standards for the accuracy, completeness and timeliness of financial reporting, while increasing penalties for misleading investors. The Act, which applies to all companies (and their subsidiaries) on the US public markets, protects the interests of investors and serves the wider public interest by outlawing practices that have proved damaging, such as overly close relationships between auditors and managers. The law includes stiff penalties for executives of companies that are non-compliant, including fines of $5m and up to 20 years in prison per violation.

Companies Act
The forthcoming Companies (Audit, Investigations and Community Enterprise) Act is designed to help UK firms avoid the much-publicised accounting and auditing problems experienced by companies such as Enron, Worldcom and Parmalat. The Bill, which was mentioned in this year’s Queen’s Speech and will be debated in this session of Parliament in order to come into force early next year, will impose new measures to ensure that data relating to trades, transactions and accounting throughout an organisation is fully auditable.

With reference to the Companies Act, Department for Trade and Industry minister Jacqui Smith has said: “We want the UK to have the best system of corporate governance in the world. There is no denying that financial markets around the world have been badly shaken by the corporate failures of the last few years.

“This Bill completes a comprehensive package of measures aimed at restoring investor confidence in corporate governance, company accounting and auditing practices here in Britain. Its aim is to raise corporate performance across the board and beyond.

“The Bill tightens the independent regulation of the audit profession and strengthens the enforcement of company accounting, both concerns highlighted by the Enron and Worldcom scandals. It gives auditors greater powers to get the information they need to do a proper job, and increases company investigators’ powers to uncover misconduct.”

Security
Basel II, the Sarbanes-Oxley Act and the Companies Bill all highlight the fact that board directors and executive management have a duty to protect the information resources of their organisations. As such, network security – preventing unauthorised access to information and data – is of the utmost importance, and the most effective way of achieving this is by deploying an effective provisioning solution that allows the enterprise to determine who has access to which applications and when.

However, implementing an identity and access management programme that ensures the correct level of security and internal controls over key information and data can be a difficult task for many large organisations.

Often, systems and access policies in use today were developed many years ago when security was not necessarily the highest priority. Not only are these legacy systems now unsuitable for use, but, since being implemented, many of the policies associated with them have not been reviewed, and access is granted either manually or by way of “home grown” development.

Furthermore, many of the systems were not developed to cater for temporary changes such as the provisioning and de-provisioning of contract workers, or to account for a member of staff on leave. Adding to the problem is the fact that, often, companies have myriad systems and access policies, which have merged with another organisation’s policies, systems and architectures.

These issues are now major problems that need to be addressed urgently. As well as the need to comply with corporate governance regulations, the situation has also given rise to an increased security threat, a fact highlighted by the Financial Services Authority’s Financial Crime Sector Report: “Countering Financial Crime Risks in Information Security”.

Secure Enterprise Provisioning
The latest enterprise provisioning technology allows organisations to alleviate these problems through centralised management of IT systems and applications, and the users who access them. Enterprise provisioning solutions, which automate the granting, managing and revoking of user-access rights and privileges, solve the problems created by complex user bases and IT infrastructures by enforcing policies that govern what users are allowed to access and then creating access for those users on the appropriate systems and applications.

The solution can execute provisioning transactions dynamically, based on the nature of the request, and then initiate the appropriate approval workflows as defined by the appropriate policy. It will also provide robust reporting that enables the IT department to better manage user access rights from a global view. For example, systems administrators can view who has access to particular systems or the status of any individual access request (add, move, change, delete) in real time.

The best of the new breed of provisioning systems enforce organisational policies designed to ensure that financial enterprises comply with regulatory requirements by governing who can access particular systems and the information they contain. Reporting and auditing capabilities enable the organisation to demonstrate compliance by listing who has access to protected systems and reporting on how the access was granted and that appropriate approvals were obtained, thus demonstrating that proper policies designed to comply with regulations are being followed. The software can also demonstrate that users who have left the organisation have had access revoked from all the systems to which they were previously authorised.
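
The audit reporting described above can be sketched as a reconciliation between an identity source and the access actually held on managed systems. This is an added example, not code from the article or from any provisioning product; the user names, system names, field names and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data (hypothetical names and systems, not from the article).
HR = {  # identity source: user -> (status, contract_end or None)
    "asmith": ("active", None),
    "bjones": ("left", None),
    "cwong": ("active", date(2006, 3, 31)),  # contract worker
}
GRANTS = [  # one row per entitlement held on a managed system
    {"user": "asmith", "system": "ledger", "via": "workflow", "approver": "cfo"},
    {"user": "bjones", "system": "ledger", "via": "workflow", "approver": "cfo"},
    {"user": "cwong", "system": "trading", "via": "manual", "approver": None},
    {"user": "dpatel", "system": "trading", "via": "workflow", "approver": "desk-head"},
]
PROTECTED = {"ledger", "trading"}  # systems where policy requires a recorded approval


def who_has_access(system):
    """Report each holder of access to `system` and how it was granted."""
    rows = [(g["user"], g["via"], g["approver"])
            for g in GRANTS if g["system"] == system]
    return sorted(rows, key=lambda row: row[0])


def audit(today):
    """Return (user, system, reason) findings an auditor would ask about."""
    findings = []
    for g in GRANTS:
        user, system = g["user"], g["system"]
        record = HR.get(user)
        if record is None:
            findings.append((user, system, "orphan: no HR record"))
            continue
        status, contract_end = record
        if status != "active":
            findings.append((user, system, "leaver still has access"))
        elif contract_end is not None and contract_end < today:
            findings.append((user, system, "contract expired"))
        if system in PROTECTED and not g["approver"]:
            findings.append((user, system, "no approval recorded"))
    return sorted(findings)


if __name__ == "__main__":
    for row in who_has_access("trading"):
        print("trading:", row)
    for finding in audit(date(2006, 6, 1)):
        print("FINDING:", finding)
```

An empty result from `audit` is the evidence the paragraph describes: every account maps to a current member of staff and every grant on a protected system carries a recorded approval.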

These capabilities not only make regulatory compliance straightforward and easy to manage, but ensure increased productivity. Users can be connected to the resources they need to be productive in a fraction of the time, cost and effort previously required. Enterprises can compress the user set-up process from weeks to minutes and application integration from months to just days.

In addition, the IT department’s own productivity will increase dramatically as resources are freed up from the time-consuming tasks of managing user access and building integrations to managed systems and applications.

By ensuring regulatory compliance and at the same time reducing IT costs, secure enterprise provisioning solutions are sure to evolve from the great opportunity they currently present to a critical element of the IT infrastructure of successful businesses.