Sarbanes-Oxley and Web Services
Act now to get an early grasp of the inevitable

This article makes the case that Web services provide a significant benefit to Sarbanes-Oxley compliance projects, and that they will therefore be used extensively on these projects. We begin with a very brief primer on the Sarbanes-Oxley Act, then describe the connection between SOX and Web services, including an outline of how most Sarbanes-Oxley projects are conducted, and where Web services fit in. Finally, I offer some specific actions you can take today to get yourself ready for Sarbanes-Oxley.

A Sarbanes-Oxley Primer
The Sarbanes-Oxley Act of 2002, which applies to all companies traded on U.S. stock exchanges, was enacted into law in response to financial scandals such as Enron, MCI, and others. The law puts into place tough requirements and penalties to ensure that companies' financial statements accurately represent their business position. There are numerous sections in the Sarbanes-Oxley Act. However, the three that concern us here are Sections 302, 404, and 409. As shown in Figure 1, these are successively steeper hurdles that are being phased in over time.

  • Section 302 states that CEOs and CFOs must personally sign off on their companies' financial statements. Few specific controls are required by Section 302. The point of it is to establish CEO/CFO accountability for the rest of the Act's sections, with the possibility of prison for noncompliance.
  • Section 404 mandates that well-defined and documented processes and controls be in place for all aspects of company operations that affect financial reports. Furthermore, executive management and a company's auditors must each state in writing that these processes and controls have been examined and are effective. Any findings of ineffectiveness must be publicly disclosed. For companies whose net worth exceeds $75 million, this rule goes into effect beginning with fiscal years ending June 2004. In other words, right now.
  • Section 409, which is not yet in force, will soon require real-time public disclosure of all events that could materially affect company financial performance. To comply with this rule, companies will first have to recognize in real-time that significant events have taken place (e.g., a cash-flow problem), and then get that information into a public reporting system.
Sarbanes-Oxley and Web Services
At first glance, the connection between Web services and Sarbanes-Oxley is not obvious. After all, what do Web services have to do with financial reporting? Indeed, most of today's Sarbanes-Oxley compliance projects are being run by finance departments, with little or no IT involvement.

But recall that Section 404 dictates that controls be in place for all material impacts to financial statements. In other words, every significant business transaction - most of which span multiple corporate systems - must be modeled and inspected for risk; if risks are found, they must be mitigated. Furthermore, Section 409 requires real-time recognition and disclosure of material events. How will these requirements be met?

As Figure 2 implies, most public companies are large, distributed organizations, with diverse systems that have been built up independently over time. To bring information from these systems together, such as for producing financial reports, multiple strategies are generally used, often including point-to-point connections and manual systems. For example, a distribution center in Ohio might send a file or a set of transactions to a headquarters accounting system in Dallas. Or spreadsheet summarizations might be used to consolidate output from multiple plants. Even pencil-and-paper manual controls are common.

These point-to-point and manual systems often get the job done, but they are not up to the requirements of Sarbanes-Oxley. They can expose an organization to problems such as:

  • Inconsistent policy and control implementations
  • Rekeying errors across multiple systems
  • Omitted or double-posted transactions due to failed processes
  • Inconsistent or nonobjective manual reviews and approvals
  • Lack of reconciliation between unintegrated systems
  • Unusual events not flagged for follow-up
In a nutshell, these point-to-point and manual controls (a) fail to document the specific links between systems; (b) do not enforce controls with enough rigor; and (c) can be extremely error prone. The simple truth is that most corporations cannot achieve the requirements imposed by Sarbanes-Oxley without a strategy for automating the integration of the diverse business processes and systems throughout the enterprise. Web services and other integration technologies can be that link, providing the capability to establish control and documentation, reduce risk and error potential, and lower control costs.

Sarbanes-Oxley is often viewed as a burdensome business regulation that provides little or no business value. Consider, however, a different view: Sarbanes-Oxley compliance efforts can transform an enterprise into one that ties together every person, computer system, and business process; one that routes information to and from the right people, in the right places, at the right times. In other words, the Sarbanes-Oxley Act can be seen as a compelling event that provides the impetus to accelerate business responsiveness, streamline supply chains, and enable better decisions. If this isn't a job for integration and Web services, what is?

IT and Sarbanes-Oxley
If Web services are so important to Sarbanes-Oxley compliance efforts, why aren't we seeing them (and other integration technologies) in more of today's compliance projects? Indeed, most of today's Sarbanes-Oxley compliance work is being driven by finance organizations, company auditors, or both. IT is rarely involved, except to execute the plans created by Finance/Audit. The reason for this conspicuous absence is twofold.

The first reason is simply a deadline issue. For most companies, Section 404 requirements must be met in the current fiscal year, and executives face jail time if their firms are found out of compliance. This means that finance organizations are scrambling just to get their systems documented and to plug the biggest risk areas, usually with manual fixes. Prison is a powerful motivator for getting a job done, even if the solution is not particularly elegant on the first round.

A second reason that IT is not yet involved in many Sarbanes-Oxley projects is that these projects tend to follow a natural progression of three phases, and the value of integration and Web services is not evident until the third one. In other words, many companies simply haven't gotten around to the point where Web services are needed. The three phases common to most Sarbanes-Oxley compliance projects are:

  1. Assess and prioritize subject areas: Financial statements are reviewed to identify line items at risk for fraud or error. These items become candidates for immediate evaluation and, where necessary, remediation. For example, salaries might be deemed a low-risk item since they are tightly controlled by a small group of people. Revenue recognition, on the other hand, might be deemed high risk because of loosely defined recognition procedures. This phase is really about analysis and prioritization.
  2. Document and evaluate business processes: The business processes deemed most critical in phase 1 are documented and then evaluated for fraud and error potential. Several technology-based solutions are available to enable companies to graphically model these processes and to use these models to evaluate missing or inadequate control points. But this phase is still mostly financial analysis.
  3. Remediate and improve control systems: As control weaknesses are discovered in business processes, system changes and/or automation are added. This is where Web services come in.
What Do Web Services Bring to the Table?
As projects enter this third phase, Web services and other integration technologies become key implementation enablers. Using Web services, for example, manually prepared spreadsheet summarizations can be eliminated in favor of direct system-to-system communication, yielding tightly controlled audit trails for Section 404 compliance. Similarly, real-time alerts can be defined via Web services to recognize and report on unusual events, to comply with Section 409. All told, Web services address three of the most important business drivers in Sarbanes-Oxley compliance projects:
  • Control enforcement: Automated control of both computer-driven and people-based systems is far more effective than written procedures, since such controls cannot easily be subverted. For example, in the event of a credit risk override, a real-time alert sent to the risk management staff can prevent a poor decision from becoming a business disaster.
  • Real-time reporting: The real-time reporting requirements of Section 409 are coming soon, and businesses must have automation in place to handle them. For example, Section 409 will require real-time public disclosure of material events such as significant write-downs or bad debt recognition. Automated alerts provided by Web services can ensure that such events are communicated immediately to the appropriate executives.
  • Cost reduction: Initial Sarbanes-Oxley compliance costs may be high simply because many of the controls put in place will be manual or one-off efforts. To reduce these costs, IT organizations will need to drive these controls into automated enterprise-class systems. For example, the cost of evaluating customer credit risk can be reduced by integrating credit history and external credit checks into the order processing system.
Actions to Take Today
If you are involved in Web services development at a public corporation, be assured that Sarbanes-Oxley is a force headed in your direction. Within the next year, many of your company's systems will need to be tied together in new ways, and Web services can be a critical architectural enabler. Be ready for these changes. Following are a few ideas for actions you can take today.
  1. Get involved: Learn about the Sarbanes-Oxley efforts in your organization. Identify the people in your finance organization working on Sarbanes-Oxley (they are there, I promise), explain how IT will be important to them in the near future, and ask to get involved proactively.
  2. Service-oriented architectures: Build your systems with a service-oriented architecture to maximize flexibility and adaptability. When the Sarbanes-Oxley projects come your way, you'll be ready.
  3. Build in auditability: Remember that Section 404 doesn't just demand integration; it requires controls over that integration. Controls generally translate to auditability: the ability to know exactly what happened, along with when and why. Build these capabilities into your systems today.
  4. Tools: There are many solutions on the market today that claim to help with your Sarbanes-Oxley efforts. For the most part, they are designed for phases 1 and 2, which are primarily carried out by finance organizations. The tools that will be most helpful to you in implementing phase 3 (remediate and improve control systems) are Web services infrastructure and integration tools. Look for standards-based tool sets that are staying on the leading edge of Web services technologies.
  5. Choose your partners carefully: Chances are, your systems integrators and auditors have already been chosen by your finance organization. Choosing your technology partners, however, will probably fall to you. Be sure that your provider is a public company, itself subject to the Sarbanes-Oxley Act. It should understand Sarbanes-Oxley "personally." It should also possess an unblemished track record of conservative financial practices without pending shareholder or other lawsuits, and should have pre-existing partnerships with your Sarbanes-Oxley advisors (e.g., auditors and systems integrators).
Final Thought
It's important to recognize that compliance with Sarbanes-Oxley is not a one-time event or project. This is a process that will be ongoing for many years to come. Sarbanes-Oxley compliance is here to stay, and it will impact every major system in every public corporation for the foreseeable future.

It's sort of like Y2K, only this time there is no end in sight.

About Andrew Astor
Andy Astor is co-founder, president and CEO of EnterpriseDB. Prior to EDB, he was a vice president at webMethods, Inc., where he was responsible for technical marketing, corporate acquisition integration and standards leadership and evangelism. While at webMethods, he was elected twice to the Board of Directors of the Web Services Interoperability Organization (WS-I), and he served as that organization's Marketing Chair. A frequent speaker at industry conferences, Andy is also on the International Advisory Board for SOA Web Services Journal.
