Jürgen Obermann, CEO of GFT inboxx GmbH: Eurosox – Time for a new approach to compliance

October 2008 by Jürgen Obermann, CEO of GFT inboxx GmbH

The 5th September 2008 marked the deadline for European organisations to transpose two new directives – the Statutory Audit Directive and the Company Reporting Directive – into domestic law. Commonly referred to as EuroSOX, this latest initiative is the European Commission’s eighth guideline for the protection of shareholders, brought in with the aim of ensuring the reliability of annual accounts and consolidated financial accounts of companies, in the wake of recent high profile corporate fraud cases, such as the Parmalat scandal.

Despite the publicity around the introduction of EuroSOX proclaiming the drastic requirements expected from IT, there is surprisingly little said in the EU guidelines as to the concrete IT requirements necessary for organisations to become compliant. This suggests that the current hype regarding ’EuroSOX compliance in IT’ has been somewhat exaggerated. After all, companies operating globally have already had to abide by the International Financial Reporting Standards (IFRS) or the United States Generally Accepted Accounting Principles (US-GAAP) if they wish to adhere to international legal regulations.

The impact on IT

Aside from the obvious changes necessary in IT, EuroSOX will additionally lead to some indirect IT requirements. These ultimately derive from requirements that qualified auditors have to meet, though they are mainly general requirements regarding the quality of systems, processes and data management, as have already been prescribed for years - e.g. in accordance with Basel II.

In implementing EuroSOX, companies should not look on this as just another compliance regulation to be abided by, but rather as an advantageous tool which should be used to encourage greater business transparency.

Best practice approach to EuroSOX

As far as EuroSOX and other compliance rulings are concerned, IT departments should not interpret individual regulations and laws such as EuroSOX, Basel II etc., but should instead concentrate on a holistic approach. This is borne out by recent research commissioned by GFT inboxx, which found that 94% of IT managers in Europe have insufficient knowledge of the legal requirements regarding archiving of e-mails.

IT departments must concentrate on their core tasks. They are not in a position to tackle the legal details of individual laws. This is a job for legally trained and specially qualified expert staff. By concentrating on the combined, generic requirements of all compliance guidelines, IT departments can tackle the issues at a higher level.

The requirements that should be met by an IT department can be roughly divided into three basic tasks; these are, however, not mutually exclusive:

1. Generic best practice data management and data handling – making sure that a consistent approach is taken across the board.

2. Long-term safeguarding and processing of all information. Preparation for possible disturbances (disaster recovery), secure long term archiving of all information and ensuring access at all times within the parameters of storage times are of the utmost importance in this context.

3. Transparency, which is above all facilitated by creation of powerful search functions and analytical methods regarding all information in the company.

The first task is very much open to interpretation and is broad in nature. In the event of any doubt, any weak points coming to light as a result of audits and inspections can be resolved in this context. Items two and three, however, are clear and not open to interpretation. An e-mail document either exists or it doesn’t. A powerful overall search is either possible or impossible. Inspections will thus concentrate on these points, so in the short term the IT department needs to act on them.

Recommendations for IT departments

1. Do not tackle individual legal regulations such as EuroSOX – leave the interpretation to the specialist departments.
2. Don’t take a siloed approach. Instead concentrate on implementing the common requirements for all compliance guidelines:
a. Transparency of IT processes;
b. Audit-proof long-term archiving and planning for disaster recovery;
c. Creation of an overall search and analysis platform to facilitate e-Discovery.
3. In the short term focus on (b) and (c). They are rigorous requirements that cannot be avoided.
4. Use this as an opportunity to create a business case for other IT projects.
