Regulatory Compliance

Regulatory compliance as driver for data quality management

“...Basel II and Sarbanes-Oxley are driving substantial investments in IT…”
A study of 1,700+ banks from 63 countries, conducted by AIM Software and the Vienna University of Economics, and sponsored by Reuters.

Data quality and management is a key issue for IT risk management in the financial industry, and regulatory compliance is a driver for adopting good data management solutions. Recently, AIM Software also performed another survey, in 2004, which concluded that awareness of applying the ISO standard to data management is increasing among respondents worldwide.

The areas where most banks reported plans to substantially improve data quality within the next two years were the Middle-East (79%), CEE (84%), Asia (88%) and Central & South America (92%).

The focus of banks' efforts lies in the automation of reference data and corporate actions processing, the areas from which the largest costs originate. In fact, one out of ten institutions still employs more than 50 people for reference data management. "The survey enables companies to get a comprehensive overview of the status quo in their industry. Banks can deduce where they have to catch up with their regional benchmark and how trends like ISO 20022, STP and Reconciliation are evolving,"

How much should we pay for SOX compliance?

SOX compliance is very expensive. I agree, and it becomes more expensive if you take the wrong approach to it. Here is an example of how much people pay for Sarbanes-Oxley Act compliance. It reminds me of the early days of ERP (Enterprise Resource Planning) implementation, when in fact only a small number of implementations succeeded.

According to Warren Buffett, the CEO of Berkshire Hathaway, the company spent $24 million on auditing this year, a figure he says would have been closer to $10 million without SOX. (DealBreaker, a Wall Street tabloid, March 2007)

Investors are taking companies private at a record pace. On Monday, it was Sallie Mae, the mammoth school-loan company, in a $25 billion deal. Do private equity firms know something the rest of us don’t? (Investors Business Daily, April 2007)

Is it possible to review the audit log?

Enabling the audit log affects application performance; everybody agrees on that, especially the people in the IT department. But when you ask an IS auditor about the audit log, they will certainly say that an audit log is mandatory for any regulatory compliance.

Here are the major reasons why the audit log usually becomes a major finding in every audit engagement:

1. Enabling the audit log produces a lot of data files.

An IT engineer at a telecommunications company managing MSC or HLR devices will find it very difficult to maintain log retention for a long time. An IT officer at a manufacturing company will run into difficulties when enabling all audit log functions.

2. Reviewing the audit log needs special skills and even special tools.

Even if we have very large storage for the audit logs, we still need tools to analyze the patterns in them. A large amount of data without good interpretation is worth nothing.

Sarbanes-Oxley (SOX), Japanese SOX and Canadian SOX: a simple comparison

Confused by the many versions of Sarbanes-Oxley (SOX)? Here is a simple comparison of Sarbanes-Oxley (SOX), Japanese SOX and Canadian SOX.

| Area | SOX | CSOX | JSOX |
|---|---|---|---|
| Release | 2002 | 2003 | 2006 |
| Other names | SOX, SOA, Sarbos (misspellings: Sarbanes Oaxley, Sarbannes) | Bill 198 | Financial Instruments and Exchange Law |
| Driver | Enron, Arthur Andersen scandal | - | Kanebo, Livedoor, and Murakami scandals |
| Fundamental difference | Section 404 | Covers not only financial reporting and disclosure; it also includes areas of the government such as corporate disclosure, auto insurance and tax. | The Japanese version focuses more on IT Controls and less on IT Governance than the American version. |
