THE BUSINESS ISSUE

Worldwide financial scandals such as Enron in the US and Parmalat in Italy – and the heightened corporate oversight they inspired – have profoundly affected IT management. The US Sarbanes-Oxley (SOX) legislation imposes up to 20 years in prison for non-compliant CEOs and GMs, and the European Union is looking into establishing a similar system. Since business managers can now be held legally responsible for inaccurate financial statements, the "powers that be" have a highly vested interest in verifying the reliability of their financial information.

SOX, Basel II, Operational Risk, and other new regulations have one point in common: they all enforce preparation for precise technical audits. While the basic idea of these controls is simple on paper, implementation can be prohibitively complex if companies do not have the tools they need. In fact, companies must be able to meet audit requirements on a sustainable, ongoing basis.

Traceability
Compliance with regulations is unavoidable, and IT can no longer stay out of the fray. Information systems must be able to demonstrate rigorous organization and transparency. Companies must be able to demonstrate each step that led to a result, and they need to be able to rerun the process. This means that saving data alone will no longer suffice. Compliant companies must also save the corresponding processing (programs, scripts, etc.).

It is now imperative to have all information needed to reproduce a given process at hand. This implies archiving documentation in phase with application changes, preferably by having a tool that can generate this documentation on demand. Just imagine how much space this documentation would take up on paper!

Instead of being a burden, these new laws are in fact an opportunity for companies to finally implement structured, professional management of their information system –which is, after all, one of their primary assets. We are betting that these new norms will lead to the kind of quality levels that are already taken for granted in industry.

THE ARCAD APPROACH

The ARCAD-Skipper and ARCAD-Observer suites are the perfect match for your IT compliance needs. All application changes are processed via an organized and secure system, with clearly identified versions that allow traceability every step of the way.

Furthermore, documentation generated in phase with development can be integrated into the modified system itself to maintain information on your previous versions. ARCAD-Observer’s graphical interface supports real-time information searches, making it easy even for auditors and other non-development staff to use.

In addition to managing technical audits, ARCAD’s solutions enable you to implement a solid, secure architecture – in which all software changes can be archived and traced – so your system will meet the basic requirements for quality procedures.

SOX
SOX impacts corporations with American parent companies and public capital. It is highly likely that European directives with the same goal of company account transparency will be finalized. This law is being implemented in the field through a number of projects that have led to legal definition of IT best practices. The focus is now on "IT governance."

In the United States, the IT Governance Institute has published the CobiT (Control Objectives for Information and related Technology) framework to assist companies with SOX compliance. You can examine it here. For information on how ARCAD addresses CobiT objectives, please visit our “Best Practices referentials” page.

BASEL II
The Basel II accords apply to financial organizations, and they are intended to cover three types of risk:

• Credit risk,
• Market risk, and
• Operational risk.

For information systems, operational risk management is the main issue. Operational risk is defined as "direct or indirect losses resulting from inadequate or failed internal processes, personnel, or systems, or by outside events." Under the Basel II accords, operational risk management must include capital coverage of these risks. However, proof of solid internal mastery of these risks allows companies to release a part of this capital, which is required by default.

This last point provides clear evidence that demonstrated, effective IT controls will be a major factor in minimizing levels of immobilized capital. Implementation of tools and procedures for the organization and traceability of information system change – along with application mining and retro-documentation – will become strategic factors in business management. Furthermore, the cost of these tools is usually negligible when compared to the amount of capital they free up.

In addition, since most financial organizations have based all or part of their IT on custom software, they are relying on information that is often difficult to retrieve from suppliers.

Once again, ARCAD’s solutions stand out as tools that enable a company to set up a controlled, rigorous organization of their information system, while shaking off supplier constraints. Even better, by adopting these solutions you free up capital and make it available for other projects.

ADVANTAGES

Not only do ARCAD’s solutions address the expectations of development and production teams. Just as important, they also guarantee the security and traceability required by the law and by auditors. The entire application lifecycle is covered:

• Referencing of software components,
• Managing incidents and user requests,
• Development version control and software deliveries,
• Test automation,
• Multi-environment and multi-machine transfers, and
• Transfers to production.

Mounting regulatory pressure is making it easier for IT managers to convince their general management of the added value of ALM solutions. Just one more good reason to tool up.