Friday, January 23, 2004

Riding the Waves of New Regulation


The above 4-page PDF from Butler Group is a nice summary of what organisations need to do to meet a raft of regulatory compliance issues. As you can see, SOX is only one of several regulations that need to be complied with.

Geoff and I went to a presentation on corporate compliance at the Chartered Institute of Management Accountants on Wednesday evening. UK regulations also require that listed companies submit a statement about the integrity of their internal controls. The document that mandates this is the new Combined Code, published by the Financial Reporting Council. See:

Bill has just sent me a copy of a 110 page paper about SOX 404, but I'll read that one myself, rather than lumber everyone else with it :-)

Ashby's Law of Requisite Variety says that these regulations cannot be met by a centralised system. The sane picture would look like this:

1) A network of inexpensive, secure servers would be distributed around the organisation. Access to these would be controlled by a PKI, and they would be remotely managed and monitored by the provider.

2) Consultants with appropriate access to these servers would be able to configure them to capture relevant information and develop task-focussed ICT provision for workers.

3) Each server would know the rules for aggregating information and passing it to the next level of authority.

4) At the top level, all the information necessary for reporting purposes would be available in real time. Access to this would be granted to the regulatory bodies.

5) There would be an alert mechanism in each server, which would fire a message when it detected activity outside agreed parameters.

6) The rules in each server would be set up by negotiation between each working group and its managers.

By an odd coincidence, this is the scheme according to which we have designed our technology platform :-)