
Protecting Software Assets as a SOX Compliance Strategy
March 1, 2007 08:00 AM

How is SOX linked to Software? This article will explore how protection of software assets is a strategic way to help companies meet their Sarbanes-Oxley compliance objectives.

By Saul Marcus
Intellectual Property Management
Iron Mountain

Today’s executives face many challenges stemming from far-reaching regulatory requirements and guidelines such as Section 404 of the Sarbanes-Oxley (SOX) Act. This Act instructs executive management of publicly held companies to evaluate and report on the effectiveness of their internal controls over financial reporting, and have independent auditors substantiate the effectiveness of these controls. These controls include the application software and information technology (IT) processes that sustain a company’s day-to-day operations.

Fundamentally, compliance is focused on the integrity of financial statements. However, regulators now recognize the significance and broader scope of information systems and applications that materially affect financial status and reporting. Examples of these types of applications include:

• Supply Chain applications that affect the delivery of products, and hence revenue recognition;
• Enterprise Resource Planning (ERP) systems that provide data for a balance sheet;
• Service delivery applications or shipping systems that feed revenue recognition;
• Contract Management systems or Sales Force Automation applications that impact strategic accounts and revenue.

Many public companies treat SOX compliance and software licensing as totally separate initiatives. However, by taking an integrated approach to compliance, inclusive of the IT department, the protection of software and other technology assets will help achieve and maintain compliance with SOX Section 404.

Why does IT need to worry about SOX?
Navigating the compliance issues around protecting strategic assets is not easy. Compliance is more than documentation; it also includes the control testing of systems, the tighter management of critical third-party services, and the near real-time ability to report on all events that “materially affect” the business.

Although compliance efforts involve the entire company, IT often becomes the backbone of any corporate compliance effort. These compliance requirements have confronted IT executives and managers with new challenges. The new regulations will require IT to coordinate closely with other business departments, namely Finance and Legal.

Compliance mandates also have an upshot: as companies incorporate best practices to meet regulatory requirements, they are also creating the basis for a solid business continuity strategy.

Which Software Assets need to be protected?
If a certain software application were gone, would its loss have detrimental effects on the productivity of your company’s employees or their ability to deliver service to customers? If you answered “yes,” you should consider the software mission-critical, and it needs to be protected – both to keep your business operational and to help ensure compliance with government regulations.

Mission-critical applications are the customized applications that run your business – applications such as those that manage your supply chain, enterprise resource planning, sales force automation, and payroll. Companies that meet the following criteria are required to protect business-critical software assets.

Is your company:

• Publicly traded?
• Operating in a regulated industry?
• Using at least one strategic application to meet regulatory certification?
• In danger of incurring losses in the millions of dollars if a key application vendor goes out of business?

These types of enterprises are at risk of non-compliance in terms of protecting the applications that comprise their strategic assets. Smart business practices, such as placing the software source code for mission-critical applications into a technology escrow account, have now become a key component of regulatory compliance.

How can Technology Escrow help me with my Compliance Efforts?
Escrow management is evolving to meet the challenges presented by compliance regulations. Technology escrow has long been an established best practice for vendor management and business continuity. Now, technology escrow can become a valuable component of a corporate compliance strategy as well.

Escrow is an important tool in ongoing vendor management, particularly with today’s more broadly defined information systems. Technology escrow can help document, control, and protect these information systems for compliance. Current escrow tools can also provide the real-time data required by management and compliance auditors. Even better, escrow can help management ensure there are no surprises when the auditors arrive. Another benefit of an escrow service with real-time data access is the ability to quickly generate regular reports and an audit trail.

How are Companies using Technology Escrow to meet Compliance Initiatives?
Fidelity National Information Services is an example of how one company is helping its clients achieve compliance with the Sarbanes-Oxley Act by offering them a technology escrow service. Fidelity National Information Services (FIS) is a leading provider of core processing for financial institutions.

“FIS provides a host of services designed to help our clients manage their businesses,” says Lenny Smith, director of division operations for the company’s Integrated Financial Solutions division. “One way we can do that is to help them navigate the ever-increasing challenges of regulatory compliance.”

The Sarbanes-Oxley Act was signed into law as a result of a series of corporate financial scandals, and many regulatory bodies recommend—and in some cases require—that companies develop specific plans for how they would continue business if they experienced an event that had significant, negative financial consequences. As part of this Act, organizations must establish a plan of action in the event a software vendor fails and discontinues the support and maintenance of its systems.

“Our technology escrow service will help simplify their ability to meet vendor management oversight responsibilities.” To offer the service, FIS has entered into an agreement with Iron Mountain Incorporated, a neutral, third-party provider of intellectual property management services. By subscribing to FIS’s technology escrow service, institutions are assured that the source code for the software they license would be available in the event FIS was unable to conduct its normal and ordinary course of business.

“At FIS, it is our pledge to support and maintain the technology we provide,” said Smith. “As regulators direct financial institutions to conduct vendor risk due diligence analysis and make preparations for potential vendor failures and subsequent discontinuation of software support, we want to ensure this is an easy process for our clients.”

As companies continue to grapple with the compliance issues brought about by increased business regulations, protecting software assets should be an integral part of compliance strategies. Business managers should investigate the latest tools available through technology escrow to help protect the software that runs their business.

