Bank "maps" its way through SOX maze

Putting the right systems in place to deal with all forms of legislation and regulation is the key to dealing with the Sarbanes-Oxley Act, according to investment bank Dresdner Kleinwort Wasserstein (DrKW).

Stephen Ashton, director of global IT business management for DrKW, said complying with the act has been a major activity.

Ashton said: "It's an enormous job. Between 10 and 15 per cent of our back office staff are working on compliance and regulation. It's significant in terms of the burden on general business and on the IT function. And it is ongoing and it's not going to stop."

Guidance on what companies need to do to be compliant is still developing, adding to the work.

SOX has made companies place more emphasis on the reliability, security and accuracy of their systems. Companies need to understand how their back office systems support financial data processing - and show that they have the right IT governance in place.

Ashton said the aim is to automate much of the compliance work: "We need to find a way to embed these processes in our day-to-day business. Because that's the only way we are going to get the impact and the costs down."

DrKW is using Tideway's Foundation product to identify dependencies in its IT systems and create a view of its IT environment.

One of the areas where large organisations struggle is in understanding all the complex systems they operate, Ashton said. The Foundation product helps the bank find out what its IT environment is and what the dependencies are, and to do that in an automated way rather than using spreadsheets.

He said: "It creates a lot of management information for us in an automated and efficient way. We get exception reports that turn into work programmes."

Even though SOX has created lots of work, it is still only one piece of regulation, warns Ashton. "Any global organisation has a framework of regulation and legislation to deal with. SOX is the one that has had all the focus."

For example DrKW is setting aside the same amount for MiFID as it has for SOX.

Ashton added: "What we need to create is an appropriate control environment.

"That's where things like ITIL (IT Infrastructure Library) and Cobit (Control Objectives for Information and related Technology) come in. They set the framework of standards that apply to IT that we should be following to make sure we comply with regulation."