September Issue of the Taos Newsletter: Sarbanes-Oxley (SOX)

Interview with Shawn Farshchi, Vice President of Technical Operations and Chief Information Officer of WebEx Communications Inc.
Taos: When did you realize the impact that SOX would have on your IT department?

Shawn: Information about Sarbanes-Oxley came up through the ranks of IT. It showed up on our radar well before finance discussed it with us. We knew it was coming, but we waited until finance dealt with their processes and was ready to deal with IT before we made a concerted effort to address it.
Taos: Can you give us an overview of the SOX efforts you have under way?

Shawn: We are using E&Y (Ernst & Young, ed.) as our pre-auditor, with KPMG for the final audit. Our audit is this year, so we are pretty far along in our process. We have five full-time people driving process, and every single line manager is responsible for their section.
Taos: What do you see as the strengths a pre-auditor brings to the table?

Shawn: Consultative mode: our pre-auditor tapped into what everyone else was doing and was able to assist, especially in creating efficiencies in document production. IT shops are good at developing SOPs. Our pre-auditor was able to focus our energy and efforts to get the most out of the effort. Their ability to develop test plans was also very helpful and productive.
Taos: Were you able to prioritize in order to focus effort in particular areas?

Shawn: No, we did not break it into different priorities. All aspects of compliance are important, and we worked on them together. We did prioritize by high, medium and low impacts, but pursued all avenues to ensure compliance.
Taos: Where do you think you have work to do?

Shawn: We’ve had a good handle on this since we had been through a SAS-70 and WebTrust certification recently, so very little was surprising about this process. We found all of our issues had already been addressed and that mostly it was a matter of tidying up access control, change control and code management. We found mostly just consistency issues.
Taos: Did you look at any of the software applications on the market to help you with SOX?

Shawn: Yes, we did look at some of them, and they all appeared overly complicated. Maybe because we are a smaller company, it seemed most of these applications were aimed at much larger enterprises and really were not designed for us.
Taos: Do you use a document management system, or do you use something internally built?

Shawn: We do use a document repository system where documents are checked in and out. This also helps provide our audit trail for the auditors to ensure that we actually are using these processes and the documents we’ve created.
Taos: Where/how do you store the information on actual process to feed the audit trails?

Shawn: Our Remedy ticketing system; it logs all requests and resolutions. We also use system logs and various other tracking devices.
Taos: How will you audit processes going forward and maintain your SOX compliance?

Shawn: SOX will become the responsibility of our security team, as well as every line manager. The security team will be responsible for constantly updating and maintaining our readiness. They will be performing the internal testing next year.
Taos: What are some of the problems you have heard other companies have encountered?

Shawn: Well, we have had it pretty easy. We are very centralized, with just one primary data center for IT. Companies with multiple data centers scattered around the country have to go through an intensive SOX effort for each data center. It is also a problem for a company that has made multiple acquisitions. Integrating the disparate groups into a compliance effort can be very difficult.
Taos: How much do you estimate the SOX effort will take?

Shawn: I estimate about 3,000 hours including consultant effort. I believe this is typical of almost any small or medium-sized company.
Taos: We heard that Sun was spending multiple millions on their SOX efforts.

Shawn: Yes, I heard others were actually taking a hit of several cents per share this time around to account for the cost of SOX compliance. With so many mergers out there, bringing compliance to all of these distributed organizations must be an incredibly painful process.
Taos: Do you see SOX audit preparation as an advantage – an opportunity to professionalize your IT operations?

Shawn: To staff, it has certainly reached overkill proportions in day-to-day operations. At my level it gives me repeatability; repeatability I can count on rather than the heroic efforts of individual staff. I do not mind it at all. I worked in a nuclear power plant once, and SOX is very similar to the NRC (Nuclear Regulatory Commission, ed.) requirements. Every single thing you did was documented, and that was just what you did; it was expected of you and built into the organization. There was a huge audit trail.
Taos: What advice would you share with your fellow CIOs as they go through their preparation?

Shawn: Ensure that you have already worked everything out with finance: the identification of significant financial processes, agreement upon which IT systems support them, and narrowing your scope down to just what is absolutely necessary. Otherwise you will spend a lot of time chasing down unnecessary paths. Also, everyone in IS should own their processes; push the accountability through the organization. Lastly, SOX is associated with considerable cultural change in an organization. Documentation can be tedious, and IT people are notorious for not documenting details and resisting it. IT managers need to follow the process consistently for change to happen.
Shawn Farshchi is the Vice President of Technical Operations and Chief Information Officer of WebEx Communications Inc., which is a leader in the multimedia business communications industry. He has over 22 years of development and services management experience at companies such as DHL Airways, Broadvision and GTE Sprint. Mr. Farshchi has also served in a variety of technical and management positions at Bechtel Power Corp., GTE Spacenet, Oracle, Pacific Gas and Electric, and Syntex Corporation.