www.ASPonline.com
ASP Forum
Sarbanes-Oxley Certification
"Some of our bigger clients are beginning to ask for Sarbanes-Oxley
'certification' for patches and upgrades. This is beginning to feel
like Y2K all over again. What are other software companies doing
about these requests?"
—Gretchen from Great Neck

This is a great topic and one that I have run into as well. This
isn't unique to the US as major companies around the globe are now
being asked to be compliant. Some general insight I can share since
I work for a software company is that the majority of the compliancy
issues are actually related to processes versus software patches or
modification. We have a billing system so as you can imagine our
calculations, system integrity, etc., are under great scrutiny. Thus
far we have yet to have to make a patch to our software for anything
related to Sarbanes Oxley. We are currently going through the
certification process with several of our large customers. I
encourage any of your readers that are going through this process to
first educate themselves on exactly what is required, understand
when objections are raised—it may be more related to the business
process versus the application that supports it. With our customers
we have asked for "very detailed" reports on compliancy where they
feel we are out of spec or need to modify our application. Thus far,
as I said earlier, we have seen minimal impact as our customers
adjust their own policies, procedures and work flows to manage this
issue. We are still early in the process, but I believe for the
majority of us this will have minimal impact if your application
security is solid, and your product is properly documented.
—Mike Verner mverner@entriq.com
Solution Center Manager, Entriq
760/795-2679

We are starting to get requests like you mention on the website for
Sarbanes-Oxley compliance. We are considering hiring a "compliance
officer" for the company that would deal with these types of requests
as well as other government regulatory matters. We have considered
developing our own Sarbanes-Oxley compliance manual that would be
standard that we could give to customers upon request so that we
don't have to reinvent the wheel each time. We are also considering
the idea of charging for this service as it is extremely time
consuming. We feel that it is important to respond well though to
important customers as it could shape the future of our business with
them as a vendor. It also could be something that squeezes a lot of
smaller vendors out of the playing field since this will expose their
weaknesses and/or be more than they will have resource to respond to.
Just some thoughts.
—Bradley Bennett bbennett@infogenesis.com
Vice President of Operations, InfoGenesis
805/681-8600 x440

[Does anyone else have some advice? Send an email to membership director
Jane Farber at jfarber@asponline.com, and we'll
post your feedback.]