As resources for legacy languages disappear, companies are confronting a new risk equation: compliance vs. application modernisation.
Compliance raises the stakes on application modernisation
Since the advent of the Sarbanes-Oxley Act (SOX) regulations in the United States in 2002, executives have come to realise the far-reaching impact of this regulatory framework on a company's IT systems. But as resources for COBOL and other legacy languages continue to disappear, the risk is running higher than ever for legacy applications holding key financial and/or personal data. Most of these applications are specific to the parent organisations themselves, designed to ease operations and give the company a competitive edge. Companies are now confronting a new risk equation: compliance vs. application modernisation.
Who's At The Controls?
SOX recommends that "firms place a high priority on enhancing the overall effectiveness of auditors' work on internal control, particularly with respect to the depth and substance of their knowledge about companies' information systems." General controls can be assessed through design walk-throughs, code reviews, interviews to ensure that procedures are followed, sample testing to ensure that documents and records are kept concerning processes and procedures, and so forth.
While most organisations have been able to achieve Sarbanes-Oxley compliance, to do so they have had to deploy an unprecedented amount of resources and carry out exhaustive and tiresome auditing processes. Many deploy specialised software designed specifically to meet the necessary regulations and controls by automating much of the required implementation. Even if a company accepts the resource load of auditing, and of paying for third-party systems, it still has to deal with how this activity trickles down into legacy applications.
One Deadly Question
SOX Section 404 says companies must prepare reports - to accompany their annual reports filed with the SEC - assessing the effectiveness of their internal control structures and financial reporting procedures. Compliance with Section 404 is where most public companies' SOX efforts are aimed today. On the surface, those efforts seem like something for financial departments to tackle. But in its execution, SOX is all about IT. If your core financial application is being audited, one deadly question could ruin everything: is this number accurate?
If you're running legacy applications, this means that you have to produce change records, design specs, access records and more, just to begin with. And what about security?
Businesses often segment their networks by installing internal firewalls with restrictive rule sets in order to isolate systems holding sensitive information from other systems that are exposed to risk. This works both ways. Workstations and internet-facing systems are exposed to malware, phishing, drive-by downloads and direct attack, so legacy systems that contain sensitive information should be shielded from them. On the other hand, legacy systems are themselves a risk because of potentially un-patchable vulnerabilities, so other sensitive internal systems, such as databases, should be isolated from the legacy systems as well.
For organisations that are running out of time for compliance, options can include moving the software and its database to a new server and using full-disk encryption. Make sure the network communications on the legacy system are secure through SSL tunnels. These might not be long-term solutions, but many companies have been able to get exemptions and pass an audit if they truly show that they are securing data this way while they implement long-term fixes.
Impact on Application Modernisation
On an application modernisation project, SOX auditors tend to be interested in how accurately the data was migrated and in the financial controls associated with backloading the new environment. For example, you may be required by SOX to assess the "validity" of the data, meaning that you are migrating it correctly (the $100 in the legacy system is carried forward as $100 and not $101). But how do you know the legacy system generated the $100 properly under the legacy controls? If you migrated all of the data and the applications to another platform, that migration would be the focal point of your controls testing process. You may also need to prove the accuracy of the migration and of the balances as of the changeover date. In some cases (unless a read-only copy was left on the mainframe), there may no longer be an application or existing data to test against.
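One way to produce the migration "validity" evidence described above, as an added example that is not from the original article and reflects no particular tool: the two extracts and the account numbers are constructed, and the script compares records one by one as well as the control totals, since a matching total alone can hide an offsetting error such as a dropped record replaced by a stray one.

```python
"""Migration reconciliation: record-level and balance-level comparison of two extracts."""
from decimal import Decimal
import csv, hashlib, io, json

# Constructed sample extracts (not real data): legacy system vs. migrated system.
LEGACY_CSV = """account,balance
1001,100.00
1002,250.50
1003,0.00
1004,75.25
"""
MIGRATED_CSV = """account,balance
1001,101.00
1002,250.50
1003,0.00
1005,75.25
"""

def load_balances(text):
    """Parse a CSV extract into {account: Decimal}; Decimal avoids float rounding."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["account"]: Decimal(r["balance"]) for r in rows}

def reconcile(legacy, migrated):
    """Return a findings dict: per-record exceptions plus control totals and counts."""
    findings = {"mismatch": [], "missing_in_target": [], "unexpected_in_target": []}
    for acct, bal in legacy.items():
        if acct not in migrated:
            findings["missing_in_target"].append(acct)
        elif migrated[acct] != bal:            # the $100 carried forward as $101 case
            findings["mismatch"].append((acct, str(bal), str(migrated[acct])))
    findings["unexpected_in_target"] = sorted(set(migrated) - set(legacy))
    findings["legacy_total"] = str(sum(legacy.values(), Decimal(0)))
    findings["migrated_total"] = str(sum(migrated.values(), Decimal(0)))
    findings["record_count"] = (len(legacy), len(migrated))
    findings["clean"] = not (findings["mismatch"] or findings["missing_in_target"]
                            or findings["unexpected_in_target"])
    return findings

def evidence_digest(findings):
    """SHA-256 of the canonical JSON report, so the retained evidence is tamper-evident."""
    blob = json.dumps(findings, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

if __name__ == "__main__":
    report = reconcile(load_balances(LEGACY_CSV), load_balances(MIGRATED_CSV))
    print(json.dumps(report, indent=2), "\ndigest:", evidence_digest(report))
```

On the constructed data the totals differ by only $1.00, yet the record-level pass also reveals that account 1004 never arrived and 1005 appeared from nowhere.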
Dealing with SOX underscores the importance of understanding what's in legacy systems. From technical inventory to business logic and security, a holistic picture is necessary not only to make the right decisions for your application modernisation project, but also to stay compliant now and in the future.