Compliance Oriented Architecture Defined
COA is a subset of the OpenWare Technologies Architecture and is based on the Compliance Oriented Architecture developed by
RedMonk. COA enables the management of compliance standards as services and supports the following:
Sarbanes Oxley
HIPAA
Straight-Through Processing and T+1 For Financial Services
Basel II (international capital adequacy)
Section 508 of the Rehabilitation Act (Use of IT by the Disabled)
EPC (RFID & Barcode)
EMV (Europay, Mastercard & Visa)
Compliance isn't simply a matter of buying an expensive software package and then forgetting about optimizing your workflow and processes. Compliance integration projects should make information readily available to internal decision makers and to SOA service administration, not just to auditors.
Sarbanes Oxley
The Sarbanes Oxley Act of 2002 was passed in the wake of several corporate scandals and failures as an attempt to improve visibility into the financial management of public firms. It provides an update to many of the provisions of the Securities Exchange Act of 1934, including new provisions for oversight (establishing the Public Company Accounting Oversight Board) and increased fines and penalties.
Impact for IT Professionals:
* Section 302 – Corporate responsibility for financial reports: This provision requires significant workflow management to assure that financial officers who sign annual and quarterly financial statements can attest to the accuracy of the information in those reports. Changes in the reporting systems and their controls must be tracked and reported in addition to the data.
* Section 404 – Management assessment of internal controls: This provision requires management to attest to the effectiveness of their internal controls, which in turn implies that processes used to develop, manage and report on information systems are consistent and accurate.
* Section 409 – Real time issuer disclosures: This provision requires firms to disclose—in a timely manner—information that pertains to material changes in operations. As most systems that would capture or create this information (ranging from ERP and GL to BI and data mining) are under the control of IT, compliance relies heavily on IT.
Key Dates:
6/15/2006: Section 404 filing deadline for non-accelerated filers (generally, firms with a market cap less than $75M)
3/15/2005: The SEC extends compliance deadlines for SOX Section 404 for non-accelerated filers to June 15, 2006.
11/15/2004: Section 404 filing deadline for accelerated filers (generally, firms with a market cap greater than $75M).
2/24/2004: The SEC extends deadlines for compliance with SOX Section 404. Accelerated filers, which previously had a June 15, 2004 deadline, are given a new deadline of Nov 15, 2004. Non-accelerated filers are given a new deadline of June 15, 2005.
How small and medium businesses can achieve compliance through SOA/COA
Until now, the chances of a small or medium-sized business achieving a Compliance Oriented Architecture were not good. Finding a skilled IT services firm that focuses on helping SMBs achieve a loosely-coupled SOA/COA is good news indeed. OpenWare relies heavily on the COA framework laid out in RedMonk's report (http://www.redmonk.com/COA_Final.pdf).
More on RedMonk
Analyst firm RedMonk Inc., of Bath, Maine, recently advised enterprises to take service-oriented architectures a step forward and begin architecting services with regulatory compliance in mind. In its report, RedMonk said companies need to distill common services from the regulations that may apply in a given industry, architect those services once, and reuse them across the enterprise.
"By breaking down the barriers between disparate compliance requirements and distilling out a core set of services, organizations can organize their thinking around compliance-specific services, implementing them according to their own unique needs," wrote report authors James Governor and Stephen O'Grady.
Peter Underwood, vice president of software development for Wall Street Access, a New York brokerage, said compliance can effectively be balanced with an existing service-oriented architecture.
"SOA massively simplifies compliance," Underwood said. Wall Street Access has to comply with Securities and Exchange Commission regulations at nearly every level of its business. Audits are mandated at each of those levels, and particular services have to be architected with compliance in mind.
"Injecting compliance components into an SOA makes immense sense," Underwood said. "It saves a tremendous amount of time and expense. You don't, however, have an SOA of compliance services."
RedMonk may be trying to signal a change in that thinking. IT shops too often address compliance projects in silos, which leads to redundancy and complexity, RedMonk said. The analysts advise IT shops to merge the implementation teams working on Health Insurance Portability and Accountability Act, Sarbanes-Oxley Act, Basel II and other projects, and to avoid giving in to individual regulatory demands when architecting services.
"Rather than implementing monolithic applications designed to tackle a single regulatory challenge, enterprises should implement a flexible and dynamic architecture that consumes compliance services as required," the report said.
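As an added illustration of what one such shared compliance service can look like (example code written for this page, not OpenWare's or RedMonk's own; the regime labels, helper names and the demo key are assumptions), the block below implements a single tamper-evident audit trail that is consumed by two regulatory contexts: a SOX Section 302/404 control-change record, the change tracking that attestation depends on, and a HIPAA access record. Each entry is HMAC-SHA256 chained to its predecessor, so verify() detects any rewrite, deletion or reordering of the stored records, whichever regulation the record was evidence for.

```python
"""Added example: one hash-chained audit-trail service shared by several
compliance regimes. Illustration for this page, not OpenWare or RedMonk code.
"""
from __future__ import annotations

import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    regime: str        # regulation the event is evidence for (labels are assumptions)
    actor: str
    action: str
    detail: dict
    prev_hash: str     # mac of the preceding record, GENESIS for the first
    mac: str           # HMAC-SHA256 over the canonical record, chained via prev_hash


class AuditTrail:
    """Append-only, tamper-evident log. One instance serves every regime."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._storage: list[AuditRecord] = []  # stands in for a database table

    def _mac(self, seq, regime, actor, action, detail, prev_hash) -> str:
        # Canonical JSON so the same event always serialises identically.
        body = json.dumps([seq, regime, actor, action, detail, prev_hash],
                          sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, regime: str, actor: str, action: str, detail: dict) -> AuditRecord:
        seq = len(self._storage)
        prev = self._storage[-1].mac if self._storage else GENESIS
        rec = AuditRecord(seq, regime, actor, action, detail, prev,
                          self._mac(seq, regime, actor, action, detail, prev))
        self._storage.append(rec)
        return rec

    def records(self, regime: str | None = None) -> list[AuditRecord]:
        """Auditor view: everything, or only the evidence for one regime."""
        return [r for r in self._storage if regime is None or r.regime == regime]

    def verify(self) -> tuple[bool, int]:
        """Recompute the chain. Returns (ok, seq of first bad record or -1)."""
        prev = GENESIS
        for i, r in enumerate(self._storage):
            expected = self._mac(r.seq, r.regime, r.actor, r.action, r.detail, prev)
            if r.seq != i or r.prev_hash != prev or not hmac.compare_digest(r.mac, expected):
                return False, i
            prev = r.mac
        return True, -1


# Two regulatory contexts consuming the same service (names are assumptions).
def record_control_change(trail: AuditTrail, actor: str, system: str, ticket: str) -> AuditRecord:
    """SOX 302/404: a change to a financial-reporting system or its controls."""
    return trail.append("SOX-302", actor, "control-change", {"system": system, "ticket": ticket})


def record_phi_access(trail: AuditTrail, actor: str, patient_id: str, purpose: str) -> AuditRecord:
    """HIPAA: access to protected health information."""
    return trail.append("HIPAA", actor, "phi-access", {"patient": patient_id, "purpose": purpose})


def demo() -> tuple[bool, bool, int]:
    """Constructed scenario: three events, then a storage-level rewrite."""
    trail = AuditTrail(key=b"constructed-demo-key-not-for-real-use")
    record_control_change(trail, "cfo-delegate", "GL-ledger", "CHG-1042")
    record_phi_access(trail, "nurse-7", "P-2231", "treatment")
    record_control_change(trail, "dba-3", "GL-ledger", "CHG-1043")
    intact, _ = trail.verify()

    # An insider edits the ticket number directly in the backing store.
    forged = dataclasses.replace(trail._storage[2],
                                 detail={"system": "GL-ledger", "ticket": "CHG-1099"})
    trail._storage[2] = forged
    still_intact, first_bad = trail.verify()
    return intact, still_intact, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

The HMAC key is what makes the trail trustworthy: in a real deployment it belongs in an HSM or secrets manager that the administrators whose actions the trail records cannot reach, and verify() runs in a separate service so that a compromised application host cannot both rewrite a record and re-chain everything after it.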
The benefits of an SOA extend to these compliance-oriented architectures: fewer redundant purchases, which result in lower licensing fees; greater productivity from service reuse; quicker time to market for services; better management; and a flexible architecture that adapts to constantly changing regulations.
RedMonk adds that a compliance-oriented architecture brings IT and business goals into line. It also eases integration challenges down the line and ends "departmental fiefdoms."
However, a recent survey conducted by the London-based Economist Intelligence Unit Ltd. found that only 27% of C-level executives seek out the input of IT when it comes to compliance projects. Compounding the problem is the impending November deadline for SOX compliance, which RedMonk warns will result in a bevy of point applications that do not interoperate with the rest of the IT architecture.
C-level reluctance to include IT is foolhardy since, as RedMonk points out, compliance is a fundamental strength of IT: most software and systems already conform to some set of business objectives.
Compliance-oriented architectures, meanwhile, are specialized SOAs that support many compliance requirements.
"SOA is simply a tool for addressing technical problems," according to the report. "It yields value only through imbuing the architecture with specific business requirements manifested as services."
RedMonk predicts more SOAs will address specific business needs, but it deems the most important to be those that address regulatory compliance.
Excerpted from http://searchwebservices.techtarget.com/originalContent/0,289142,sid26_gci1004126,00.html