Sarbanes-Oxley. HIPAA. FDA 21 CFR Part 11. Domino users are having a hard time sorting through all the regulations that are adding to their workloads. The new rules, which legislators have drawn up to make businesses more accountable to investors and consumers, are also turning IT workers into internal watchdogs -- by making them track documents, e-mails and instant messages.
To help make the transition to compliance, many Domino shops are hiring compliance experts, adding new databases, and purchasing new software. Compliance is fast becoming a cottage industry for IBM Lotus and its business partners.
But before you pour your resources into new software, you might want to check your existing Notes/Domino infrastructure. You may discover that you already have what you need to satisfy the letter and the spirit of the new rules, says Gartner Inc. analyst French Caldwell.
"People shouldn't be doing another 'Y2K' over this," Caldwell said.
Most enterprises are already using business process management and records management tools.
"The existing tools will often do the job," Caldwell said. For example, businesses only need a spreadsheet application to comply with Section 404 of the Sarbanes-Oxley Act of 2002.
Congress passed Sarbanes-Oxley in the wake of the Enron accounting scandal. Section 404 of the act requires corporations to establish internal controls for financial reporting and produce annual assessments of the effectiveness of those controls.
Even if Section 404 can be satisfied with a spreadsheet, the new rules mean more work for IT.
"CEOs have primarily seen the CIO's job as keeping the lights on," Caldwell said. "Compliance will require more of a business role than perhaps many IT managers are used to."
Domino tools can help
While CIOs are adjusting to their growing role in corporate governance, they are also looking outward for help complying with the government mandates. And for IBM Lotus and Domino developers, this means a whole new source of revenue.
IBM Lotus last month released Lotus Workplace for Business Controls and Reporting to help companies comply with Section 404 of Sarbanes-Oxley. The product includes WebSphere Portal and DB2 Content Manager, and it uses control catalogs provided by the accounting firm KPMG LLP.
But the new Lotus product takes compliance a step further. "We see [Sarbanes-Oxley as a] tremendous opportunity to provide [Domino users] with a holistic view of their controls," said Jeremy Dies, marketing manager for IBM Lotus Workplace.
Domino users can use Workplace for Business Controls and Reporting to make lemonade out of lemons: The product not only tracks documents, but it ties them to user-designated business processes for analysis.
"Just documenting your controls gives you no insight into your business processes," Dies said. "Why not use it to produce new business information?"
Dies added that Workplace for Business Controls and Reporting meets the requirements of the COSO Enterprise Risk Management Framework, which deals in part with assessing control environments and with the ongoing monitoring of information and communications.
IBM Lotus is planning to develop additional compliance tools based on the COSO framework, which is being developed under the direction of IBM consulting arm PricewaterhouseCoopers. Dies did not specify which regulations IBM Lotus is designing tools for.
Homegrown compliance tools
Users and consultants are, meanwhile, creating their own compliance products in Domino.
"Domino definitely has the functionality to comply with regulations, but you have to reorganize your databases first," said Toronto-based Domino consultant John Sun.
Sun has created a Notes tool for complying with FDA 21 CFR Part 11, a rule governing the creation, modification, archiving and retrieval of electronic records in the health services and pharmaceutical industries. Sun's database manages the electronic records and electronic signatures at contract research organizations that perform clinical trials for pharmaceutical companies. Sun said he has completed the Notes client for his database and that a Web portal is in the works.
Dealing with IM retention
Federal officials are still fine-tuning the precise rules for Sarbanes-Oxley and FDA 21 CFR Part 11. But the rules for Section 404 of Sarbanes-Oxley have become clear enough for firms to come up with tools and guidelines for compliance. (And Gartner is rolling out a Sarbanes-Oxley IT assessment framework soon.)
The next piece of Sarbanes-Oxley to hit Domino users will be Section 409. Section 409 of Sarbanes-Oxley requires the real-time reporting of events affecting a company's financial performance.
That will have a major impact on users of IBM Lotus Instant Messaging (formerly Sametime), as Section 409 is seen as applying to IM, said Nathan Freeman, an open source developer with OpenNFT.org.
"There's going to be a whole compliance push to capture and retain IM data," Freeman said. "And Sametime doesn't do that out of the box."
The section will require users either to make new investments in third-party software or to do some serious in-house development.
Several third-party solutions exist to capture IM data. Freeman said he is developing a hardware-software package that will consolidate, index and store that information on removable media.