FUD In The Sarbanes-Oxley Tool Space
A member of a Sarbanes-Oxley Listserv I belong to caught my attention today. He sent out a report that he "found" called "Sarbanes-Oxley Tools: Why Do They Fail?".
Written by Rohit Tripothy, formerly with Ernst and Young in India, this document is so full of biased opinions and misstatements of fact that it is hard to know which criticisms of the tools are valid and which should be discounted. This epitomizes fear, uncertainty and doubt. In fact, the whole tenor of this "report" made no sense until I did some research and found out where he works now. I will discuss that in a bit. Right now, I want to focus on some inflammatory statements he makes, such as "Java 2 Enterprise Technology (J2EE) which has now been widely recognized as a very slow platform due to interpretation based architecture" and "J2EE based application server along with Lotus Notes based architecture will ensure that the tool will have application performance issues."
What made this whole paper suspect for me was the misstatements he made about IBM Workplace for Business Controls and Reporting. These misstatements required either total ignorance or lack of research. The author states that "It was a late entrant to Sarbanes-Oxley compliance market when it launched a Lotus Notes based compliance tool called IBM Workplace for Business Controls and Reporting in October 2003." Well, my biggest objection to the product when it came out was that it WAS NOT based on Lotus Notes, and was exclusively J2EE. In addition to repeatedly referring to former Lotus Development Corporation head Jim Manzi as "Jim Monzi", here is what he had to say (and I will leave it to the community to dissect this):
"IBM as a company needs no background. It was a late entrant to the Sarbanes-Oxley compliance market when it launched a Lotus Notes based compliance tool called IBM Workplace for Business Controls and Reporting in October 2003. IBM under previous Chairman Lou Gerstner's leadership made a hostile acquisition of Jim Monzi's Lotus Development Corporation for USD 3.5 Billion at 64.50 USD per share in 1995 when the Lotus stock was trading at only USD 32 per share. It seems that IBM is till now trying to protect its investment in Lotus technology. In 1995 Lotus was a great concept when Internet Standards were evolving, but it no longer holds true in the new millennium. Lotus Notes was indeed one of the first to offer enterprise level collaboration and messaging capabilities. However, one of the biggest flaws of Lotus Notes was its performance. The other problem was its scalability. Lotus Notes operates on a proprietary protocol and on a non-standard web TCP/UDP port 1352. As a result Lotus Domino/Notes based architecture needs a company to install the whole server infrastructure at every location where Notes services are needed. This causes another compound problem of trying to ensure uniformity of separate databases in every location through replication mechanisms. Subsequently ultra lightweight collaboration/messaging technologies have evolved, but with the amount of investment made by IBM, it seems stuck to a 1995 pre-web days technology.

The leadership for IBM's Sarbanes-Oxley solution has been provided by Larry Bowden who is Vice President, IBM Workplace Software Solutions and works from Somers, NY. Previously Larry was Vice President of Portal Solutions and Lotus Products for IBM's Lotus Software brand, so the tool has a distinct Lotus Notes based flavor. Mr. Bowden was also instrumental in aggressively pushing the WebSphere Portal product line in his earlier role. It was quite natural that the WebSphere Portal product crept into IBM's Workplace for Business Controls and Reporting. WebSphere is another J2EE based application server technology. As said earlier, all J2EE based technologies are expected to have performance issues inherently. We now have a unique combination of Lotus Notes which is by itself slow, and J2EE WebSphere Portal on top of that. Larry holds a BS degree in engineering and an MBA, both from the University of Denver."
Now For The Punchline
You really have to read the full "report" to get a feel for how he slashes every product on the market, leaving nothing standing. In fairness, he does attack one vendor that I have criticized on this blog for many of the same reasons. Notwithstanding, it turns out that there is one product not mentioned: the one released in October 2005 by his current company. (Note that I am still waiting for a reply email from him to confirm if he is still working there.) To me, this is the start of crossing an ethical line. The author should have:
1. Dated the report;
2. Published a disclaimer indicating the company he is currently working for; and
3. Included referenced documentation for the statements and claims that he makes.
Finally, the author lost all claim to any ethical high ground by quoting a Listserv posting by a colleague, in its entirety, without obtaining the permission of the author and ISACA. If you ever see a copy of this report, just toss it away and make your decisions based on your own due diligence. The bottom line is that, from my perspective, the author and the paper have zero credibility.