CRN: Do you see a lot of confusion out there in the VAR channel?
MacArthur: It’s absolutely enormous. One of the biggest confusions is ... a VAR is reluctant to get involved in risk and compliance because they think their job is to make the customer compliant, and it isn’t. The big difference is their job is not to make the customer compliant – it’s to reduce the cost of compliance and allow it to be monitored.
So for example, all US publicly held corporations operating out of Australia have to meet Sarbanes-Oxley 404 Internal Controls. (Section 404 requires a company to take responsibility for establishing and maintaining an internal control structure and procedures for financial reporting.) The deadline for that was the 15th of November last year.
So those subsidiaries of US companies or US corporations operating out of A/NZ right now have a problem, and that is how to reduce the cost of meeting those compliance requirements. So firstly they have to figure out an infrastructure play that’s going to deal with that around storage, server integration and so on. And the second thing they’ve got to work out is, ‘How can it be monitored efficiently by their auditors?’ Because Ernst and Young [for example] may come along every quarter and plug into that company and make an assessment about its risk and compliance strategy and how it’s meeting Sarbanes-Oxley.
The core business of a VAR is to reduce the cost of meeting certain business requirements. So what we’ve done is formalise the program in which a vendor such as IBM [or] HP can get involved and demonstrate a business case to the VAR. I want to make the VAR a successful business. We focus on that and go to IBM and say, ‘Look, take your [MDF] funds and invest in this way, it will pull through your product and give the VAR a solution sale’.
CRN: If this gap is not filled, what are these VARs going to potentially come up against if they don’t have the skills that are required?
MacArthur: If you talk at the top end of the market -- Deloitte, CSC, Accenture, Cap Gemini -- these players already get it. The mid-market is going to have to figure a way. The first thing that will happen is internal IT departments will do it themselves.
So the CIO will turn around to the head of compliance and say, ‘Our VAR doesn’t have a clue about this’. If you’re talking from an end user point of view, most CIOs will ask, ‘What can I do to extend my department?’ So one option is to say that the internal IT department will win the business. The second is hosters, IBM’s on demand strategy or HP’s Adaptive Enterprise strategy. You imagine ‘compliance on demand’.
It will become a combination of hosting, outsourced services, so a lot of the hosting and outsourcing companies will realise that there’s a big play there. Now if I’m a VAR suddenly there’s nobody to sell to. I’m not going to sell to the hoster.
The end user is buying the service and I’m potentially being taken out of the play. So what we’re trying to do is say, ‘No you don’t have to be taken out of the play, just focus on what is a true business case and maybe even team with a CPA firm’. The end user wants the accounting advice and to reduce the cost of compliance.
CRN: What about the businesses that do not have an IT department? There are a lot of VARs that service those types of businesses.
MacArthur: This is where the VAR could see managed services. One of the things about Sarbanes-Oxley is that the US subsidiary company has to be audited every quarter, which means you’ve got to run a whole series of reports.
That means VARs have the opportunity to develop a managed service proposition in conjunction with a CPA to help them run those reports and give the report to the audit firm and say, ‘OK we’ve run the reports for you and we’ll do so every quarter and at the same time, we’ll do a health check on the system and we’ll charge you a fee for that’. It’s giving the VAR a much more optimistic outlook.