Published on FierceSarbox (http://www.fiercesarbox.com)

Compliance Readiness--A Way of Life

By admin
Created Apr 16 2007 - 8:01pm

By Paul Reymann, CEO, ReymannGroup

Over the past few years, organizations have undertaken massive efforts to implement Sarbanes-Oxley Act (SOX) Sections 302 and 404 requirements. Yet many organizations face other compliance requirements in addition to Sarbanes-Oxley--HIPAA, GLBA, FISMA, and others.

For companies that are publicly traded, financial service providers, healthcare providers, government agencies and others, noncompliance with new rules carries significant risk and sanctions. Common among these laws and rules are requirements that companies are proactive in strategically managing business and IT processes, applications, information, technology, facilities, and security. Management is now accountable for creating a risk management environment that recognizes the bonds between technology infrastructure, business processes, reputation, compliance, and effective internal controls. A company's ability to comply with these mandates materially affects its day-to-day success and long-term performance.

Common Compliance IT Threads

Many compliance requirements and rules are mandated across multiple laws and adopted industry initiatives. Fundamentally common among many of today's compliance mandates is the need for technology solutions that help enable a company to:

Each compliance requirement carries associated costs; companies that are subject to multiple requirements must find ways to reduce their compliance costs. The effort to comply with multiple regulations simultaneously creates process challenges--overlap of compliance efforts between multiple groups; differing audit perspectives and requirements; priority setting; and potential confusion resulting from implementing overlapping controls.

By focusing on the common aspects of these laws, organizations can avoid duplicate efforts and streamline their compliance program. Here's how to create a robust and coordinated IT compliance program that leverages best practices to support operational excellence:

Create a culture of accountability

Achieving compliance begins with commitment from the organization's top executives, and achieving IT control begins with the CIO. When the CIO insists on defining processes and instituting a culture of effective controls and accountability, an organization will be able to achieve its compliance goals, as well as attain new levels of operational excellence. Auditors call this the "tone from the top." Management must say and do the right things to reinforce the need for controls to be successful.

Optimize Internal Audit Resources

With a culture of accountability established, organizations can then optimize their use of internal audit resources, in addition to trusted partners and technologies. Auditors and audit technology can provide early insights into areas of strength. They can also help identify weaknesses that create a competitive disadvantage and potential noncompliance. And they can highlight other risks to daily operations. Organizations of all sizes are discovering that material audit findings and problems increase their audit costs, expose them to higher reputation and compliance risk, and lead to financial reporting errors and delays.

Best Practices Enable Compliance

Regulatory requirements frequently offer a high-level, process- and risk-focused framework for achieving compliance--not detailed, actionable practices. Therefore, CIOs, compliance officers and other senior executives must rely on industry-recognized best practices and internal control methodologies to help them identify appropriate steps to enable compliance. Standards that are commonly referenced include those issued by the Committee of Sponsoring Organizations (COSO) or defined in the Control Objectives for Information and Related Technology (CobiT). The Payment Card Industry (PCI) Data Security Standard has been defined to help establish effective controls throughout merchant networks. These and other standards create new operations, technology and information security mandates--as well as new challenges.

Specifically, these regulations and best practice standards require that organizations assure security, prove the effectiveness and separation of controls, document changes, and be able to provide the underlying detail. However, for some organizations, this can be more challenging than it appears. According to a recent KPMG survey, IT controls dominate the significant deficiencies and material weaknesses identified through the SOX 404 assessment. Change controls account for most of these weaknesses.

Audit Technology is an Enabler

Effective change control auditing requires automated preventive controls, independent detection, proactive corrective capabilities, and real-time reporting in order to meet regulatory control, evaluation, and disclosure requirements. Companies can implement technology to support such processes and make it easy for people to do the right thing.

Perform Pre-audit Reviews

Adopting a "no-surprise" stance, many companies now perform pre-audit reviews to help identify problems and weaknesses early and allow sufficient time to correct problems. Many of these pre-audit reviews focus on the information technology infrastructure and use audit technology solutions to quickly identify the areas of most concern and prioritize remediation resources. While internal and external audits will always find some area of improvement, pre-audit reviews help effectively manage formal audits and limit material findings.

Self-assess Your Readiness

Use this Compliance Self-Assessment Checklist to jump-start your efforts to assess your organization's compliance readiness and opportunities for improvement--any negative response suggests an area of exposure that may require additional attention:

1. Does your Board and management set the "tone at the top" and communicate compliance and ethics values, mission and vision to all staff effectively?

2. Is your compliance program integrated with your overall business strategy?

3. Do you assess compliance risks and does this process integrate with your enterprise risk management (ERM) efforts?

4. Is there a senior position in the organization that provides oversight and leadership for the compliance and ethics efforts, and does this position have sufficient organizational status to be effective?

5. Is your process for updating policies and procedures effective?

6. Do you provide comprehensive training and conduct performance evaluations for each job to ensure compliance responsibilities are understood and adhered to, and that necessary skills are learned and employed?

7. Are employees, agents, and other stakeholders able to safely raise issues regarding compliance and ethics-related matters?

8. Do you scrutinize the source of compliance failures?

9. Has the organization been consistent when taking action against violators of the Code and Program?

10. Is there an ongoing process in place to monitor the effectiveness of the compliance and ethics program? And is there a process for determining which issues are escalated to the Board and for informing the Board when issues are resolved?

It is imperative to develop a culture of compliance throughout your enterprise that enables business units and auditors to work together to implement and maintain the most cost-effective IT control infrastructure. CIOs and senior managers need to assign resources (whether internal or outsourced) to significantly shorten compliance attainment times, enhance the organization's overall compliance posture, and minimize business disruption.

With increased privacy and security awareness among consumers, businesses and elected officials, best practices are being incorporated into new laws and regulations that mandate higher operations, security, and risk management standards. Today's organizations must be able to prove that their corporate governance, internal controls, network infrastructure, business processes, and operations are safe, sound, and secure. New laws and rules now dictate how businesses must govern, work, communicate, and securely interact throughout the internal corporate structure and with external parties such as customers and strategic resource partners. Such mandates directly impose obligations on the CIO to ensure that effective IT controls are established throughout the organization. Operational excellence is no longer a prudent business decision--it's a way of life.

Paul Reymann is one of the nation's leading financial institutions regulatory experts and co-author of Section 501 of the Gramm-Leach-Bliley Act Security rule. Fortune 500 companies have leveraged Mr. Reymann's subject matter expertise to develop successful go-to-market strategies for information security and technology products and services within key vertical markets.

Mr. Reymann is recognized in the prestigious 2006 Heritage Registry of Who's Who. He is referenced frequently in industry news and magazine articles. He is also the author of numerous articles and papers on technology risk, transactional web sites, customer information, network security and other technology and safety and soundness topics. You can reach Paul at paul@reymanngroup.com or (410) 956-7336.

Source URL: http://www.fiercesarbox.com/story/compliance-readiness--a-way-of-life/2007-04-17