When compliance auditors dig deep, a company's technology
infrastructure, processes and policies need to stand up to intense
scrutiny.
Companies are looking to technology to prove that they are
compliant with Sarbanes-Oxley (SOX), the Basel II banking accord,
HIPAA and a host of other industry- and country-specific
regulations. Ultimately, automating compliance efforts should lead
to a company's being able to legally defend how it's managing and
protecting information, according to James Kobielus, principal
analyst with Sterling, Va.-based Current Analysis Inc. Companies
should consider how their processes and infrastructure will stand
up to "forensic analysis," he said.
"You don't want your CEO to end up in jail, so you need to be
able to build a case and defend it convincingly," Kobielus said.
"Compliance ultimately comes down to governance of internal
processes. That workflow and the underlying audit trail are your
last line of defense against prosecution."
Despite big promises from vendors, analysts agree that
automating regulatory compliance requires more than one kind of
software or technology tool. It takes an infrastructure of data and
process management software to effectively comply with
regulations.
This year, companies will spend 10% to 15% of their IT budgets
on compliance efforts, according to Stamford, Conn.-based Gartner
Research Inc., and U.S. companies will spend more than
$1.9 billion on technology for SOX compliance, according to
Boston-based AMR Research Inc. Companies should look beyond finance
department tools or software bearing the SOX compliance label,
according to Michael Rasmussen, vice president with Cambridge,
Mass.-based Forrester Research Inc.
"Compliance efforts should really be distributed throughout an
organization," Rasmussen said. "Sarbanes-Oxley is a driver today,
but in reality there are a lot of other compliance initiatives
which will require a common management infrastructure."
On the positive side, though, compliance requirements may drive
companies to fund much-needed updates to their processes and data
management infrastructures, according to John Hagerty, vice
president of research with AMR.
"The No. 1 side benefit of automating compliance activities is
that you also streamline and standardize business activities.
Technology reduces ambiguity, makes processes cleaner and makes you
more efficient," Hagerty said.
Critical components of a compliance technology toolbox
- Information and application security: Protecting and
securing information is the bottom-line requirement of many
regulations and tends to be the biggest concern of IT groups
working on compliance initiatives, Hagerty said. Tools for
intrusion detection, encryption, and information and application
security are essential for any compliance effort, he added.
- Identity and access management: All compliance mandates
require control over access to sensitive information, Kobielus
said. These tools provide user authentication, authorization and
role-based access controls.
- Configuration and change management: Most regulations
also require companies to lock down the configurations of critical
software assets in order to maintain security and access controls,
Kobielus said. Change management tools are important for allowing
IT to maintain control over internal systems.
- Controls automation or continuous monitoring: This
software acts as a "checks and balances" system governing
compliance-impacting processes, Hagerty said. For example, it might
continuously monitor finance systems to ensure that all invoices
over $10,000 are reviewed by a supervisor before being paid. Then
the tool would generate an alert if an employee were to skip a
required step.
- Business process management (BPM): Regimented, auditable
workflows are a requirement of many regulations, including SOX,
Hagerty said. Compliance requires the rigid documentation and
enforcement of processes. BPM software helps create, manage and
monitor the execution of processes, he said.
- Governance, risk and compliance management: These tools
are commonly associated with SOX compliance and help companies
create and document corporate policies, according to Hagerty. They
help manage the general rules that govern a company's operations
and provide a compliance framework.
- Document and records management: Most regulations
dictate what information a company must keep and for how long,
Hagerty said. Some of these tools just manage the rules and
policies for document storage, while some act as actual document
repositories.
- Business intelligence (BI) and corporate performance
management (CPM): Fundamentally, compliance is about reporting,
and reporting is the core of BI, Kobielus said. Analysts agree that
BI features such as reporting, scorecarding, dashboards and
analytics help companies uncover and react to issues that could
affect compliance. CPM tools that manage internal activities also
help companies stay on top of compliance-related efforts.
- Data management essentials: A solid data management
strategy should be at the core of any compliance effort, Kobielus
believes. A data warehouse and data quality tools are critical for
integrating information and cleansing it for financial reporting.
And master data management ensures consistency and accuracy -- both
compliance fundamentals, he said.
- Professional services: It's difficult to understand
compliance requirements, Kobielus said. So -- just as one might
look to a tax professional to explain the tax code -- compliance
professionals are almost essential for interpreting different
regulatory requirements.
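The controls-automation item above describes a rule (every invoice over $10,000 is reviewed by a supervisor before it is paid) and an alert when a step is skipped. The following is an added example, not code from the article or from any vendor's product, of how such a continuous-monitoring check is typically evaluated over an audit trail. The invoice records, the supervisor list and the field names are constructed assumptions; in a real deployment the records come from the finance system and the role data from the identity management tool. It goes a little beyond the article's single rule by also flagging the two failure modes a controls reviewer would expect: an approver who is not a supervisor or who is the same person who submitted the invoice (segregation of duties), and an approval that was only recorded after the payment went out.

```python
"""Continuous-control check for a supervisor-review rule on invoices.

Added example (not from the original article). Evaluates constructed
invoice records against the rule "invoices over $10,000 must be reviewed
by a supervisor before payment" and returns the violations a
controls-automation tool would raise as alerts.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

REVIEW_THRESHOLD = 10_000          # rule from the article: "over $10,000"
SUPERVISORS = {"alice", "dave"}    # assumed role data; normally pulled from IAM


@dataclass
class Invoice:
    invoice_id: str
    amount: float
    submitted_by: str
    approved_by: Optional[str]        # None when no review was recorded
    approved_at: Optional[datetime]   # when the review was recorded
    paid_at: Optional[datetime]       # None while the invoice is unpaid


def check_invoice(inv: Invoice) -> list[str]:
    """Return the control violations for one paid invoice (empty = compliant)."""
    findings: list[str] = []
    # Out of scope: at or below the threshold, or not yet paid.
    if inv.amount <= REVIEW_THRESHOLD or inv.paid_at is None:
        return findings
    if inv.approved_by is None or inv.approved_at is None:
        findings.append("paid without recorded supervisor review")
        return findings
    if inv.approved_by not in SUPERVISORS:
        findings.append(f"approver {inv.approved_by!r} is not a supervisor")
    if inv.approved_by == inv.submitted_by:
        findings.append("approver is also the submitter (segregation of duties)")
    if inv.approved_at > inv.paid_at:
        findings.append("approval recorded after payment")
    return findings


def run_control(invoices: list[Invoice]) -> dict[str, list[str]]:
    """Evaluate every invoice; map invoice_id -> findings for violators only."""
    return {inv.invoice_id: f for inv in invoices if (f := check_invoice(inv))}


# Constructed sample audit trail (not real data).
SAMPLE_INVOICES = [
    Invoice("INV-1", 25_000, "bob", "alice",
            datetime(2024, 3, 1, 9), datetime(2024, 3, 2, 10)),    # compliant
    Invoice("INV-2", 15_000, "bob", None, None,
            datetime(2024, 3, 2, 11)),                             # skipped review
    Invoice("INV-3", 12_000, "carol", "carol",
            datetime(2024, 3, 1, 9), datetime(2024, 3, 3, 9)),     # self-approved, not a supervisor
    Invoice("INV-4", 10_000, "bob", None, None,
            datetime(2024, 3, 2, 12)),                             # at threshold, out of scope
    Invoice("INV-5", 30_000, "bob", "dave",
            datetime(2024, 3, 5, 9), datetime(2024, 3, 4, 9)),     # approved after paying
    Invoice("INV-6", 50_000, "erin", None, None, None),            # unpaid, not yet in scope
]


if __name__ == "__main__":
    for invoice_id, findings in run_control(SAMPLE_INVOICES).items():
        for finding in findings:
            print(f"ALERT {invoice_id}: {finding}")
```

The check is deliberately run over the recorded approval trail rather than over a "review required" flag in the workflow tool, which is the point of the article's "checks and balances" framing: the control is tested against evidence of what actually happened, so a bypassed workflow step shows up as a missing or out-of-order approval rather than going unnoticed.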
Prioritizing compliance software investments
The list of compliance-supporting technologies can look a lot
like a sophisticated data management infrastructure, so where does
a company with limited time, money and people start investing?
It's about narrowing down the scope of efforts and focusing on
the most important data and processes first, Hagerty said. Initial
SOX-compliance efforts were prone to overkill and exaggerated
responses, he said, owing to lack of guidance from governing bodies
and understandable fear of potential repercussions.
"In the absence of guidance, folks assumed the worst and did the
most," Hagerty said. "Now people are reducing their scope and
asking what activities are really related to compliance."
That means assessing where the real problems lie, prioritizing
efforts, and synchronizing compliance automation plans with data
management roadmaps, Hagerty said.
It also means that companies should be discerning when it comes
to purchasing compliance software. Some companies have run into
unexpected scalability problems or found that a product doesn't
help them as much as they thought it would, Forrester's Rasmussen
said, adding that it's critical to really understand the
requirements of regulation and do a proof of concept.
"There's a lot of confusion, bad marketing and messaging
happening out there," Rasmussen said. "Read the regulations, try
out the product, and find out whether it will really help do what's
required."
This article originally appeared on SearchDataManagement.com.