IT directors could be forgiven for dreading the words "corporate governance and compliance".
The past few years have seen a slew of regulations - including Sarbanes-Oxley, International Accounting Standards and the forthcoming Basel 2 - that have significant implications for IT systems. They require IT directors to pull together data from scattered systems and verify its accuracy. Failure to supply adequate information to meet the regulations could lead to prosecutions resulting in substantial fines or imprisonment.
At a discussion earlier this month, set up by Organisation and Technology and Research, David Spinks, director of operational risk at software supplier EDS, suggested practical ways to ease the pain of compliance projects. He said UK companies should learn from the experience of US firms, which he claimed had underestimated the amount of work needed to comply with the Sarbanes-Oxley legislation.
"Companies have not given themselves enough time or resources to comply with Sarbanes-Oxley," said Spinks, who worked in the UK nuclear industry assessing risk before he joined EDS.
He advised IT directors to look for the overlap between compliance projects to avoid running numerous separate projects. "The biggest thing you can do is go to the board and say please can we do [compliance] in one project," he said.
He recommended that firms use the industry standards Coso (Committee of Sponsoring Organizations of the Treadway Commission) and Cobit (Control Objectives for Information and Related Technology) to assess business risk, as a basis for managing their compliance projects.