Credit Suisse is pioneering the automation of IT risk controls to meet its compliance obligations around the world.
The move to automate follows three years of preparation by the global investment bank to cross-reference all of its key IT controls against a single framework.
Credit Suisse will use the automated platform to process the IT controls it has established to comply with regulations such as Sarbanes-Oxley in the US, and Basel 2 and the forthcoming Markets in Financial Instruments Directive in Europe.
"Mapping IT control frameworks onto a single framework and automating regulatory outputs is a fantastic move by Credit Suisse," said Forrester analyst Bill Nagel. "Not only will it allow them to satisfy the requirements of auditors but it must have boosted transparency internally to give the business a clearer view of the value that IT provides."
The bank, which has operations in 30 countries and more than £600bn in managed assets, built the automated IT controls platform with Swiss compliance specialist BIT-map.
The bank is already using it to track some group-level controls, and it expects to roll it out across its private banking operations in Europe, the Middle East and Asia by the end of the year.
"Our original deadline under Sarbanes-Oxley was April 2005, but later that became 2006," said Andrew Brice, Credit Suisse's head of IT risk and IT security risk control.
"Through our Sarbanes-Oxley activities we started to leverage our other compliance initiatives and to trace the connections between them. We soon realised the benefits of mapping them all as one."
Brice said the bank's IT governance framework was based on Cobit (Control Objectives for Information and related Technology), which was identified early on as the best overall IT governance framework for its purposes.
"By mapping all of the work going on across our operations to meet a raft of different regulations, we found what you would expect: a lot of duplication of effort and a lot of manual processes."
The bank has worked since 2003 to automate manual controls wherever it can to cut down on unnecessary testing, but Brice said there was still some way to go.
"In many ways we are still in the first phase of establishing best-practice IT controls. We are still primarily using spreadsheets to correlate and filter, and we still have to modify and update them as the frameworks change. But a lot of the core work on integrating IT frameworks with regulatory and business needs is there now, and IT is aligned much more closely with the business and has a higher corporate profile than previously," he said.