Stronger IT governance is needed across the industry, a BCS conference has been told. Although IT has never before had such an important role in business, there is less control over it now than there once was, attendees said.
IT governance frameworks, such as Cobit, ITIL and Coso, have an important role in the IT landscape as a result of legislation such as the US Sarbanes-Oxley Act and the Patriot Act, which can land firms with heavy penalties for non-compliance. European regulations with implications for IT include Basel 2 and the Markets in Financial Instruments Directive.
It is because of regulations such as these that governance and compliance have become large industries, employing many thousands of people, the conference heard.
As well as facilitating adherence to Financial Services Authority initiatives, compliance can improve the integrity and management of a firm's data, attendees said.
IT compliance in the financial services sector promotes shareholder and customer value, and helps avoid financial scandals such as those that occurred at Enron and WorldCom. But too much governance bureaucracy can become a costly tick-box exercise.
The average bank needs between £15m and £25m to implement a typical IT-compliance programme, the conference heard. This prohibitive expense means that some smaller financial firms may shun IT governance best practice.
This lack of commitment to governance, and in turn to compliance, can result in disparate IT systems being used as a cost-cutting measure, attendees said.
Packaged compliance systems are now a common sight in the IT industry. However, the ever-changing nature of compliance means that there is still a demand for experts, even though compliance education has not yet been formalised.
Research suggests that no single technology or supplier can provide an IT system that solves all the problems that compliance presents. As a result of this, a multitude of systems and technologies are needed to achieve this goal, attendees said.
They suggested that a move towards standardised IT compliance systems would reduce the need for specialists across the industry and would result in more efficient governance practices. Compliance should be seen as an outcome and a value driver, not as a function in its own right, attendees said.