Making Compliance Worth the Pain

Many companies are just now starting to recover from the “SOX hangover”, caused by large amounts of effort and money required for their initial SOX (Sarbanes-Oxley Act) compliance efforts. Many are likely wondering whether there was any actual gain to the company in all this effort—other than complying with the letter of the law.

In fact, a recent analyst report suggested that 37% of those surveyed felt SOX compliance served no useful purpose for their company.

These reactions are not surprising at all. Yet, this approach is counterproductive, and IT executives who adopt this view are missing out on a major opportunity to improve their business performance in a number of dimensions. And, for every executive who feels this way, there is a competitor who doesn’t: One who recognizes the potential leverage they can gain from their compliance.

These executives will gain significant competitive advantage.

The Compliance Lifecycle

It is possible to view the typical compliance lifecycle of many enterprises as having three phases: First, initial compliance is achieved, often by the “brute force” approach of simply creating or documenting internal manual controls sufficient to meet the needs of the regulation.

The second phase involves automation of the internal controls, resulting in an infrastructure that is significantly more efficient, as well as more secure, than the non-automated control environment.

The final phase often involves leveraging the activities performed for compliance to actually improve the performance of the business.

Rather than simply meeting the letter of the law, IT managers can use this effort to create a more efficient, effective, and competitive IT operation.

So, how can organizations most effectively leverage their compliance activities to improve their business? The first step is to truly embrace compliance.

These regulations are not going away, there are new ones coming down the pike all the time, and existing ones are extremely unlikely to be weakened in any significant way. Therefore, compliance is here to stay, and the quicker organizations can make it a part of their corporate “DNA”, the quicker they can start to improve their business.

Start by decentralizing the compliance process so the actual internal controls are managed as close to the data as possible. Let the process owners create the controls documentation and ensure controls are working effectively.

This work will, of course, be audited by any number of internal and external IT auditors, but the successful implementation of any compliance effort must be the responsibility of the involved business units.

This decentralization of controls should be part of a centralized and consistent compliance strategy. If every organizational unit attempts to meet the requirements of a given regulation in their own way, the result will be confusion and a much harder auditing effort.

So, ensure there is a strong, centralized compliance strategy and monitoring process, but let the actual controls be individually managed and measured by the affected groups.

Next, make sure that everyone views compliance as part of their responsibilities.

Compliance isn’t something done by the external auditors who come in periodically and review progress. It should be done daily by everyone in the enterprise whose job responsibilities touch any of the defined internal controls.

Improving Business Performance

This all sounds fine in theory (of course), but how can you actually improve business as a result of a long and arduous compliance effort? The actual details of how you could improve the business are often specific to each enterprise, but let’s look at some of the typical, and very compelling, business improvements that can be made.

Risk Reduction. Many companies have discovered that SOX compliance efforts have resulted in a stronger set of internal security controls. For example, control over user access to protected applications and data is stronger and more consistent across the entire enterprise.

Reducing the IT risk also serves to reduce overall corporate risk. A lowered corporate risk of financial impropriety makes the company more attractive to investors as well as acquirers.

It also has the tangible financial benefit of lowering personal liability insurance costs for directors and officers. Ultimately, it can also reduce the effort required, and therefore the cost, of ongoing external audits.

Improved Efficiency. Compliance generally serves to expose and correct weak or non-existent internal controls. So, before you conclude compliance is merely a black hole of resources and money, you should consider how these activities, expensive though they may be, can actually help to reduce IT costs moving forward.

Improved Business Process. One of the most important benefits of an enterprise’s compliance program is the opportunity to analyze internal controls and business processes in depth.

Compliance generally requires a deep understanding as well as documentation of these processes in order to ensure their correct and successful operation. Many times, the result of this analysis is the identification of inefficient, redundant, or ineffective internal controls and processes.

Correction of these problems can often greatly streamline the business operation, as well as improve the overall security of the entire IT infrastructure.

A secondary, but nonetheless important, benefit of compliance is to improve the accountability of the organization.

Analysis of internal processes should include the identification of clear responsibility for each phase or step in a given business process. As we all have seen in our daily work environments, clear accountability typically brings about improved performance, and compliance is no exception to this rule.

Improved Decision-Making. One of the primary goals of the security controls required for SOX compliance is to ensure that the wrong people do not get access to, and cannot modify, any protected financial or corporate information. But, a side-effect of a strong set of access management controls is often that the right people can now get access to this protected information more quickly and more easily.

When access to critical business information is more timely, the result is better planning, better budgeting, and overall better decision-making. And, to state the obvious, better and more efficient decision-making can improve the overall competitive position of a company.

This is one of the important areas that is often overlooked by people who are responsible for corporate compliance efforts. They often become so focused on meeting the letter of the law that they overlook the potential benefits compliance activities can bring to the company.

When they experience more efficient processes that lead to streamlined and more effective business operations, the benefits of their long, painful compliance efforts finally become clear.

Sumner Blount is director of Product Solutions, eTrust Security Division, for Computer Associates.