The awful truth about compliance

Nevertheless, "the world of 'I trust you' is gone," says Ted Frank, CEO of Axentis, producers of governance and compliance solutions. Frank is dismayed at the lack of "a good, clean definition of compliance" within the enterprise. At a recent symposium of approximately 100 potential customers, he asked for a show of hands of how many believed they had such a definition. Not a single hand went up.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft Return to special report DOWNLOAD PDF Click here to download InfoWorld's special report Compliance

"You can keep trying to whack the mole, or step back and put together a plan that says, 'We're going to effectively manage risk,' " Frank says.

Risk management 101

At a time when IT managers are running their departments as a business anchored to the bottom line, their work is inextricably linked to the wider effort of implementing internal control processes that help ensure the accuracy of their company's financial statements. "If I'm the IT guy," Frank says, "I'm not going to build a darn thing without first bearing in mind how it fits into all the processes associated with risk management" -- namely, risk assessment, document retention (including e-mail), reporting, and auditing.

Today, risk assessment comes into play at every turn. No matter how lean the bank account or how thinly spread the resources, companies are developing their own strategies to mitigate risk.

A minimalist approach should start with assigning ownership of compliance activities to staff. At many Fortune 500 companies, you'll find well-established compliance teams that have been deputized with real authority and a direct line to the corner office. "One thing that wasn't done well in the first year [of Sarbanes-Oxley, 2002], something companies are starting to get right, is assigning ownership of controls -- knowing how processes will be monitored, day in and day out, and who's on top of them," says Robin Baker, vice president of corporate strategy at Certus Software, which specializes in enterprise governance software.

From there, a formal change management process is crucial. Strict governance laws are putting pressure on IT to automate internal processes because a software-driven approach can drastically reduce mishaps caused by human error or intentional fraud. Although no legislation mandates that a company's systems of checks and balances must be automated, to satisfy auditors, the trick is to formalize processes. For example, say the rules are changed so that managers who at one time could approve expenditures of as much as $500 are now empowered to sign off on $1,000 expenditures. The formal process would be in a verifiable system that guarantees that the change would be authorized by a designated individual and that when the change is entered into the system, there's no chance of an extra zero being typed in without alarms going off.

The next piece of the puzzle is document management software, which ensures that information is identified, indexed, and labeled at its point of origin and then is sent to the appropriate storage medium. Within this category, e-mail and IM activity should be treated in kind. Baker also stresses the importance of a compliance calendar: "You should schedule and know where you are at the macro level with all the deliverables and dependencies," he says.