The awful truth about compliance

Corporate America is doing its best to understand and meet regulatory demands, but many companies are losing their way

At a time when IT managers are running their departments as a business anchored to the bottom line, their work is inextricably linked to the wider effort of implementing internal control processes that help ensure the accuracy of their company's financial statements. "If I'm the IT guy," Frank says, "I'm not going to build a darn thing without first bearing in mind how it fits into all the processes associated with risk management" -- namely, risk assessment, document retention (including e-mail), reporting, and auditing.

Today, risk assessment comes into play at every turn. No matter how lean the bank account or how thinly spread the resources, companies are developing their own strategies to mitigate risk.

A minimalist approach should start with assigning ownership of compliance activities to staff. At many Fortune 500 companies, you'll find well-established compliance teams that have been deputized with real authority and a direct line to the corner office. "One thing that wasn't done well in the first year [of Sarbanes-Oxley, 2002], something companies are starting to get right, is assigning ownership of controls -- knowing how processes will be monitored, day in and day out, and who's on top of them," says Robin Baker, vice president of corporate strategy at Certus Software, which specializes in enterprise governance software.

From there, a formal change management process is crucial. Strict governance laws are putting pressure on IT to automate internal processes because a software-driven approach can drastically reduce mishaps caused by human error or intentional fraud. Although no legislation mandates that a company's systems of checks and balances must be automated, to satisfy auditors, the trick is to formalize processes. For example, say the rules are changed so that managers who at one time could approve expenditures of as much as $500 are now empowered to sign off on $1,000 expenditures. The formal process would be in a verifiable system that guarantees that the change would be authorized by a designated individual and that when the change is entered into the system, there's no chance of an extra zero being typed in without alarms going off.

The next piece of the puzzle is document management software, which ensures that information is identified, indexed, and labeled at its point of origin and then is sent to the appropriate storage medium. Within this category, e-mail and IM activity should be treated in kind. Baker also stresses the importance of a compliance calendar: "You should schedule and know where you are at the macro level with all the deliverables and dependencies," he says.

Cover those bases, and you can move on to pass what Scalable's McBride calls the "village-idiot test," which demands that your company have, at a minimum, an IDS at the perimeter, virus and malware protection at the end points, and vulnerability-scanning tools. "You can't just pull a router out of the box and install it," he says. For example, to get at least a C or better, McBride explains, any Wi-Fi system would have to be fully encrypted and have hardened configuration settings.

The struggle for simplicity

Seldom are regulations prescriptive, which means neither Sarbanes-Oxley nor HIPAA nor SEC 17a-4 tells you exactly what to do to achieve full compliance -- contrary to popular belief, no provision gives instructions on which media to use for document storage, for example. And there's some confusion brought about by ambiguity in the language -- a good example of which are the words "rapid and current" in section 409 of Sarbanes-Oxley, which refer to disclosure of significant changes in financial condition or operations.