Lessons learned on the road to compliance

No one is doing jail time for failing to comply with the recent flood of federal regulations -- yet.

So, it’s too early to know exactly how the feds will deal with executives who don’t bring their enterprises in line with all the new mandates. (Sarbanes-Oxley is indisputably the 800-pound gorilla, but it shares the zoo with HIPAA, the Patriot Act, and SEC 17a-4, to name a few.)

But it’s never too soon to learn from the experience of IT implementers who have been grappling with regulatory compliance issues for years. They’ll tell you the road to compliance is fraught with nonbudgeted expenses, steep learning curves, and plenty of gotchas. To better navigate around the worst pitfalls, here are some major considerations to bear in mind. After all, why learn the hard way?

Build a leadership team and deputize its members

Bad things happen in a leadership vacuum, so it’s important to have a well-defined compliance team that has real authority and a direct line to the corner office.

John Hagerty, an analyst at AMR Research, cites a large pharmaceutical company that allowed the finance team to try to tackle Sarb-Ox compliance. The CFO assured the CIO that everything was under control, thanks to some great auditing software. As deadlines swiftly approached, finance turned it all over to IT. When the CIO got his first look at the “great” software, he saw nothing but a desktop tool based on Microsoft Access -- hardly up to the task of satisfying external auditors.

A knowledgeable compliance team could have nipped this in the bud. In this case, the CIO gave in to the temptation to put too much trust in the finance people. Julie Marobella, an analyst at IDC, sees this scenario all too often. “I hear CIOs say, ‘Compliance? Piece of cake. The finance department is taking care of it.’ I worry about those people,” she says.

This was not the case at Energen, a drilling and natural-gas company. Sage Wagner, the SAP security lead, says the company’s CFO got out in front early. “Our CFO called a meeting of the entire IT staff and said, ‘My neck is on the line here. If we can’t deliver on compliance, you are out of a job. And if your boss is not giving you the support or the tools you need, come to me!’ ”

Wagner says this blunt speech was necessary. “Nine months ago it was pandemonium around here. We all complained, and we weren’t ready for Sarb-Ox,” he says. “It is very different now. We’re getting it done.”

Wagner says it’s a mistake to think you can just allow your Sarb-Ox strategy to evolve. “You have got to have a consistent approach, and that takes leadership,” he says.

Building a compliance leadership team also brings fringe benefits. McDonald’s built a global Sarb-Ox team. “Our work on Sarb-Ox controls has helped us streamline some business processes, and we also now see that we need to work toward a consistent, global sign-on procedure,” says Chris Jensen, the team’s senior project specialist.

External auditors are not your gurus

External auditors play an almost godlike role. It is the auditors who will scrutinize Sarb-Ox 404 reports, for example. These are the documents signed by the CEO and CFO that affirm the systems behind the numbers are sound.