Compliance is an inescapable reality for IT execs these days, and it’s fair to say that they have something of a love/hate relationship with it. Compliance can tie up IT resources that could be put to more productive use elsewhere, and audits can sometimes be a wasteful and confounding process that has CIOs grabbing for the Bromo-Seltzer. As one audit-weary Canadian IT exec was heard to say recently, “My issue is understanding what auditors are looking for. If you want me to sing along, it might be helpful if you hummed a few bars.”
Yet many CIOs also see compliance as a catalyst for streamlining and organizing processes, leading to reduced complexity and lower costs. Burdensome as it can be, they see compliance as a good thing for both IT and the organization.
However they view it, the fact of the matter is that they'll have to deal with it whether they like it or not. Sarbanes-Oxley (SOX) legislation is the tip of the iceberg. There's an alphabet soup of regulation in the US, and Ontario's Bill 198 began coming into effect in December 2005. The Canadian Securities Administrators and the Ontario Securities Commission now have the authority to create their own regulations, and failure to meet their standards can bring financial penalties and even prison sentences.
IT compliance will be a struggle for some organizations because they have fallen behind in documenting and testing their IT controls. As well, companies may have resisted pulling IT personnel off tasks of perceived greater urgency simply to document processes.
To get ahead of the compliance wave, many CIOs will choose a framework such as ITIL or ISO 17799, assess their IT controls against it, and then close the gaps they find with adequate documentation and testing.
Cutting into complexity
No organization manages its IT systems to make them more complex, but somehow it just happens. Newer equipment and software are layered on legacy systems, and the systems themselves are in continuous evolution. Mergers, acquisitions and new lines of business introduce still more complexity. Even when the will is strong and the budgets are plump, consolidating IT operations is complicated, because it is difficult to phase out applications while preserving the data they hold.
“SOX, and presumably Bill 198, have the potential to generate a lot of documentation and we know that the first and second years can be literally horrible as that sorts itself out,” said Gary Baker, a Partner in Enterprise Risk at Deloitte & Touche LLP in Toronto.
Phil Deck, CEO of Waterloo, Ont.-based MKS, a provider of application lifecycle management products, has had lots of opportunity to study companies that face IT compliance issues. In his experience, companies that are already well managed and have worked to simplify business processes face a much lower hurdle with SOX.
“Most people were not as well documented as they should have been, but the ones with good processes did not have a big challenge,” he said. “Those with loosely integrated acquisitions or little coordination between divisions had a lot of work to do.”