Compliance is an inescapable reality for IT execs these days, and it’s fair to say that they have something of a love/hate relationship with it. Compliance can tie up IT resources that could be put to more productive use elsewhere, and audits can sometimes be a wasteful and confounding process that has CIOs grabbing for the Bromo-Seltzer. As one audit-weary Canadian IT exec was heard to say recently, “My issue is understanding what auditors are looking for. If you want me to sing along, it might be helpful if you hummed a few bars.”
Yet many CIOs also see compliance as a catalyst for streamlining and organizing processes, leading to reduced complexity and lower costs. Burdensome as it can be, they see compliance as a good thing for both IT and the organization.
However they view it, the fact of the matter is that they’ll have to deal with it whether they like it or not. Sarbanes-Oxley (SOX) legislation is the tip of the iceberg. There’s an alphabet soup of regulation in the US, and Ontario’s Bill 198 began coming into effect in December, 2005. The Canadian Securities Association and the Ontario Securities Commission now have the authority to create their own regulations, and failure to meet their standards can bring financial penalties and even prison sentences.
IT compliance will be a struggle for some organizations because they have fallen behind in documenting and testing their IT controls. As well, companies may have resisted taking IT personnel off tasks of perceived greater urgency just to document processes.
To get ahead of the compliance wave, many CIOs will choose a framework like ITIL or ISO 17799, audit their IT controls for flaws, and then correct those flaws with adequate documentation and testing.
Cutting into complexity
No organization manages its IT systems to make them more complex, but somehow it just happens. Newer equipment and software is layered on legacy systems, and the systems themselves are in continuous evolution. Mergers, acquisitions and new lines of business may introduce more complexity. Even when the will is strong and the budgets are plump, consolidating IT operations is complicated because it is difficult to phase out applications and maintain data at the same time.
“SOX, and presumably Bill 198, have the potential to generate a lot of documentation and we know that the first and second years can be literally horrible as that sorts itself out,” said Gary Baker, a Partner in Enterprise Risk at Deloitte & Touche LLP in Toronto.
Phil Deck, CEO of Waterloo, Ont.-based MKS, a provider of application lifecycle management products, has had lots of opportunity to study companies that face IT compliance issues. In his experience, companies that are already well managed and have worked to simplify business processes face a much lower hurdle with SOX.
“Most people were not as well documented as they should have been, but the ones with good processes did not have a big challenge,” he said. “Those with loosely integrated acquisitions or little coordination between divisions had a lot of work to do.”
That proved to be a major problem for many IT-specific SOX audits in the US, because in other areas of the company, like sales or administration, ERP and CRM systems already managed those activities with a good degree of process integrity.
“In the IT department, that really was not done, so you had a lot of home-grown solutions, poorly documented processes, no way of enforcing process, no way of getting good visibility into what people’s activities were,” Deck said. “IT has a much larger hurdle showing they have good process because sometimes they really don’t have a process. That has been a significant factor with virtually all of our customers in the US and in Canada.”
Complexity can even originate with the regulators themselves, as IT managers at Navtech Inc. of Waterloo, Ontario, have discovered. The company creates and supports flight operations software and services for more than 250 airline customers around the world. Its products include aeronautical charts, navigation data, flight planning and crew planning.
Navtech IT director Russell Speers reports directly to his CEO. “The reality of what we are discovering as we try to comply with SOX is that it changes. It changed just last week. It’s shifting and mutating, so it is a little difficult for us to implement towards it. We were already well on the way to compliance, but they have in fact changed the envelope about what it means to comply. For smaller companies they are trying to find ways to make compliance more practical, but there is still guidance to come on exactly what that means.”
Containing the cost
Companies that use the ‘brute force’ approach to achieve compliance by bringing in the auditors for several weeks are missing the point. A well-managed approach starts with well-understood business processes and achieves compliance by managing them properly. As a white paper by the Canadian Institute of Chartered Accountants said of the US compliance experience, “Often there was simply no time to investigate or develop more robust knowledge-management solutions, and to train the teams of consultants on how to use them. As a consequence of this initial focus on achieving ‘success’, in many cases the solution implemented may have been sub-optimal.”
Jim Duggan, a vice president of Application Development Management Research at Gartner said, “We have a large number of firms whose initial approach was to just pay the bill and let the auditors establish all the traceability and so forth. In many cases that will suffice but it is an intensive, expensive process. Smart people say, ‘I need to have my processes in place so the auditors do the process, not the data’.”
“It is much more important to actually improve the underlying business process, with compliance as a secondary objective,” said Phil Deck of MKS. “It is still an important objective, but if you try to just do compliance you may end up with a process that is just so broken in terms of its ability to work in a business context that people don’t cooperate with it.”
Deck believes well-managed processes require a high degree of employee buy-in. “If it is just about compliance with no other kind of advantage offered on a day-to-day basis then people aren’t going to be very cooperative,” he said.
There are added benefits to managing IT compliance, including a higher degree of visibility into the organization. As Deloitte’s Gary Baker said, “How can I use this single view of my enterprise? If your company is involved in mergers and acquisitions, this level of documentation will provide real benefits. What is the goal? The goal is to reduce testing cost to zero.”
Right on track
BNSF Railway Company operates in 28 states and two Canadian provinces. BNSF Technology Services Assistant Vice President, Jeffrey McIntyre, said, “Standardized processes and tools across our distributed teams and locations ultimately aid in our compliance efforts, but more importantly, it makes our development process more efficient and our staff more productive.”
When BNSF had to improve its software-development processes for SOX compliance, it looked beyond the immediate task to standardize its release-management and application-deployment processes, further automate development, and help create a corporate dashboard to measure enterprise-wide efficiency and effectiveness. As McIntyre said, “Being able to automate the development lifecycle, as well as meet those compliance requirements, was kind of the frosting on the cake.”
According to Jim Duggan of Gartner, “A lot of that process discipline flows into process areas other than strictly the critical measurements that SOX or 198 would call for. You can’t really have sufficient control over just those core measures unless you have the same controls on the rest of the software. It is much more expensive to say we will just do this for the financials. That attention to process is the next step they will have to go to and I will expect you to see exactly the same learning process with 198. There will be sticker shock from the auditors as people realize that money is not investment but rent.”
Y2K shone a bright light into IT operations, but IT compliance brings a new level of ongoing scrutiny. “I think it is a big culture change for the IT department,” said Deck. “In the nineties there was not a lot of questioning about the value of technology spending. People spent on faith. After Y2K, a lot of people realized technology spending was like any other spending. It doesn’t have a special exemption.”
Companies that wanted to scrutinize spending realized they simply couldn’t see what was going on in the IT department, because there was rarely a software infrastructure for control or monitoring. “There were dozens of desktop applications out there. They all had different repositories and different ways of extracting data from them, so to actually get a real picture of IT was hard. You could look into sales or purchasing or HR, but IT was different,” Deck said. “CIOs knew they needed a control infrastructure for operations.”
Jim Duggan agreed. “After Y2K, CIOs reported they were under more pressure about cost justification,” he said. One CIO indicated that the CFO told him, ‘If any other department in the business was as bad at meeting schedules and cost estimates as you are, the manager would have been fired years ago’. According to Duggan, CIOs have to be more systematic and better financially. “In a very real sense this is driving a cultural change,” he said. “It is saying we are going to fence the frontier – this is a business, not a barn-raising.”
For the CIO, IT compliance can and often does mean a major change in role. As Duggan said, “The old role for the CIO was leader of the technical effort. The two new roles are financial and project steward with responsibility to deliver on time and on budget, and that is being enforced more from a SOX and 198 perspective.” The other piece is the corporation’s need for technology guidance – an executive role. “To be worthy of it, you must be financially responsible. To earn the seat at the boardroom table, CIOs need to play by the same rules and standards as the rest of the people there: I manage repeatable processes; I am not managing artists, I am managing processes; and, I deliver.”
Many companies will fall under a variety of regulatory regimes, depending on their industrial sector, and each will have changing demands and deadlines. Shifting mandates, standards and deadlines will require a high degree of flexibility and control to remain in compliance.
In the rush to achieve ‘year one’ compliance, the temptation and perhaps the necessity to use existing tools is sometimes overwhelming, placing unsustainable stress on personnel who must perform manual tasks under deadline pressure to achieve a passing grade.
As Navtech’s Director of Software Development Michael Yeo advised, “Don’t do compliance for the sake of compliance. Figure out what is good for the business and the customers, and do that. We will make sure we hit the moving target as we go, but we are really focusing on doing what is right.”
–Richard Bray is a freelance writer based in Ottawa.