When compliance auditors dig deep, a company's technology infrastructure, processes and policies need to stand up to intense scrutiny.
Companies are looking to technology to prove that they are compliant with Sarbanes-Oxley (SOX), Europe's Basel II, HIPAA and a host of other industry- and country-specific regulations. Ultimately, automating compliance efforts should lead to a company's being able to legally defend how it's managing and protecting information, according to James Kobielus, principal analyst with Sterling, Va.-based Current Analysis Inc. Companies should consider how their processes and infrastructure will stand up to "forensic analysis," he said.
"You don't want your CEO to end up in jail, so you need to be able to build a case and defend it convincingly," Kobielus said. "Compliance ultimately comes down to governance of internal processes. That workflow and the underlying audit trail are your last line of defense against prosecution."
Despite big promises from vendors, analysts agree that automating regulatory compliance requires more than one kind of software or technology tool. It takes an infrastructure of data and process management software to effectively comply with regulations.
This year, companies will spend 10% to 15% of their IT budgets on compliance efforts, according to Stamford, Conn.-based Gartner Research Inc., and U.S. companies will spend more than $1.9 billion on technology for SOX compliance, according to Boston-based AMR Research Inc. Companies should look beyond finance department tools or software bearing the SOX compliance label, according to Michael Rasmussen, vice president with Cambridge, Mass.-based Forrester Research Inc.
"Compliance efforts should really be distributed throughout an organization," Rasmussen said. "Sarbanes-Oxley is a driver today, but in reality there are a lot of other compliance initiatives which will require a common management infrastructure."
On the positive side, though, compliance requirements may drive companies to fund much-needed updates to their processes and data management infrastructures, according to John Hagerty, vice president of research with AMR.
"The No. 1 side benefit of automating compliance activities is that you also streamline and standardize business activities. Technology reduces ambiguity, makes processes cleaner and makes you more efficient," Hagerty said.
Critical components of a compliance technology toolbox
- Information and application security: Protecting and securing information is the bottom-line requirement of many regulations and tends to be the biggest concern of IT groups working on compliance initiatives, Hagerty said. Tools for intrusion detection, encryption, and information and application security are essential for any compliance effort, he added.
- Identity and access management: All compliance mandates require control over access to sensitive information, Kobielus said. These tools provide user authentication, authorization and role-based access controls.
- Configuration and change management: Most regulations also require companies to lock down the configurations of critical software assets in order to maintain security and access controls, Kobielus said. Change management tools are important for allowing IT to maintain control over internal systems.
- Controls automation or continuous monitoring: This software acts as a "checks and balances" system governing compliance-impacting processes, Hagerty said. For example, it might continuously monitor finance systems to ensure that all invoices over $10,000 are reviewed by a supervisor before being paid. Then the tool would generate an alert if an employee were to skip a required step.
- Business process management (BPM): Regimented, auditable workflows are a requirement of many regulations, including SOX, Hagerty said. Compliance requires the rigid documentation and enforcement of processes. BPM software helps create, manage and monitor the execution of processes, he said.
- Governance, risk and compliance management: These tools are commonly associated with SOX compliance and help companies create and document corporate policies, according to Hagerty. They help manage the general rules that govern a company's operations and provide a compliance framework.
- Document and records management: Most regulations dictate what information a company must keep and for how long, Hagerty said. Some of these tools just manage the rules and policies for document storage, while some act as actual document repositories.
- Business intelligence (BI) and corporate performance management (CPM): Fundamentally, compliance is about reporting, and reporting is the core of BI, Kobielus said. Analysts agree that BI features such as reporting, scorecarding, dashboards and analytics help companies uncover and react to issues that could affect compliance. CPM tools that manage internal activities also help companies stay on top of compliance-related efforts.
- Data management essentials: A solid data management strategy should be at the core of any compliance effort, Kobielus believes. A data warehouse and data quality tools are critical for integrating information and cleansing it for financial reporting. And, master data management ensures consistency and accuracy -- both compliance fundamentals, he said.
- Professional services: It's difficult to understand compliance requirements, Kobielus said. So -- just as one might look to a tax professional to explain the tax code -- compliance professionals are almost essential for interpreting different regulatory requirements.
Prioritizing compliance software investments
The list of compliance-supporting technologies can look a lot like a sophisticated data management infrastructure, so where does a company with limited time, money and people start investing?
It's about narrowing down the scope of efforts and focusing on the most important data and processes first, Hagerty said. Initial SOX-compliance efforts were prone to overkill and exaggerated responses, he said, owing to lack of guidance from governing bodies and understandable fear of potential repercussions.
"In the absence of guidance, folks assumed the worst and did the most," Hagerty said. "Now people are reducing their scope and asking what activities are really related to compliance."
That means assessing where the real problems lie, prioritizing efforts, and synchronizing compliance automation plans with data management roadmaps, Hagerty said.
It also means that companies should be discerning when it comes to purchasing compliance software. Some companies have run into unexpected scalability problems or found that a product doesn't help them as much as they thought it would, Forrester's Rasmussen said, adding that it's critical to really understand the requirements of regulation and do a proof of concept.
"There's a lot of confusion, bad marketing and messaging happening out there," Rasmussen said. "Read the regulations, try out the product, and find out whether it will really help do what's required."