Business Technology

Sunday, April 08, 2007

Emerging Trends in Compliance

March 2007, from the IT Compliance Institute: in this article the author discusses emerging trends in compliance, including the following:

“The first several years of SOX involved a mad dash to get needed IT controls in place to ensure compliance. Firms typically first instituted manual controls, and have been steadily replacing those controls with automated ones, to create more easily repeatable, demonstrable, and cost-effective compliance.

Unfortunately, many of these controls are actually ineffective, claims Forrester Research analyst Michael Rasmussen in a recent report. The problem: “In a rush to avoid being fitted for orange jumpsuits, firms don’t devote nearly enough consideration to the adequacy of the controls that compliance teams are implementing.” Rather, many companies rely on one-size-fits-all checklists of controls—“because firms all want a ‘get out of jail free’ card that assures their executives that if they do these three things in order, litigators and regulators will leave their companies alone.”

As a result, he says, “many compliance teams have implemented controls that may not make sense for their businesses.” Thus controls are either overblown, which siphons off valuable IT time and resources; or more often insufficient, which leaves organizations vulnerable to attack, as well as potentially noncompliant with regulations. Hence as regulations mature, expect auditors to take a much closer look at whether in-place controls actually do the job...”

“Increased security spending will also be needed to comply with the Payment Card Industry Data Security Standard (PCI DSS) version 1.1, which was released in September 2006. The PCI DSS is a security standard that was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help mitigate emerging payment security risks, while facilitating the broad adoption of payment account data security. Simply put, PCI specifies minimum policies, procedures, data security, network architecture, and more for any merchant handling credit card data. Unlike SOX, which many deride as being so vague that many auditors aren’t even sure what it requires, experts say PCI is a model of clarity, clearly spelling out what companies must do…”

180 View – Hopefully it is not as bad as Forrester claims. SOX has undoubtedly been expensive, and in the end it is unlikely that its benefits will exceed its costs. It is another matter, however, if the new SOX controls have been both ineffective and inefficient. We see a parallel in the replacement of ERP systems driven by Y2K: those implementations were often done in a rush, without optimizing business processes at the same time, which is what ERP should be all about. In the same way, organizations rushed into compliance without concern for efficiency or effectiveness. Expect a second wave of compliance to include business process improvement.

  © 2004 One Hundred & Eighty Degrees Systems Limited. All Rights Reserved