5 Smart Practices for IT Risk, Governance and Compliance
By Doug Bartholomew | Posted 08-24-2007
Even if the Sarbanes-Oxley Act of 2002 had never come along, the panoply of compliance, risk and governance issues facing American corporations in the 21st century already was expanding quite nicely, thank you. The impact of "Sarbox" mostly was to shift things into overdrive.
"What Sarbanes-Oxley did was really a copy of what the Securities and Exchange Commission was requiring the exchanges to comply with already," says Bernie Donnelly, vice president of quality assurance at the Philadelphia Stock Exchange.
Indeed, banks and securities firms had been dealing with similar regulations for years, so Sarbox was no big deal for them. But for the rest of corporate America, getting financial systems and processes in order was a massive undertaking.
"Most companies initially did their Sarbanes-Oxley compliance efforts with a lot of human beings, and now they are trying to automate these activities as much as they can," says John Hagerty, vice president of research for governance, risk and compliance at AMR Research. And while most large organizations have their Sarbox houses more or less in order now, concerns over governance, risk and compliance, especially as they relate to the role information technology plays, aren't likely to become any less critical any time soon.
CIO Insight talked with CIOs and other executives as well as several compliance experts to identify the technology smart practices companies should follow to improve their governance and risk management.
1. Develop a comprehensive, corporatewide understanding of how technology influences risk and compliance.
"It's important to first incorporate risk into the overall framework and lexicon of how you manage the organization," says Jeffrey Weber, managing director of Protiviti's technology risk practice. Adds Joe Atkinson, a partner at PriceWaterhouseCoopers, "When it comes to compliance obligations, all well managed companies want to comply, but the challenge is that you don't have unlimited resources to do so. That's where having an enterprise vision is very important. It helps the company start to rationalize the allocation of resources."
Most experts agree that in this early stage of scoping out the extent of a company's risk and the processes and systems needed to ensure compliance with laws and regulations, IT must be involved from the get-go. "Regardless of the model you apply, IT must be at the table," Atkinson says. "The only way to be effective at this is with the appropriate application of IT."
Robert Worrall, senior vice president and CIO at Sun Microsystems, recommends that the first thing any CIO do is "get the organization aligned around compliance. Most IT people do not recognize the need for compliance, so training is needed," he says.
From an organizational standpoint, Worrall has found it helpful for the CIO, especially in a large corporation, to delegate someone with both IT and compliance experience to focus on training. At Sun, he has assigned a senior director of compliance for IT, who is a former internal auditor of IT systems. "He understands how an auditor looks at things and he can respond in a language auditors understand," Worrall says.
2. Use technology to enforce and monitor compliance rules and processes.
Most companies recognize that even the most effective processes can't be monitored or sustained over time without technology to automate them and provide structure. "We have made significant use of technology in the last 18 months to automate and bring greater efficiencies to our processes," Worrall says. "The technology brings more reliability and predictability to the processes we've designed."
Of course, a key element of any company's compliance efforts is establishing and maintaining effective control of access to information, especially financial data. "Access to data must be based on what the employee needs to look at," AMR's Hagerty says.
The reason is obvious: you don't want a "fox guarding the henhouse" situation that could expose the company to internal fraud. "For example, the person responsible for setting up the list of payers can't also be able to authorize a payment," Hagerty says. "There should be a preventive control in place, such as someone with the ability to say no, someone who can reject the payment."
One company that uses software to provide automated checks against such abuses is Macerich Co., an $830 million real estate investment trust and operator of shopping malls. The company uses Oracle Corp.'s Internal Controls Manager, as well as Oracle's financial, human resources and project management applications.
On the one hand, Macerich relies on the software to restrict access to key systems and parts of systems according to each employee's role. "For instance, an accounts payable clerk cannot cut a check as well as create an invoice," says Sean O'Donoghue, vice president of business applications and technology at Macerich. "That one person does not have full control of a transaction."
Of course, the system has to be set up by each company in a way that fits its employees' duties and functions. "It's a matter of thinking through and doing the homework up front," O'Donoghue says. "Otherwise, it can be a daunting task when you look at all the functions of the software that are available."
The system also gives Macerich another piece of compliance functionality by providing the company with an IT audit capability. "We use it to monitor our e-business suite," O'Donoghue says. "The software provides controls around our day-to-day processes, ensuring that someone cannot change the approval signature and the amount of a check, and then change it back as if nothing happened. The system gives us a full record of who changed something."
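The two controls described above, the preventive segregation-of-duties rule (one person must not both create an invoice and cut the check) and the detective audit trail that catches a check being altered and then changed back, as an added illustration in Python. This is example code, not Macerich's configuration or any Oracle product; the duty names, user assignments and log records are constructed for the demonstration.

```python
# Added example (not from the article or any vendor product): a preventive
# segregation-of-duties check and a detective scan of a change log for the
# "change a check, then change it back" pattern the article describes.
from collections import defaultdict

# Duty pairs one person must never hold together (preventive control).
CONFLICTING_DUTIES = {
    frozenset({"create_invoice", "issue_check"}),
    frozenset({"maintain_payee_list", "authorize_payment"}),
}

def sod_violations(user_duties):
    """Map each user holding a forbidden duty pair to the sorted pairs found."""
    found = {}
    for user, duties in user_duties.items():
        hits = sorted(tuple(sorted(p)) for p in CONFLICTING_DUTIES if p <= set(duties))
        if hits:
            found[user] = hits
    return found

def round_trip_edits(audit_log):
    """Flag a field change later reverted to its original value by the same actor.
    audit_log: time-ordered (check_id, field, old, new, actor) records."""
    by_key = defaultdict(list)           # (check_id, field) -> [(idx, rec)]
    for idx, rec in enumerate(audit_log):
        by_key[rec[:2]].append((idx, rec))
    flagged = []
    for (check_id, field), changes in by_key.items():
        for i, (ci, (_, _, old, _, actor)) in enumerate(changes):
            for ri, (_, _, _, new, later_actor) in changes[i + 1:]:
                if new == old and later_actor == actor:
                    flagged.append((check_id, field, actor, ci, ri))
    return flagged

# Constructed assignments: clerk2 was granted both accounts-payable duties.
SAMPLE_USERS = {
    "clerk1": {"create_invoice"},
    "clerk2": {"create_invoice", "issue_check"},
    "treasurer": {"authorize_payment"},
}

# Constructed change log: check 1042 is altered and quietly restored by one clerk.
SAMPLE_LOG = [
    (1042, "amount", "500.00", "5000.00", "clerk2"),
    (1042, "approver", "treasurer", "clerk2", "clerk2"),
    (1042, "approver", "clerk2", "treasurer", "clerk2"),
    (1042, "amount", "5000.00", "500.00", "clerk2"),
    (1043, "amount", "100.00", "120.00", "clerk1"),
]
```

Run `sod_violations(SAMPLE_USERS)` to see clerk2 flagged before any transaction happens, and `round_trip_edits(SAMPLE_LOG)` to see both round-trip edits on check 1042 surfaced from the log while the ordinary edit on check 1043 is ignored.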
Sarbanes-Oxley was actually a plus for IT, O'Donoghue says. "IT always wanted these controls, and Sarbanes was the stick we were given to implement some things we'd wanted to do." He admits, though, that "sometimes the pendulum swings too far, and you can have too many controls. But I think that overall, having the controls in place has definitely helped us. Sure, it's more work on the front end, but less work later on."
Sun has developed its own product, Sun Identity Manager, to assign and track employee access to information. "It allows people to define critical access roles," Worrall says. "It also allows us to provision access dynamically, so when employees change roles and their authority changes, we're able to provision or de-provision accounts. In this way we can regulate access to our application environment."
When it comes to change management, though, Sun uses a third-party software package (which Worrall didn't disclose). "We needed a safe, reliable method for deploying new applications into production," Worrall says. "This way we have a database of all program requisitions into IT, and we also capture the impact on Sarbanes-Oxley that the demand for new applications and changes will have. This gives us a beginning-to-end view of changes in the IT environment."
3. Define requirements versus best practices.
"My recommendation is to make sure you are not over-engineering to start with," says AMR's Hagerty. Others concur. "You need to look at what the regulators and auditors are asking for, and then create the process to answer that," says Donnelly at the Philadelphia Stock Exchange. The PSE gets some 1,200 change requests per year to its systems. "We used to go through the hard-copy paper trail for changes to our systems, but now we key in the change number and we can e-mail it to the SEC before they come down here for an audit." Today the PSE tracks all its application changes electronically using a system from Serena Software.
Any changes are monitored in the system via a CIO dashboard, which replaced a large whiteboard matrix. Donnelly says tracking changes to systems electronically is more reliable. "If you automate and get rid of the human element, you get rid of an array of potential violations." In the case of the PSE, even a change as simple as a new electrical switch being installed on the trading floor can pose a potential risk. "There is always a chance that a change like this could take out a whole floor," Donnelly says.
In the retail industry, the scramble is on for all companies that process 6 million or more Visa card transactions or 1 million American Express card transactions a year to comply with the industry's new data security rules. All large merchants and retailers that accept credit cards, such as Home Depot, Safeway, OfficeMax, Chevron and Target, have no choice, assuming they want to continue doing business with the card companies and their issuing banks and financial institutions.
In fact, many major retailers are still struggling to get their systems in shape to meet the Sept. 30 deadline for voluntary compliance with the Payment Card Industry (PCI) data security standards. "There are a lot of organizations working diligently toward compliance," says Scott Laliberte, director of Protiviti's global information security practice.
This is a case where what's required, at least by law, falls short of the standards the industry itself has set. The retail industry, led by the major credit card companies, has implemented 230 data security controls that retailers and service providers storing data for banks or merchants must put in place if they want to continue doing business with the card issuers.
"The credit card associations are trying to regulate this themselves along with their member banks," says Laliberte. The aim of the controls is to protect cardholder data from security breaches and fraudulent uses. The result: "The likelihood of a data breach involving cardholder information drops," Laliberte says, "but there is no 100 percent security against having a problem."
The merchants must follow each PCI data audit standard, comply with that control, and have a qualified data security firm certify that they have complied. "Some companies are still in a mad scramble to meet the Sept. 30 deadline," Laliberte says. In addition to having an audit of their controls done by an independent agency, each merchant must submit to a quarterly network scan by a qualified vendor to check for network vulnerabilities.
One of the biggest IT hurdles merchants will have to clear to be PCI standard-compliant is the encryption requirement. "With high-volume processing systems, data encryption slows things down," Laliberte explains. "High volumes are not conducive to encryption." One retailer that had older systems had to replace them with new network equipment in 2,000 stores. Why? "The older equipment can't support these new data standards," says Laliberte.
4. Work in tandem with finance and compliance groups.
"It really is a team event," Worrall says of Sun's governance, risk and compliance effort. "No day goes by where a compliance-related topic doesn't involve our CFO or controller, the CIO and the chief privacy officer. Our director of compliance attends meetings with these organizations to ensure that IT is acting consistently with all the other organizations in the company."
Laliberte concurs, adding that in the retail industry, the shift to meet the new PCI data standards demands a major, sweeping project affecting multiple parts of the company. "This is usually a pretty big effort," he says. "Often it will be driven by the internal audit department, with the CIO responsible for a number of projects needed to get the controls in place."
5. Leverage industry standards such as COBIT.
COBIT (Control Objectives for Information and related Technology) provides a framework of controls that "define how well the IT organization should be managed," Sun Microsystems' Worrall says. Sun's CIO recommended implementing COBIT, which the IT group adopted with positive results. While the company's IT department uses ITIL (Information Technology Infrastructure Library) as a blueprint for operational procedures, it uses COBIT to define the way the IT organization should be managed.
"We are absolutely a big proponent of COBIT," he says. "As part of our multi-year roadmap of activities that we used to get us to where we are now with clear documentation and controllable processes, we used COBIT as an overarching industry framework."