February 24, 2006 • Vol.28 Issue 8
Page(s) 12 in print issue

Taming The Compliance Beast
Expert Advice On Sarbox, HIPAA & Compliance Efforts
Just how big are the demands that Sarbanes-Oxley, HIPAA, and other laws put on corporate IT? “It’s big, very big,” says Carl Seider, team leader in business technology services for PNM, the Public Service Company of New Mexico. “It’s just amazing the different federal and state agencies that have some impact on what we have to do.”

It’s also expensive. In 2001 a government report showed that companies spent $800 billion per year on compliance, and that was before Sarbanes-Oxley had even been passed.

First Things First

So where do you start? According to Michael Rasmussen, vice president at Forrester Research, it’s “knowing what you’re up against and building an action list, and not just a checklist from your neighbor.” Compliance efforts, he says, should fit the firms that perform them like a hand in a glove.

Of course, you may need outside help to get there. “You don’t want your internal audit team running your compliance program, or they’d be auditing what they’re doing,” says French Caldwell, a Gartner analyst and compliance expert. “But they could certainly help you begin to design the program.”

Most audit firms can help you structure your Sarbox efforts, so long as you don’t choose the firm itself that audits you. Caldwell also tells first-timers to look at groups such as the Information Systems Audit and Control Association (www.isaca.org). ISACA wrote the COBIT framework for IT governance and grants the CISA (Certified Information Systems Auditor) certification. That can be a useful tool for your team, or you might simply attend ISACA’s local meetings to share war stories and seek advice.

The Paper Tiger

Much of compliance involves paper: the millions of documents you need to protect, track, and audit. “We need to know that a document is seen by the right person at the right time,” says Cheryl McKinnon, director of industry marketing at Hummingbird, so there’s an audit trail “if a particular VP or the CFO has signed off on it.”

Hummingbird makes content management software that helps companies tame their paper tigers. PNM’s Seider keeps more than 63 million documents in a Hummingbird system, most of which follow compliance rules that say when to destroy, recycle, or shred them or simply send them to regulators.

“One of the very first things we look at when we take in documents electronically is the regulatory requirements for who looks at them,” says Seider. “How long do we have to keep them, and how detailed an audit trail do we have to have?”

That’s no small task when you receive 1.2 million documents per month, as PNM does. “One of the most important things about our implementation is that it’s not only an IT function, but the team consists of IT and records personnel.” Together, that team built a system that prompts a document’s author to define the document’s security; it even reminds the author about the regulations that apply to a given document.

Don’t Fall In A Hole

Sarbox and HIPAA are so big (and so feared) that some firms go overboard to comply with them. “The biggest problem is over-scoping,” says Gartner’s Caldwell. Some companies put controls “here, there, and everywhere,” he says, ignoring the narrow intent of the law. For instance, Sarbox was designed to address financial controls and audits and never mentions IT per se. But some auditors have been reluctant to limit their clients’ efforts, a problem that was common in the early days of Sarbox when little was known about it.

In contrast, some companies don’t go far enough, approaching Sarbox and HIPAA “as a project, not a process,” says Forrester’s Rasmussen. They don’t see compliance as part of their day-to-day operations, he says, and too often assign a project manager to an ad hoc job that won’t suffice in the long run.

Boon Or Bust?

A long-term view of compliance, a real effort to weave it deeply into the corporate fabric, can have a host of benefits, such as efficient process improvements. Gartner’s Caldwell notes that compliance and good IT governance often dovetail. “I’ve talked to CIOs who’ve implemented governance programs, some who’ve gone so far as to implement Six Sigma programs, and they’ve had a relatively less onerous task facing them with Sarbanes-Oxley,” he says.

And Hummingbird’s McKinnon says that compliance is rarely the sole driver of good records management. “There’s still the whole area of knowledge worker efficiency and the fear of the knowledge worker retirement bubble. What are we doing about capturing all that information and those best practices?”

It all leads to a single thought: Compliance and related problems are here for the long run. “We’re not finished, by any means,” says PNM’s Seider. “And I don’t know that we ever will be, because by the time that we get things just where we want them, I’m sure that one of the regulatory bodies will change its mind, or a state will deregulate, or there will be some other change in the industry. But it is a top priority for us,” he says. “The exposures of not dealing with this are huge.”

by David Garrett

View the chart that accompanies this article.


Copyright © by Sandhills Publishing Company 2010. All rights reserved.