The new world of compliance

For most IT managers, the word “compliance” may not evoke any particular response. Within either human resources or finance, though, sneaking up behind a manager and even just whispering the word may precipitate a violent response. Word to the wise: duck!

Of course, in specific industries – such as telecommunications and finance – IT has always had a role in compliance activities. But compliance is now a concern for all IT, especially for IT departments in publicly traded companies.

Compliance refers to the activities required by regulators to ensure that two actions are being performed: verification and enforcement. In the case of human resources, for example, Equal Employment Opportunity Commission regulations require certain standards for the treatment of employees. These standards must be enforced within the organization, and verification or audits must be performed periodically to ensure that the standards have not been violated.

Another area with heavy compliance responsibility is finance. As might be expected, financial reporting required by various regulatory agencies – for example the SEC – is an important activity in finance departments. Until recently, financial reporting was pretty much a quarterly exercise with quarterly reports called 10Qs and then one major annual filing referred to as a 10K. These reports, required for publicly traded companies, are intended to provide fair disclosure of important financial information so that investors can make informed investment decisions. Typically, the chief financial officer was required to sign these filings and attest to the accuracy of the reporting.

Scandals such as Enron and WorldCom, of course, tainted the entire reporting process. Congress, in its infinite wisdom, decided to do something about the accuracy of reporting. The so-called Sarbanes-Oxley Act of 2002, or SOA, was passed to ensure that financial reporting could be trusted by investors. Aside from all of the verbiage in the act, the way it sets out to do this is twofold.

First, financial reporting now requires that both the CEO and CFO sign off on financial reports. This requires that CEOs, in particular, legally attested to the accuracy of the reports. Second, and more important from an IT perspective, CEOs are required to attest to the accuracy of the process used to generate the numbers in the first place. CEOs who lie get to go to jail and pay hefty fines. Their companies can be liable for significant penalties as well.

The latter requirement explains why SOA provides for a period of process review so that publicly traded companies can ensure that their financial processes are, in fact, producing good data. It also explains why most IT organizations have had to field lots of legal inquiries into the way in which data are generated, stored and accessed.

What should be apparent to many IT managers now is that the world has fundamentally changed. Activities that once seemed to be a best-effort exercise, such as access control, now assume significant importance. After all, if you can’t attest to the security of your data, you are in violation of SOA. IT organizations will increasingly come under scrutiny as CEOs realize that their ultimate fate hinges on the ability of their IT organizations to restrict access to financial data to those who are truly authorized to see and manipulate it.

What SOA does is reinforce that idea that most businesses today are fundamentally dependent on their networked infrastructure. IT, as the keeper of that infrastructure, is in an important position to ensure the viability of the corporation. Compliance is now part of that responsibility.