The rap against governance, risk and compliance (GRC) software is that the solutions either fall short of effectively managing the complexity of an enterprise's compliance programs, or
That has been the experience of Tommy Thompson, IT security compliance coordinator at The Williams Cos. Inc., a Tulsa, Okla.-based natural gas company. Thompson arrived at Williams four years ago to help sort out the IT component of the company's biggest compliance headache at the time. "It was, simply, Sarbanes-Oxley," Thompson said, referring to the 2002 act passed to protect investors from the kind of fraudulent accounting practiced by the last wave of corporate bandits. "Nobody even understood how to determine which IT controls were actually relevant to SOX."
During the past three and a half years, Thompson has used the IT governance (ITG) module of GRC software from OpenPages Inc. to understand not only which IT controls are relevant to SOX, but also the status of the IT testing environment at any given moment. He is able to remediate an exception or a control failure within a matter of days -- exceptions are down to 10 to 15 per year, a far cry from the 100 noted annually in testing of SOX controls four years ago. And that is about as close to perfect as Thompson wants to get.
"If you can get the exceptions that are noted on a yearly basis down to the teens, that is an acceptable risk, especially if they are not systemic and are little operational exceptions," Thompson said. "It is not cost effective to have a perfect environment because you can't manage to that."
With the IT piece of the SOX compliance strategy now incorporated into a "running machine," with real-time reporting and real-time remediation, Thompson is ready to do the same for the company's many other IT compliance areas, from Federal Energy Regulatory Commission (FERC) regulations and personally identifiable information (PII) to media disposal and data loss prevention.
"What I am trying to do -- from a risk-based management approach -- is to mitigate the key risks to the business, and you can't do that in a spreadsheet. You have to have a strong, configurable application with a very diverse relational database supporting it, in order to get all these parts relating to each other," Thompson said.
Analyst French Caldwell, who covers governance, risk and compliance at Stamford, Conn.-based Gartner Inc., said that because enterprise GRC is such a big undertaking, beginning with the immediate pain point -- in Williams' case, SOX compliance -- can be an effective strategy. He advises CIOs to start by isolating and articulating the GRC issues facing their businesses in the near term and then look at how technology investments in those areas might have multiple uses within IT and other parts of the business.
Making the case for the IT governance module in GRC software
Some of the work was under way when Thompson showed up. Williams had hired Protiviti Inc., a Menlo Park, Calif.-based consulting and auditing firm, to identify the SOX-related IT controls across the company. The firm discovered a "chaotic mess" of 900 IT controls, which were spread across five business units and germane to 42 applications deemed relevant to SOX compliance.
"Every single application had a different control for maintaining version control, a different control for segregation of duties, for change management, and so on," Thompson said. "There was no cohesion between the control environment, internal audit or third-party audit."
A product from Protiviti that Thompson described as "basically an Oracle database with a GUI on the front of it" housed the mess, but in his view lacked the configurability that would have let IT fix the problems inside it. "Remediation was done outside the system of record in manual Excel spreadsheets and by email, phone calls and meetings," he said.
As it became clear to internal auditors and the business that different GRC software was needed, Thompson muscled his way into the procurement process, insisting that IT not only participate in the vetting, implementation and configuration of the product, but also pay 20% of the cost. "Even though at the time, the internal audit decision on a product was tied strictly to SOX, I pointed out that this was going to become more than SOX very quickly," Thompson said. A bakeoff that included products from Paisley, Agiliance Inc. and Archer led to OpenPages Inc.'s GRC solution.
Even for managing just SOX compliance, however, Thompson said he realized that the "linear spine" of the financial control management component of the OpenPages solution would not fully support IT testing. For IT controls, one control test plan would have to yield 30 or more test results, because there are that many applications adhering to that one control, Thompson explained. The temporary workaround required for managing the complexity of IT provided the use case for purchasing the ITG module from OpenPages.
Deloitte risk catalogue and ISO/IEC 17799 to the rescue
That was when the real work began, starting with taking all the IT controls Protiviti had found, standardizing them and mapping them back to the company's IT security framework, ISO/IEC 17799. Thompson also made use of the risk catalog developed by Deloitte, an OpenPages partner.
"Our first hurdle was realizing the data model was not exactly right," Thompson said. But he worked with the director of product development and one of the solution architects for about six months. "We tweaked the data model until it was working, and now we have got everything in the system."
But standardized controls did not solve the problem of multiple requests for the same controls -- e.g., the auditor for supervisory control and data acquisition (SCADA) systems or for FERC calling for an access control list that the application owner had just given to the SOX auditor. Thompson's team then began integrating all the compliance requirements. "That way you have one test that you apply not just to many applications, but to the many mandated requirements as well," he said.
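The two design points above -- one control test plan fanning out to one result per in-scope application, and one test result counting toward every mandate that cites that control -- are what a spreadsheet cannot represent cleanly. The following Python model is an added illustration written for this page; it is not OpenPages' data model or Williams' configuration. The control ids, mandate names, application names, evidence references and the "systemic" threshold are all constructed assumptions.

```python
# Added example (not OpenPages or Williams code): a minimal control registry that
# models the many-to-many relationships the article describes. Control ids,
# mandate names, application names and evidence refs are all constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestResult:
    control_id: str
    application: str
    passed: bool
    evidence_ref: str  # pointer to the artifact collected, e.g. an exported ACL


class ControlRegistry:
    """One standardized control, tested once per in-scope application, satisfies
    every mandate that cites that control (hypothetical model)."""

    def __init__(self, systemic_threshold=0.5):
        self.controls = {}                  # control_id -> description
        self.mandates = defaultdict(set)    # mandate name -> control ids it requires
        self.scope = defaultdict(set)       # control_id -> applications it applies to
        self.results = {}                   # (control_id, application) -> TestResult
        self.systemic_threshold = systemic_threshold  # assumed cutoff, not from the article

    def add_control(self, control_id, description):
        self.controls[control_id] = description

    def require(self, mandate, *control_ids):
        unknown = set(control_ids) - set(self.controls)
        if unknown:
            raise KeyError(f"unknown controls {sorted(unknown)}")
        self.mandates[mandate].update(control_ids)

    def put_in_scope(self, control_id, *applications):
        self.scope[control_id].update(applications)

    def test_plan(self, control_id):
        """One test plan fans out to one result per in-scope application."""
        return sorted(self.scope[control_id])

    def record(self, result):
        if result.application not in self.scope[result.control_id]:
            raise ValueError(f"{result.application} not in scope for {result.control_id}")
        self.results[(result.control_id, result.application)] = result

    def mandates_satisfied(self, control_id, application):
        """Every mandate that a single passing test result counts toward."""
        r = self.results.get((control_id, application))
        if r is None or not r.passed:
            return []
        return sorted(m for m, ids in self.mandates.items() if control_id in ids)

    def evidence_for(self, mandate, application):
        """What an auditor for `mandate` gets for one application: the evidence
        already collected, so the owner is not asked for the same ACL twice."""
        out = {}
        for cid in sorted(self.mandates[mandate]):
            if application in self.scope[cid]:
                r = self.results.get((cid, application))
                out[cid] = r.evidence_ref if r else None
        return out

    def open_exceptions(self):
        """Failed results, flagged systemic when a control fails in more than
        `systemic_threshold` of its in-scope applications (assumed heuristic)."""
        failures = defaultdict(list)
        for (cid, app), r in self.results.items():
            if not r.passed:
                failures[cid].append(app)
        report = {}
        for cid, apps in failures.items():
            share = len(apps) / len(self.scope[cid])
            report[cid] = {"applications": sorted(apps),
                           "systemic": share > self.systemic_threshold}
        return report


def build_sample_registry():
    """Constructed sample data; not Williams' actual controls or applications."""
    reg = ControlRegistry()
    reg.add_control("AC-01", "Quarterly review of application access control lists")
    reg.add_control("CM-01", "Changes approved and tested before promotion to production")
    reg.add_control("SD-01", "Segregation of duties between developers and operators")
    reg.require("SOX", "AC-01", "CM-01", "SD-01")
    reg.require("FERC", "AC-01", "CM-01")
    reg.require("PII", "AC-01")
    reg.put_in_scope("AC-01", "GeneralLedger", "SCADA-Historian", "HRPortal")
    reg.put_in_scope("CM-01", "GeneralLedger", "SCADA-Historian", "Payroll")
    reg.put_in_scope("SD-01", "GeneralLedger")
    reg.record(TestResult("AC-01", "GeneralLedger", True, "ACL-GL-Q1"))
    reg.record(TestResult("AC-01", "SCADA-Historian", True, "ACL-HIST-Q1"))
    reg.record(TestResult("AC-01", "HRPortal", False, "ACL-HR-Q1"))
    reg.record(TestResult("CM-01", "GeneralLedger", False, "CHG-GL-Q1"))
    reg.record(TestResult("CM-01", "SCADA-Historian", True, "CHG-HIST-Q1"))
    reg.record(TestResult("CM-01", "Payroll", False, "CHG-PAY-Q1"))
    reg.record(TestResult("SD-01", "GeneralLedger", True, "SOD-GL-Q1"))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.test_plan("AC-01"))                           # one plan, three results
    print(reg.mandates_satisfied("AC-01", "GeneralLedger"))  # one result, three mandates
    print(reg.evidence_for("FERC", "GeneralLedger"))         # reuses the SOX evidence
    print(reg.open_exceptions())
```

The point of `evidence_for` is the one Thompson makes: the FERC auditor asking for the General Ledger ACL gets the reference to the artifact the SOX test already collected, rather than a second request to the application owner. The systemic-versus-operational split in `open_exceptions` is a constructed heuristic standing in for the judgment call he describes later in the article.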
Triumphing over Sarbanes-Oxley Act Sec. 302
One of Thompson's big bragging points is what he was able to do with Sec. 302, which requires the principal officers of every SOX-regulated company to certify its periodic financial reports. All those redundant controls that had to be signed off on had spawned more than 100 questionnaires. Thompson has chopped that down to 15, with his next goal to get down to only one for the entire Sarbanes-Oxley environment.
Even as it stands now, the 302 process is fully automated, kicked off every quarter and related directly back to the controls that have to be surveyed by the process owners. The process performers are notified automatically by email that it's time to fill out the survey. The login process to the system is automatic. As soon as the survey is filled out and submitted, it is routed for review to the process owner, who either signs off or sends it back until the report is finalized. The 302 process now takes days, instead of months.
The auditors love it, Thompson said. He estimated that IT invested less than $500,000, and has just been approved for roughly another $200,000 for extending the system to areas such as FERC, PII and the IT Infrastructure Library. That's when Thompson goes to the business side of the house and says, "Hey, look at what we're doing and how much money we're saving. Imagine what you could do if you start implementing this on the business side."
As impressive as the system has proved, Thompson warned that the complexity of the compliance environment does not really diminish. "What you do is to begin to reduce the chaos of the complexity," but only by managing the initial complexity can you tackle the new complexities that arise, he said.
"It is a continually evolving process," Thompson said, "and it is great job security, let me tell you."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.