Corporations complying with the Sarbanes-Oxley Act have produced hundreds of thousands of documented compliance system controls during the past two years. A concerted effort by management, together with independent audits, has led to well-formed compliance controls that are aligned with corporate objectives while considering the associated risks.
The results? Defined activities that minimize enterprise risks while still achieving regulatory compliance.
Lack of compliance tools for employees
Common issues employees face include:
- Keeping current with compliance requirements.
- Recognizing when to execute the actions necessary for achieving compliance.
- Prioritizing controls based on their importance to the organization.
- Understanding the tests for compliance, and how to record the results.
Daily workloads are filled with controls that require action from employees in order to fulfill management requirements. These controls require hours of training to perform, schedule follow-up, review, document, archive and audit.
The result of having numerous control activities to schedule, without a supporting monitoring system that has escalation built into it, can be a lack of visibility, slippage and increased risk to the company. The requirement to remain in a compliant state makes no allowance for employee workload or for a backlog.
While training is essential to keeping new control activities current, old activities may suffer and be pushed down in the queue. Loss of visibility frequently occurs and compliance controls go unattended. Equipment may not be calibrated in a timely manner, certification reviews may be late or missed and lagging security audits leave the organization exposed to data breaches. The most recent control receiving attention may not be the highest priority, or the greatest enterprise risk.
For an organization to succeed, employees must have access to tools that can track controls.
Lack of compliance tools for management
Managers have limited options when it comes to overseeing the status of systems that require organizing many control activities. Most systems manufacturers have developed idiosyncratic methods of managing compliance from their own perspective. With limited options and resources to bridge these differing systems, managers have become accustomed to using spreadsheets, emails and makeshift devices for tracking a vast number of compliance system controls.
Spreadsheets provide little help in integrating the actions required for maintaining compliance, managing employees and their tasks, and assessing current risk levels. Common issues managers face include:
- Tracking the productivity of employees responsible for control activity execution.
- Identifying the status of key business process control activities at all times.
- Training employees on the business processes and systems that require compliance.
- Verifying that schedules are kept and activities are consistently performed.
- Verifying that documentation standards for completed controls are met.
Surprisingly, paper systems are the norm for following most compliance requirements. Managers often use paper systems rather than automated forms because of the vast number of one-off needs. Systems and data are kept in silos, where they are typically organized by department, making it difficult for executives to access necessary information.
Internal policies are often managed reactively; only when processes fail is their effectiveness evaluated. Such ad hoc policy management allows even the most important systems to be overlooked. There is little opportunity for creating systems that are predictive and preventative. The result is that management loses necessary agility.
Solution requirements for compliance system controls
A number of software solution providers are responding to the need for comprehensive compliance systems, but they fall short in providing a holistic
Regardless of the system, the requirements for a compliance solution should remain the same:
- Manage the standards and controls over business units and processes.
- Create and preserve an audit trail that is secure, easily accessible and verifiable.
- Deploy notifications so the enterprise is proactive and preventive in its actions.
- Feature an easily accessed portal with an executive dashboard that has drill-down capability.
- Include a single system to support compliance efforts with the greatest speed and at the lowest cost.
Dean Lane is principal of Office of the CIO. He can be reached at email@example.com