January 16, 2007

Compliance 2007: The King's Sox Had Holes

For most of 2006 the term compliance was synonymous with the dreaded U.S. Sarbanes Oxley (SOX) law. The overwhelming majority of large organizations, especially multi-nationals, found themselves spending oodles of money on myriad projects all earmarked as necessary for “SOX Compliance.” Major trading countries and regions all took notice of how U.S. organizations were scurrying about trying to ensure that their top executives would not be clad in orange jumpsuits and headed to jail. Some countries such as Japan decided to go on the offensive and put the world on notice that they too would be passing legislation designed to bolster investor confidence and mend the sins of past malfeasance on the part of several executives and organizations.
Organizations have been facing a maze of regulations for quite some time; furthermore, it was not uncommon for the regulations to be technology-neutral in their guidance and perhaps even conflicting in their requirements. Laws and regulations could be based on the jurisdiction: federal (country level), state or provincial, or even municipal. Examples include the California disclosure law popularly known as SB 1386 and the Canadian Personal Information Protection Electronic Documents Act (PIPEDA). Organizations also found that they would be subject to regulations based on their size (revenue, market capitalization, number of employees), or their industry. For example, in health care there is HIPAA, more properly known as the Health Insurance Portability and Accountability Act of 1996; in financial services there is GLBA, or the Gramm Leach Bliley act of 1996; and for power and energy there are regulations promulgated by the North American Electric Reliability Council (NERC) that effect Canada, Mexico, and the United States.
An unintended result of this web of regulations is that top management is not necessarily totally clear on what the organization must do in terms of personnel issues, policies, and procedures. This can leave IT as the tail on the business dog. Top management must clearly describe business goals and objectives so that IT can implement them. In the case of compliance, IT is not able to sequentially address each and every rule, regulation, and law. Rather IT must employ IT as a tool for governance of the organization. IT, information security, and privacy technology in particular can be employed to enforce standards within the operation of the organization. These standards when taken together will ensure that the IT infrastructure the organization and its top management rely on to provide accurate and current information actually does so. IT can also be judiciously employed to ensure that the organization can function in spite of unforeseen interruptions whether they are acts of nature, intentional acts by adversaries, or accidents.
We are cautiously optimistic about the compliance outlook for 2007. We feel fairly confident in saying that U.S. law makers have been made aware of the negative effects of SOX and have hopefully taken notice of heightened IPO activity in financial markets outside the U.S. such as Hong Kong. This is likely to translate to a loosening of the perceived SOX stranglehold. The lack of a successful SOX prosecution may also be a factor emboldening executives to take a commonsense approach to running the organization which entails stated goals and objectives with respect to governance and which translates business objectives into IT standards, policies, and procedures that ensure the integrity of the IT infrastructure, which was the core intent of SOX in the first place.


Mike said...

Something I want to share over here is that companies complying with Sarbanes Oxley regulation can comply with many other regulations and standards also. A crosswalk poster between different regulations is a very useful tool, especially when it is available at no cost. This poster is crosswalk between: ISO 17799, COBIT 4.0, HIPAA, HIPAA, Payment Card Industry (PCI), GLBA, NERC standards CIP and PIPEDA (Canada) http://www.compliancehome.com/symantec/ . This site has many other resources for Sarbanes Oxley.

John said...

Enforcement of compliance regulation is must for many organizations but implementing, establishing and maintaining of same is a tough task due to complexity and cost. www.Training-hipaa.net website provides a wonderful and valuable template suite which any organization, small or big, can use to meet their compliance requirements for HIPAA, Sarbanes Oxley (SOX), FISMA, ISO 17799 or any other regulation/standards requiring business impact analysis, risk assessment, disaster recovery planning (DRP), business continuity plan (BCP) and Testing & Revision of Plan.