Hindsight is a powerful lens when examining how to fall in line with the onslaught of federal regulations

No one is doing jail time for failing to comply with the recent flood of federal regulations — yet. So it’s too early to know exactly how the feds will deal with executives who don’t bring their enterprises in line with all the new mandates. (Sarbanes-Oxley is indisputably the 800-pound gorilla, but it shares the zoo with HIPAA, the Patriot Act, and SEC 17a-4, to name a few.)

But it’s never too soon to learn from the experience of IT implementers who have been grappling with regulatory compliance issues for years. They’ll tell you the road to compliance is fraught with unbudgeted expenses, steep learning curves, and plenty of gotchas. To steer around the worst pitfalls, here are some major considerations to bear in mind. After all, why learn the hard way?

Build a leadership team and deputize its members

Bad things happen in a leadership vacuum, so it’s important to have a well-defined compliance team that has real authority and a direct line to the corner office.

John Hagerty, an analyst at AMR Research, cites a large pharmaceutical company that allowed the finance team to try to tackle Sarb-Ox compliance. The CFO assured the CIO that everything was under control, thanks to some great auditing software. As deadlines swiftly approached, finance turned it all over to IT. When the CIO got his first look at the “great” software, he saw nothing but a desktop tool based on Microsoft Access — hardly up to the task of satisfying external auditors. A knowledgeable compliance team could have nipped this in the bud. In this case, the CIO gave in to the temptation to put too much trust in the finance people.

Julie Marobella, an analyst at IDC, sees this scenario all too often. “I hear CIOs say, ‘Compliance? Piece of cake.
The finance department is taking care of it.’ I worry about those people,” she says.

This was not the case at Energen, a drilling and natural-gas company. Sage Wagner, the SAP security lead, says the company’s CFO got out in front early. “Our CFO called a meeting of the entire IT staff and said, ‘My neck is on the line here. If we can’t deliver on compliance, you are out of a job. And if your boss is not giving you the support or the tools you need, come to me!’ ”

Wagner says this blunt speech was necessary. “Nine months ago it was pandemonium around here. We all complained, and we weren’t ready for Sarb-Ox,” he says. “It is very different now. We’re getting it done.” Wagner says it’s a mistake to think you can just allow your Sarb-Ox strategy to evolve. “You have got to have a consistent approach, and that takes leadership,” he says.

Building a compliance leadership team also brings fringe benefits. McDonald’s built a global Sarb-Ox team. “Our work on Sarb-Ox controls has helped us streamline some business processes, and we also now see that we need to work toward a consistent, global sign-on procedure,” says Chris Jensen, the team’s senior project specialist.

External auditors are not your gurus

External auditors play an almost godlike role. It is the auditors who will scrutinize Sarb-Ox 404 reports, for example: management’s assessment of the internal controls over financial reporting, which the CEO and CFO sign off on and which affirms that the systems behind the numbers are sound.

It is only natural to want some guidance from your auditors on what should go into these reports, and experts agree you should seek it. Barry Cohen, vice president of applications management at Wells Real Estate Funds, says members of his team regularly met with auditors to receive help in navigating a maze of regulations that included Sarb-Ox, the Patriot Act, SEC 17a-4, and NASD 3110.
“Your auditors can provide valuable guidance,” he says.

It is a distinctive feature of 21st century corporate governance, however, that your auditors can’t tell you what to do. In the ’90s, the big audit companies often played both sides of the fence, serving as technology consultants to the same companies they audited. Conflicts of interest forced auditors to shed their consulting businesses, and Sarbanes-Oxley itself now bars audit firms from providing services such as financial information systems design and implementation to the companies they audit. That’s good for business ethics, but it can create major headaches. “It’s driving everyone batty,” AMR’s Hagerty says. “I hear so many IT executives complain that they can’t get any definitive answers from their auditors on what to do.”

“It’s a real gotcha,” says Irving Tyler, vice president and CIO of Quaker Chemical, which makes specialty chemical products for the steel, automotive, and aerospace industries. “You want to satisfy [external auditors’] requirements, but they can’t tell you how to satisfy their requirements.”

And what they do tell you may vary. “The big four audit firms all disagree on what is adequate for regulatory compliance,” Energen’s Wagner says. “In fact, there is often disagreement within the same firm.” McDonald’s Jensen likens feedback from your auditor to listening to the oracle of the Federal Reserve, Alan Greenspan, for hints as to where the economy is headed. “He speaks and you try to interpret afterwards what he really meant,” Jensen says.

So, don’t expect definitive answers, but keep asking anyway. “I know some IT executives who were afraid to talk to their auditors for fear of what they might hear,” AMR’s Hagerty says. “Avoidance is not a good strategy.”

There is no out-of-the-box solution

As was the case with Y2K, vendors are once again seeing a gold mine.

Sean Culbert, managing director at BearingPoint, heads that company’s global compliance consultancy team for the financial services industry.
He says compliance tools can help, but warns against expecting too much from any one product. “I can’t walk into an organization and say, ‘Here it is, your ACME compliance kit that will solve all your problems.’ ”

Culbert points to the AML (anti-money laundering) provisions of the Patriot Act, which require financial institutions to review transactions for suspicious movements of cash. “I saw so many clients rush out and buy AML packages,” he explains. “Later … they realized they had one more piece of expensive software that didn’t fit into an overall compliance strategy.”

Wells Real Estate Funds’ Cohen saw competitors go out and spend a lot of money on off-the-shelf Patriot Act compliance tools. “AML and OFAC [Office of Foreign Assets Control] are two of the biggest compliance items in the Patriot Act,” Cohen says. “OFAC is about knowing who you do business with — you want to identify known terrorists and shut them out.”

Cohen and his team built their own Patriot Act compliance solution using software from Informatica, which extracts the necessary data. “We purchased WorldTracker, an OFAC checker from ChoicePoint,” Cohen explains. “And we use Informatica to pump data from our warehouse into the checker.” (None of the data left Wells, so the company was not affected by ChoicePoint’s recent security problems.)
Cohen estimates he was able to do this for approximately one-tenth of the cost of packaged solutions.

Pay strict attention to a document’s shelf life

Regulations such as SEC 17a-4 primarily apply to the financial services industry and call for the retention of certain records for defined periods. Peter Gerr, an analyst at Enterprise Strategy Group, observes that many IT executives are still unclear as to which documents they should retain and for how long. “Some organizations have been ill-advised about this, and others have chosen to simply take a shotgun approach and retain everything,” he says.

The first thing to do is to get a clear idea of what you need to keep, and for how long. Gerr stresses the importance of getting the business side on board in this. He also warns against taking the shotgun approach. It may look easier at first: If you just save everything, you’re covered, right?

Wrong. People do this primarily to avoid the time-consuming analysis required to implement an efficient archive that will satisfy the law. And these are documents that can end up in court. “I have heard horror stories,” Gerr says of companies that were hit with a lawsuit and subpoena. “They have to turn all this stuff over even though they aren’t sure of what they have. Meanwhile, the prosecutors have better search and retrieval tools, and the defendant is confronted in court with e-mails they didn’t know existed.”

Rein in your operational systems and user access

“Sarbanes-Oxley is still the big one when it comes to compliance and IT,” says Paul Hammerman, an analyst at Forrester Research. “[Sarb-Ox 404] is where you have to identify the control measures that will attest to the integrity of your financial statements.”

One of these controls is segregation of duties. IT must be able to demonstrate that, for example, the person who makes a purchase does not also have the authority to take receipt of the goods and authorize payment.
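The segregation-of-duties control just described, reduced to a check a practitioner can run over an access inventory. This is an added example, not code from the article or from any company or vendor it names; the user names, system names, roles and conflict pairs are constructed. It also applies the scoping step Quaker’s Tyler describes below: users holding no entitlement on a financially relevant system are dropped before the conflict check, which is what shrinks the review.

```python
"""Segregation-of-duties (SoD) check over an access inventory.

Added example: not the article's code nor any vendor's product. All
names, systems, roles and conflict pairs below are constructed.
"""
from collections import defaultdict

# Systems whose access feeds the financial statements and is therefore
# in scope for the Sarb-Ox 404 review (constructed list).
IN_SCOPE_SYSTEMS = frozenset({"erp", "general_ledger", "hr"})

# Entitlements one person must never hold together. Each entitlement is
# (system, role). The first three pairs encode the article's purchasing
# example: ordering, receiving and paying must be three different people.
CONFLICT_PAIRS = [
    (("erp", "create_purchase_order"), ("erp", "receive_goods")),
    (("erp", "create_purchase_order"), ("erp", "approve_payment")),
    (("erp", "receive_goods"), ("erp", "approve_payment")),
    # Creating an employee record and posting payroll is a ghost-employee risk.
    (("hr", "create_employee"), ("general_ledger", "post_payroll")),
]

# Constructed access inventory: (user, system, role), as it might be
# exported from an identity store or each application's role tables.
ASSIGNMENTS = [
    ("alice", "erp", "create_purchase_order"),
    ("alice", "erp", "approve_payment"),
    ("bob",   "erp", "receive_goods"),
    ("carol", "hr", "create_employee"),
    ("carol", "general_ledger", "post_payroll"),
    ("dave",  "wiki", "edit"),
    ("dave",  "mail", "user"),
    ("erin",  "erp", "create_purchase_order"),
    ("erin",  "wiki", "edit"),
]


def entitlements_by_user(assignments):
    """Collapse the inventory into {user: {(system, role), ...}}."""
    held = defaultdict(set)
    for user, system, role in assignments:
        held[user].add((system, role))
    return dict(held)


def in_scope_users(assignments, in_scope=IN_SCOPE_SYSTEMS):
    """Users holding at least one entitlement on an in-scope system.

    Everyone else (dave here) can be excluded from the 404 work entirely,
    which is the scoping step that cuts the review down to size.
    """
    held = entitlements_by_user(assignments)
    return {u for u, ents in held.items() if any(s in in_scope for s, _ in ents)}


def sod_violations(assignments, conflicts=CONFLICT_PAIRS, in_scope=IN_SCOPE_SYSTEMS):
    """Return [(user, entitlement_a, entitlement_b)] for every conflict pair
    an in-scope user holds both sides of, sorted by user name."""
    held = entitlements_by_user(assignments)
    violations = []
    for user in sorted(in_scope_users(assignments, in_scope)):
        for a, b in conflicts:
            if a in held[user] and b in held[user]:
                violations.append((user, a, b))
    return violations


def scope_reduction(assignments, in_scope=IN_SCOPE_SYSTEMS):
    """(total users, users left after scoping): the ratio the article's sources describe."""
    total = len(entitlements_by_user(assignments))
    return total, len(in_scope_users(assignments, in_scope))


if __name__ == "__main__":
    total, kept = scope_reduction(ASSIGNMENTS)
    print(f"{kept} of {total} users touch an in-scope system")
    for user, a, b in sod_violations(ASSIGNMENTS):
        print(f"SoD violation: {user} holds {a[1]}@{a[0]} and {b[1]}@{b[0]}")
```

The conflict matrix is plain data, so the same check can be rerun against each cycle’s access export, and the audit evidence is the export plus the list of violations it produced. Scoping works on users rather than on individual entitlements: a user who touches any in-scope system keeps all of their entitlements in the check, so a conflict that spans an in-scope and an out-of-scope system is still caught.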
Hammerman says this is a particularly tough one for IT because it involves many systems — HR, ERP, and general ledger, to name a few — together with access policies and procedures.

Tyler says this can be an enormous undertaking if you approach it from a global security perspective. So a little analysis up front — identifying just those systems and personnel that come into play — can pay off big. “Chances are, the majority of users in your enterprise don’t need access to any of the critical systems,” he explains.

Tyler and his team set out early to identify all connections between users and systems. This allowed them to eliminate the majority of personnel authorization profiles from their Sarb-Ox work. It was laborious, but it reduced implementation work by more than a factor of 10. “It is about security,” he says. “But do not approach 404 compliance as security with a capital S.”

The value of available solutions

When Energen’s Wagner got serious about Sarb-Ox 404, he started looking at authorization and access within his SAP system. “SAP security is very complex,” Wagner says. “You don’t want to try and implement your 404 controls from within SAP. There are a lot of things you just cannot do adequately with what they give you out of the box.”

Some will take this as a challenge, which is probably not a good idea. “I know some rogue DBAs who say, ‘Yeah, I can build this fancy little database to automate all this stuff,’ ” he explains. “That is a formula for disaster.”

When you understand what is lacking and what is required, you can confidently go with one of the many products on the market. Wagner chose Approva and so far is pleased.

Quaker’s Tyler is currently testing software from Oversight Systems. “The Oversight engine historically came out of fraud detection,” Tyler says.
“We think it can help us to automate a lot of the supervision and auditing for compliance.”

At McDonald’s, Jensen is using Risk Navigator from Paisley Consulting to better automate the monitoring and gathering of compliance data. “We can put our risks and controls together in a tree structure that links all the way up to corporate and all the way down to individual processes.”

Push back when necessary

To form a more perfect compliance, IT must seek guidance from management and auditors. It is important to note, however, that no one has all the answers. Sometimes it will fall to the IT chief to say no.

“I don’t know of any IT shop that has done everything their auditors suggested,” AMR’s Hagerty says. “If they did, it would be prohibitively expensive.”

At Quaker, Tyler dug in his heels a few times. “Our auditors wanted to look inside our firewall,” he explains. “We went back and forth and finally compromised by installing a monitoring system. They also wanted to delve into our application lifecycle management. We are still debating this one.”

Pushing back requires that you have full confidence in your compliance team. If you have that, the right pieces will fall into place at the right time.

“It is all about assessing risk,” Hagerty says. “It is often going to be a value judgment coming from IT: ‘Am I at risk or not?’ ”

Ultimately, Hagerty says, if you come clean and show your auditors that you have some weaknesses but assure them you’ll do what it takes to remedy any problems, it’s likely that everyone can sign off and go on to fight another day.