Compliance
Compliance is a costly
burden that all public companies must
endure.
Creating, validating, and auditing the IT Controls
mandated by section 404 of theCompliance
Act is a time-consuming requirement and can
represent hundreds of thousands of dollars in
IT staff expenses, internal auditors, and external
consultants. And the risks associated with errors
and omissions can be costly as well. Fortunately,
creating the IT Controls for most corporations is a
process that conforms nicely to the 80/80 Rule --
80% of IT budgets are spent on maintenance and
other undifferentiated activities, and 80% of that
amount is probably duplicated by other CIOs.
By collaborating with each other, enterprises can
share best practices, policies, expertise, tools, and
technologies on how they meet compliance audits
for IT Controls. Initial efforts include common
Risk Control Matrices and their accompanying
Narratives or Flowcharts. The goal is to identify
those controls that are common, to collectively
determine “Best IT Solutions” or Open BITS™, and
how to best handle new requirements for 2007. By
creating a
more standard approach, each member
can benefit from the collective expertise and
experience of the project members and can use
this information to negotiate with auditors moreeffectively. Those controls unique to each member
can also benefit from the collective review, and
in some cases be changed or eliminated after
learning from other members. Each member
expects to reduce the time and expenses
associated with demonstrating compliance to
Compliance consultants and auditors.
Activities of the Compliance project include:
- A collaborative environment in which enterprise IT and Compliance experts can interact with their peers and can invite external consultants and experts to participate.
- Confidential sharing of IT control Risk Control Matrix, Narrative, and Flowchart documents.
- Analysis of the appropriate frameworks and sources for controls (and their accompanying costs): COSO, COBIT, Compliance consultants, auditors, etc.
- Correlation of IT control documents, identifying common ground, unique enterprise requirements, and errors and omissions.
- Creation and sharing of best practices and policies for developing, validating, and auditing IT Controls.
- Publication to the project membership of recommended common IT controls, which can be used as a basis for negotiation with enterprise auditors.
- Analyses of tools, scripts, and other technologies that can be used to audit conformance.
