Governance and compliance: driving IT priorities

Recent regulatory and marketplace pressures are bringing corporate leaders to a new appreciation of just how critical IT is--not only for running operations, but for carrying out their fundamental leadership responsibilities.

The surge of top-level concern about information technology (IT) can be explained in two words: governance and compliance. The past few years have delivered corporate leaders two rude awakenings about information and the technology that enables its production.

The first is that boards of directors and executives are being held to higher standards than ever before. They are expected to be well-informed and knowledgeable about what's happening in the enterprises they oversee and manage, and they're being held more accountable for surprises and setbacks, frauds and failures. What's more, executives and boards must oversee compliance with a plethora of legal and regulatory requirements, some of which affect IT directly and many of which have implications for IT usage and management. Indeed, the Sarbanes-Oxley Act of 2002 is particularly notable for its wide-ranging IT impacts. And, to execute on their responsibilities and meet raised governance expectations, corporate leaders urgently need accurate, reliable, timely and transparent business information.

The second rude awakening is that many companies' IT infrastructures are not up to the task of providing the high-quality information desired for efficient and effective compliance and governance. It's as if a bright light has suddenly been turned on, and there, in plain view, are a number of pervasive issues concerning the state of IT.
These are not new issues, but under the light of increased governance and compliance needs, their impact is profound. Spurred by governance failures and new compliance requirements, business leaders everywhere are starting to critically examine their companies' approaches, philosophies and positioning concerning IT. And, it's not about how to lower IT costs; it's about better aligning IT with business needs--particularly governance and compliance needs.

What Does IT Have to Do with Compliance?

That there is a relationship between IT and compliance may be self-evident to some, but it's also complex and confusing. Some compliance requirements have a direct impact on IT management. Then, there are the many laws and regulations that affect the way IT is used to enable business processes. Records management laws and regulations, for example, have obvious IT implications, while other general and industry-specific compliance requirements that affect IT are too numerous to list.

Increasing regulatory challenges have spawned a corresponding rise in compliance-focused IT offerings. Analysts covering the software and professional service industries are swamped with vendors clamoring, "We can help with compliance. Review our products now!"
Conferences continue to draw attendees seeking to understand how IT can enable compliance at their companies. But before looking at how additional software can help with new compliance demands, it is illuminating to first examine how well existing architectures, infrastructures and strategies meet the underlying legal and regulatory objectives.

Consider many companies' experience in their first year of Sarbanes-Oxley Section 404 compliance. Financial reporting processes depend heavily on technology, so examining those processes for Section 404 compliance forced companies to perform a thorough review of financial systems, IT business processes and data. Based on Deloitte's experience, the news wasn't particularly good. Many companies found that their IT assets and approaches were actually barriers to--rather than enablers of--high-quality financial information.

Perhaps the most common barriers arose from a combination of complex architectures, lack of standardization and poor system integration, not to mention a profusion of manual financial processes. All these factors made addressing the act's compliance requirements more expensive and more time-consuming than necessary. Moreover, essentially all companies found that technology was not widely used for internal control purposes. Many controls were manual and detective rather than automated and preventive, and many organizations discovered that they underutilize or sometimes simply fail to use the control capabilities of their existing IT assets. Perhaps most distressing of all, first-year Section 404 readiness preparations frequently highlighted a pervasive lack of awareness, understanding and discipline around the use of IT.
An important lesson here is that today's compliance challenges are really information challenges. At its core, the Act is about ensuring that data is turned into financial information in a way that enables accurate, reliable, transparent and timely financial reporting. And because business processes and information today are practically inseparable from technology, the effectiveness of a company's IT infrastructure--including its governance structure, people and policies, as well as its software and hardware--can make or break its compliance efforts (see the sidebar, "Sarbanes-Oxley's Impact on IT").

What Does IT Have to Do with Governance?

The demands of corporate governance on information quality are, if anything, even more severe than those of compliance. Boards and executives need more than financial information to make sound decisions, set and execute strategies and oversee business performance. They need to understand their company's situation with respect to operations, employees, customers, vendors, strategic partners, government and regulatory agencies, analysts, investors and the general public. But do they have the information they need to gain this understanding?
Are boards and executives as "decision-ready" as they seek to be? The answer right now is generally "no." Boards and management are inundated with data but often suffer from a lack of information or poor information quality. Research shows that a striking gap exists between the information corporate leaders feel they need and what they feel they actually get. In a 2004 survey by Deloitte Research and the Economist Intelligence Unit, an overwhelming majority of corporate leaders said they considered factors such as customer satisfaction, product/service quality, operational performance and employee commitment to be "important" or "critical" drivers of success. But far fewer thought that they currently receive "good" or "excellent" information in these areas. (The report, In the Dark: What Boards and Executives Don't Know About the Health of Their Businesses, is available on the website of Deloitte Touche Tohmatsu at http://www.deloitte.com/dtt/whitepaper/0,1017,sid%253D1007%2526cid%253D62386,00.html.)

How Will Governance and Compliance Drive IT Priorities?
Governance and compliance are placing a premium on corporate leaders having easy access to high-quality information--information that is timely, relevant, accurate, reliable and transparent, as well as cost-effective and secure. Boards and executives can no longer afford to put up with data overload; out-of-date, incomplete or irrelevant information; conflicting versions of the truth; or a total lack of information about important areas of the business.

What needs to happen to fix these problems? On a fundamental level, there needs to be more and better communication and, hopefully, real understanding between the business (defined broadly) and IT leadership. To be clear: this is not IT bashing or about assigning blame. There's been much of that already. But, it does mean thinking differently about IT's role in corporate strategy and the ways technology can be used to advance, not just support, the company's business goals. Above all, it means recognizing that information quality has people and process elements, as well as technology components. Successful improvement depends on changing long-entrenched attitudes and behavior patterns: the lack of a strategic approach to information, resource and funding barriers, lack of process discipline and frustration with the magnitude of the problem, to name a few.

One way companies are addressing these issues is by fostering greater collaboration, or at least communication, between the finance and IT departments. Some are taking it to an extreme. Optimize magazine's third annual Defining the CIO report in June 2005 (Decoding the CIO-CFO Relationship, by Ann Senn and Kenneth Porello) shows that a growing number of CIOs are reporting to CFOs--from 8 percent in 2003 to 15 percent in 2004 to 22 percent in 2005.

To promote collaboration, companies might consider a cross-functional council to oversee information quality, complete with executive sponsorship and a charter outlining its mission, goals and success metrics. It's also crucial to identify stakeholders to be responsible for key information-related processes and, most importantly, to make them accountable for uncovering and solving problems.

Once a company builds a solid foundation of collaboration and accountability, it's ready to start addressing the myriad drivers of poor information quality. Specific actions to take might include the following:

* Reducing the complexity of application architectures. It's time to take a hard look at disparate and redundant systems, platforms, enterprise resource planning (ERP) instances and databases across the enterprise. It's true that standardizing ERP, integrating systems and consolidating databases can require a significant investment and take time to accomplish. The business case for doing so, however, is better than ever. The benefits now include not only operational savings from standardization, but also reduced compliance costs, lower risk of non-compliance and, perhaps most important, better-quality information for reporting, decision-making, risk management and governance.

* Enhancing dashboards and portals to give corporate leaders an integrated view of performance and compliance. Simply gathering data about performance and compliance isn't enough for good governance. The data must be turned into information that is relevant and accurate, and the information organized and delivered to business leaders in a usable and timely fashion. Enterprises need dashboard or portal strategies that give boards, executives and managers a single version of the truth.
Financial, operational and risk (or control) information, brought together in a meaningful way, can empower corporate leaders to recognize performance or compliance problems before they become crises.

* Automating controls. Automation reduces human error as well as the cost of manual testing, improving Sarbanes-Oxley compliance effectiveness at the same time as it lowers compliance costs. Continuous monitoring using automated controls will provide valuable information. Also, automated controls help strengthen fraud protection and can greatly improve general computer controls.

* Standardizing and rationalizing data. Poor information-collecting, analysis and management procedures can generate mountains of conflicting, duplicative and/or irrelevant data. Consolidating data entry points and formalizing information flows can help control the problem, as can a critical review of exactly what and how much information should be gathered.

* Improving IT governance. Effective policies, accountability structures, goals, metrics and training for IT processes throughout the enterprise can foster a culture of responsibility around IT that helps solve old problems and forestall new ones. So can establishing a process to make IT decisions collaboratively, not just between finance and IT, but across all relevant business units and functions.

If there's a single big "ah hah" in all this, it's that governance and compliance concerns are finally pushing corporate leaders to get information technology to truly deliver on its first name. There's plenty of technology, but information quality is often sorely lacking, and boards and executives are no longer in a position to accept merely tolerable solutions.

The idiom of the "elephant in the room" seems appropriate here. Corporate leaders have known about the problems of poor information quality for years. Until recently, they could more or less ignore the elephant without suffering too much harm. But now, corporate governance and regulatory compliance have made the room smaller and more exposed, the elephant bigger and much more boisterous and the entire situation too critical to neglect any longer. And, given the importance of the need and the pervasiveness of IT in today's organizations, governance and compliance will likely continue to drive IT priorities for a long time to come.

Lee Dittmar is a Principal with Deloitte Consulting LLP, a subsidiary of Deloitte & Touche USA LLP. He also serves as leader of the Enterprise Governance consulting practice and is co-leader of the Sarbanes-Oxley Steering Committee. He can be reached at ldittmar@deloitte.com or 610.479.3952. The views expressed in this article are those of the author and not necessarily those of Deloitte Consulting.

RELATED ARTICLE: Sarbanes-Oxley's Impact on IT

It is hard to believe that, two years ago, the conventional wisdom was that Sarbanes-Oxley compliance would have little or no impact on information technology (IT). It's obvious that nothing could have been further from the truth.
IT is critical for achieving the goals of the [Sarbanes-Oxley] Act, and the impacts and implications for IT are significant and pervasive. Application-level controls and general computer controls have been a big part of the work in year-one projects. Many companies have used technology to help manage their 404 projects, provide a controls repository and an audit trail. But the biggest impact on IT lies ahead. Sustainable compliance has impacts throughout the IT application architecture, on IT governance and in IT business processes.

Technology will enable the integration of financial and internal control monitoring and reporting, which will be important to most large and complex enterprises. Imagine an internal control system fully integrated with financial monitoring and reporting systems. Visualize a program that allows users to drill down from financial results to the underlying controls; or one that automatically flags exceptions, unauthorized entries and other anomalies. In most cases, the efficiencies gained by leveraging such technology will rapidly offset the implementation costs. The costs and risks of not automating to the fullest extent possible could be significant.

--Excerpted from "What Will You Do in SOX Year Two?" by Lee Dittmar, appearing in Financial Executive, November 2004

RELATED ARTICLE: takeaways

* The relationship between IT and compliance is evident, though it is a complex and confusing one.

* A key lesson is that today's compliance challenges are really information challenges. Sarbanes-Oxley virtually mandates that data be turned into financial information that is accurate, timely and transparent.

* In year one of Section 404 compliance, many companies found their IT assets and approaches were barriers to rather than enablers of high-quality financial information.

* A start is to foster greater collaboration between IT and finance departments; more CIOs are reporting to CFOs.