Compulsion of compliance and regulations

April 21, 2010

The Information Systems Audit and Control Association (ISACA), the global body of Information Systems (IS) professionals in the field of audit and control, held its annual conference recently. During the event, ISACA's vice president Robert E Stroud, who is also CA's vice president — Service Management, shared his views on compliance and governance in businesses, the role of GRC, and malpractices across organizations with Pankaj Maru of CyberMedia News. Excerpts:

Are businesses willing to implement compliance and governance norms to make their business seamless and secure or is it that the governments are pressurizing the businesses to do so?

There are two drivers here. The first is compliance, which means getting compliant with rules and regulations such as Sarbanes-Oxley, Basel II, Solvency II, the EU Directive, the Data Protection Directive, Data Privacy and others. This has led to a lot of governance and implementation across industries, especially in the US and European countries.

The second aspect has happened over time: with the advent of IT systems and cloud computing, companies and their CIOs are looking at the governance of IT in their organizations in terms of on-time delivery, the ability to meet business requirements, cost, and also how they might leverage outsourcing to reduce cost.

So now, with IT systems and processes in place, the implementation of governance is more internal than external. However, in the first instance, there's no doubt that governments force businesses to implement compliance and regulations such as Sarbanes-Oxley and others. And today various IT matrices have been added on to these compliances; for instance, CIOs have quickly identified opportunities to automate various processes which earlier were done manually.

This has led to automation of data collection, which we now call the Governance, Risk and Compliance (GRC) industry. So it's the governments that bring businesses under compliance and governance norms.

How is the GRC industry reaching out to other verticals, apart from the financial, banking and insurance sectors? And how significant is the reach of the GRC industry today?

I have actually seen an increase in the number of verticals doing compliance. If you look at just compliance, then I think there are many verticals for which compliance is very important, like the manufacturing vertical, where I believe compliance will become a very hot issue. The issues at Toyota are a perfect example, where they had a massive recall of car parts. Now that's a business problem, but IT systems were involved in the making of every car.

So if you consider that legislation requires reporting any major faults in vehicles to regulatory bodies within a period of time, then that's the control we can place in the system and automate the process. So that's where the opportunities come in. And so manufacturing, health care, automobiles and many other sectors are following governance and compliance norms today. The idea is to just make a dashboard that will inform executive management of the status in a near-real-time environment, which allows them to take valid business decisions.

With businesses going digital, mobile and online, does the compliance, risk and governance environment become inevitable for them?

The reality of any business process, whether it's done manually or automated, is that there are usually audit points and control points defined. As all the audit and control points today are performed manually or automated, the audit looks for sample data, goes through it, validates it and then signs off. But in the GRC environment, we already know that a process is under a strict chain of controls, which is well documented and approved, and is in place using IT systems that help in implying data checks or in preparedness during the business.

And I strongly believe that if your environment is more complex, such as mobile or Internet, investment in GRC with the right outcome ensures that the solution is not just cost effective but also reduces errors in businesses. And I think that the key aspect for businesses in a digital environment is data accuracy and securing information.

Should the GRC system be blamed for any malpractices and wrongdoings in an organization? Who should be accountable?

In any kind of GRC system and IT process, if you feed incorrect data then your generated reports will be incorrect, and this can be due to a number of reasons — one, if the parameters are defined incorrectly for collecting the data, whether it's manual or automated; secondly, any kind of human error — someone could just have made a human mistake, and these things can happen from time to time. And the third point: if somebody is absolutely going to perpetrate a fraud or not disclose accurate or correct data, then the resulting audit and control reporting is incorrect or wrong.

And if you have an automated process in place which is correctly articulated, then the only way of doing that is by manually altering the data, by which the IT systems and processes will point out the flaws and identify them. Therefore, one of the benefits of automated systems is that you are going to have more accurate reporting, and so the onus in this circumstance is on the team that is in charge of the reporting and controls externally to validate and approve it.

So the GRC systems shouldn't be blamed, because it is the innovative nature of humans that breaches the well-defined IT and security systems to carry out malpractices. And one can say it's the humans, and not GRC, that are to be blamed for it.
