What's Your Compliance IQ?
By John H. Capobianco, president and CEO of Lumigent Technologies, Inc.
Apparently, Bernie Madoff doesn't have Internet access in the Butner Federal Correctional Complex. Which might explain why he hasn't taken our Compliance IQ quiz (http://bit.ly/3xNCLx). Not that I would expect Madoff's score to be all that tweet-worthy. Anybody serving 150 years in prison for running history's biggest Ponzi scheme probably isn't staying current on compliance issues.
That said, the Compliance IQ quiz is just that, a quiz. You don't have to be an auditor to take it, although that would probably boost your score. Instead, we designed the quiz to provide a reality check on the state of compliance. It takes just a few minutes if you're well-versed in compliance, and a bit longer if you have to Google your way through it. Then, we'll let you know how you rank relative to your peers, and you can share the results with the Twittersphere, the blogosphere, or your boss.
For anybody with test anxiety, let me break down the quiz lessons to their bare-bones essentials: Compliance is a business issue, with ramifications that extend far beyond the walls of IT.
That's it. That's the bottom line. When you break compliance out of its traditional IT GRC niche — the general computer controls, operational controls, and other issues associated with IT governance, risk and compliance — and automate compliance processes elsewhere in the organization, you discover some rewarding opportunities, such as:
Cost savings. In corporate business and finance groups, automating the financial controls that monitor ERP, financial management and other primary business applications can dramatically drive down the cost of auditing as well as regulatory and internal compliance reporting. And that cost can be considerable, easily surpassing seven figures annually.
Confining compliance to IT GRC hides the opportunity to save money in other departments. IT GRC simply doesn't deal with the compliance challenges facing CFOs, controllers and other business executives. Implementing controls around privileged user access and the rest of the IT GRC lifecycle overlooks business-level needs.
IT GRC solutions manage, test and report on controls in place, but they are not controls themselves. So, organizations must assign employees to manually perform routine but time-consuming tasks such as controls testing and auditing data on controls that haven't changed since the last audit. I mean, do you really want to manually audit changes to your valuable business data like cost records and price lists? Of course not. Regulatory compliance software is the control system for the application, so it eliminates the manual labor and automatically produces the end reports that the finance groups need. And it saves a ton of money in the process.
Reform relief. With Madoff and other Wall Streeters fueling the flames of regulatory reform, streamlined auditing and reporting will become mandatory for organizations that don't want to get buried by reform-driven, legislated reporting requirements. After all, few people seriously question the ultimate outcome of the Financial Crisis Inquiry Commission findings — more regulation, more oversight and more accountability. All of which is going to impose a tremendous cost and workload on companies that fail to automate their compliance reporting. Those companies are going to wind up spending millions annually on manual reporting just to prove to auditors that they are complying with reform mandates.
By automating compliance processes, organizations will be able to meet reform mandates without shouldering onerous costs and workloads. Better, when companies automate using continuous monitoring technologies, they will gain the ability to know and prove what's happening — or not happening — to the source data and key business controls of financial applications, in real time. With an automated method for proving that data did not change, companies avoid costly, manual testing and review of unchanged data and controls. They also gain what the Committee of Sponsoring Organizations considers "persuasive information," something that provides…
Prosecution protection. While 150 years in prison is extreme, Madoff's sentence highlights a sobering fact: CFOs and CEOs are criminally liable for the information reported in their quarterly and annual reports. These executives can be prosecuted for mistakes or misrepresentations that may have been made either intentionally or accidentally. That means the figures in those financial reports must be accurate, supportable and auditable. Here, automated compliance systems that continuously monitor source data and key business controls give companies persuasive evidence, providing the accuracy that is paramount when a document is signed under the penalty of criminal action.
I'm not knocking IT GRC. I'm just saying it's part of a bigger compliance picture that includes complying with international, federal and state mandates; following corporate best practices; and maintaining client and investor confidence, among other things. Yes, you absolutely need IT GRC for privileged user access, security, etc. But you reap even larger rewards by tightly integrating business processes and regulatory controls with business applications. When you have continuous visibility into activities tied to specific business applications, you shorten ongoing audit processes, save time and money, ensure risk mitigation and maintain proper regulatory compliance — advantages that are available to anybody, regardless of their Compliance IQ.
John H. Capobianco is president and CEO of Lumigent Technologies, Inc., the GRC business apps company driving down the cost of regulatory compliance. For more information visit http://www.lumigent.com.
SOURCE: Lumigent Technologies, Inc.