Introduction
The repercussions of recent major corporate frauds such as the Enron and WorldCom scandals have given rise to an increasing number of new governance laws and regulations. These include the Sarbanes-Oxley Act (SOX), Basel II, the Data Protection Act and International Accounting Standards.
These regulations address issues in financial and reporting practices, data protection, privacy and the risk management practices of international banks, as well as the prevention of fraud and money laundering. For example, Section 404 of SOX requires companies to report on the state of their internal controls to ensure accurate financial reporting and fraud protection, while Section 302 requires the CEO and CFO to certify the accuracy of relevant financial reports.
Governance Regulations & Their Ramifications
Complying with these new regulations by governments and global regulatory authorities has placed great demands on company resources and finances. The new governance regulations affect many companies, big or small, international or local, in the world.
For example, SOX affects not only publicly held companies but also private companies including those that plan to go public and those that do business with companies governed by SOX. Many small and medium enterprises (SMEs) also implement compliance programmes because their customers, bankers, insurers or auditors require them to do so.
Cost of Compliance
Many companies find the cost of compliance to these governance laws onerous both in terms of financial costs and investment in time and resources.
According to AMR Research Inc., US companies will spend a combined USD 6 billion on programmes to comply with the Sarbanes-Oxley Act in 2006. In a March 2006 survey by Financial Executives International (a professional association for senior financial executives), it was estimated that the average total cost of complying with Section 404 of SOX in 2005 was USD 3.8 million per company.
Key Stages of Compliance Management
In a globalised economy where organisations outsource to and collaborate with global partners, regulations introduced in major economies such as the US and Europe can drive global trends of similar regulations affecting countries in other parts of the world.
There is a compliance “spill over” effect as companies in the US and Europe exert pressure on their overseas partners to adjust their business processes to meet their compliance requirements.
Penalty Avoidance
In the initial stage of compliance management, most companies in Asia and other parts of the world outside the US and Europe allocate their resources to implementing compliance programmes that meet the minimum expectations of their customers. Their objective in complying is to avoid a ‘penalty’ or loss of business.
Optimize & Sustain
Given that compliance programmes are not one-off projects but are on-going imperatives to meet business objectives, companies realise that piecemeal approaches to the compliance efforts are not sustainable and will not yield the desired benefits.
An increasing number of companies are finding that embracing the spirit, and not just the letter of the law, can provide them with significant opportunities to optimize their operational efficiency beyond regulatory compliance.
These companies have found that when they integrate compliance into their business processes and where ownership of every process is clearly identified, the compliance programmes become sustainable with positive results shown in improved bottom line and reduced costs.
Leverage Compliance for Competitive Advantage
Many companies are leveraging compliance beyond meeting regulatory requirements. They are using compliance as a catalyst to improve their financial, data protection and reporting practices to increase their profits and reduce the cost of fraud. Compliance related business process improvement serves not only to mitigate risk but can also unleash the companies’ competitive assets.
Investing in compliance solutions can provide business value to sustain competitive advantage in the following:
• Ability to deliver relevant information to decision makers at all levels at all times;
• Capability for ensuring the privacy and security of sensitive information assets;
• Improvement in reporting capabilities and internal controls;
• Enhanced image and branding of the company.
Demands of Compliance on Information Technology
Although most people would think that compliance is mainly a concern for finance and company directors, Chief Information Officers (CIOs) are playing a bigger role in developing and implementing regulatory compliance programmes. This is because most of today’s business processes and internal controls are automated and driven by information technology (IT).
Implementing programmes to comply with new regulations creates the need to change business processes, which in turn requires modifications to existing IT systems and applications. The constant changes in organisational structure and IT systems to meet the demands of new regulations and changing business processes pose great challenges for companies and their IT departments.
Challenges Facing Information Technology
In a May 2005 survey conducted by Mercury and the Economist Intelligence Unit (EIU), over 800 IT executives from the US, Europe, Middle East and Africa (EMEA) and Asia Pacific commented on the challenges they were facing. More than 74 percent of US companies, 45 percent of European companies and 80 percent of Asia Pacific companies cited implementing programmes to comply with regulations as one of the biggest challenges facing their IT departments.
CIOs and corporate IT executives face many constraints when implementing compliance programmes. Tight budgets are a main concern. In the EIU survey, more than 40 percent of IT managers in the US and Asia Pacific and 35 percent of EMEA respondents cited budgetary constraints as one of the biggest obstacles to achieving compliance objectives.
In addition, IT executives’ lack of awareness of the wider business issues relating to compliance was also cited as a major obstacle to compliance. The difficulty in finding and hiring IT professionals with business skills hampers the implementation of effective compliance programmes.
Role of IT Governance in Sustainable Compliance
Unlike finance which has traditionally been subject to regulations, accounting and auditing standards and internal controls, IT departments have never been regulated and are seldom subject to internal controls.
Because IT systems and applications tend to be technically complex, most CEOs and CFOs do not have a complete grasp of their companies’ IT architecture. This may lead to lack of understanding and support from the management for the companies’ IT compliance projects, resulting in risk of non-compliance and poor return on IT investments.
However, as most of the data and information needed for compliance are managed and stored in IT systems, and most financial control processes are driven by IT applications, CEOs and CFOs must have complete confidence in the integrity of their companies’ IT infrastructure.
In order to mitigate the cost and risk of compliance projects, firms need to develop an IT governance framework that enables them to comply with new regulatory requirements without having to “re-invent the wheel” each time.
IT governance provides a framework for leveraging technology as an enabler of business process change. It includes the establishment of reporting, monitoring and evaluation processes to guide appropriate investment in and application of technology in alignment with business processes and objectives. The framework should encourage desirable behaviour not just on the part of IT staff, but of everybody in the organisation who uses the IT systems and applications.
However, IT governance structures cannot exist in isolation. They have to be developed in co-ordination with other key functions in the company including finance, human resources, sales and marketing, customer and partner relations.
Sustainable Compliance
A sustainable compliance strategy can help to avoid the escalating costs of compliance programmes. A fundamental principle is to align compliance initiatives with the entire organisation structure.
The key components of a sustainable compliance strategy are:
• A well-defined accountability structure;
• An efficient operating structure;
• An enabling technology structure.
Clear Accountability Structure
In many organisations, it is common for the internal audit department to assume responsibility for the oversight of all internal control functions. As business processes become more complex and technology applications become more sophisticated, it has become untenable for the internal audit department alone to monitor and check that the company’s entire set of control, reporting and data protection practices complies with established policies and guidelines.
For compliance to be sustainable over the long term, overall responsibility must shift from internal audit to business process owners along the entire corporate structure. This means that compliance strategy must be incorporated into the overall business strategy. Owners of the various business processes would have to be identified and their roles in the control management process must be clearly defined.
Efficient Operating Structure
The axiom that automating an inefficient operating structure is merely automating inefficiency into the business processes can be applied to compliance. Aligning compliance processes along inefficient operating processes would not only be costly but would also expose the company to the risk of non-compliance. It is therefore crucial for the company to develop an operating structure that can facilitate monitoring and reporting in the form and context required by the regulators.
Technology Structure
Some organisations have the tendency to view technology as the “silver bullet” that can solve all their operating and compliance problems. While technology can deliver significant and measurable business returns if it is chosen and implemented correctly, the reverse can also be true.
As an enabler for facilitating process changes and compliance, the technological solution should be able to undertake the following functions:
• Schedule and automate the workflow of compliance initiatives;
• Monitor and report the exposure and status of business risk;
• Support a cost-effective infrastructure that is easy to use and modify;
• Facilitate financial transparency and good corporate governance;
• Manage disclosure and control processes;
• Provide visibility into process flow;
• Support effective document and records management.
Recognising the challenges faced by IT executives in implementing IT solutions to drive operational efficiency and regulatory compliance, the IT Governance Institute (ITGI) and Information Systems Audit and Control Association (Isaca) have developed an IT governance framework called Control Objectives for Information and related Technology (COBIT).
According to Isaca’s definition, COBIT is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables companies to establish IT best practices throughout the organisation and better align IT projects with business imperatives. It provides an easy-to-understand overview of the organisation’s IT infrastructure for non-technical business managers, helping them to get the most value from IT projects.
Beyond Compliance: Enterprise Risk Management
Globalisation and the outsourcing phenomenon mean that organisations and business processes will become more complex. With new breaches of corporate governance being reported regularly, and with businesses operating across different political, economic and legal environments, the trend towards more rather than fewer regulations will continue.
Companies that have implemented sustainable compliance programmes find that they can reap more substantial benefits than just satisfying regulators. By leveraging their optimized business processes and enterprise-wide IT alignment, companies can establish enterprise wide risk management initiatives that can drive greater shareholder value.
Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organisation in order to minimise the effects of risk and maximise business value in an uncertain environment. There are tools such as the Enterprise Risk Management Integrated Framework developed by the US Committee of Sponsoring Organisations of the Treadway Commission (COSO) to guide organisations in managing their business risks.
Conclusion
Increasingly, corporate boardrooms, in addition to meeting their responsibilities under the law, expect to see tangible value to the business from the efforts and investments in compliance, IT governance and risk management. Companies that succeed in integrating these efforts into their business processes are able to create the business value that meets boardrooms’ expectations.
The author is Managing Principal, Risk Management Consulting of Atos Origin.