Process 3: Comply with Directives

Published: April 25, 2008   |   Updated: October 10, 2008


Compliance is an application of risk management that ensures IT’s conformance with company policies, governmental regulations, and industry-specific laws. Some of the better-known compliance laws and their functions are included in the following table.

Table 7. Examples of Compliance Laws and Their Functions

Compliance law: Function

  • The Sarbanes-Oxley Act (SOX): Enhanced standards and controls for all public company boards and public accounting firms in the United States
  • Health Insurance Portability and Accountability Act (HIPAA): National standards for electronic healthcare transactions
  • BASEL II: International standard for banks

Increasingly, compliance activities require greater diligence and responsibility from IT pros. For example, many large corporations have significantly automated their financial management systems, which has resulted in the automation of internal business controls. These application controls are part of the compliance environment; when they are automated, they become part of the IT environment. IT pros must also be aware of general computing controls (for example, the separation of development and test environments), which are defined as those processes, activities, and configurations that are applied across multiple infrastructure components in order to ensure that technology performs as expected.

Evidence and Assurance Reporting

Assurance is the process of providing executive management with an indication of how well its goals and objectives are being met (complied with) by the organization. Assurance reports are the responsibility of the auditing department, which provides an impartial assessment. This reporting is based on data that demonstrates the effect of controls put in place to achieve results in an intended manner. Evidence is the term used to describe this data, and testing is the process of exercising the controls to generate evidence. Testing may also refer to evaluating the evidence generated.

This can be confusing to IT pros who usually use the term “testing” to refer to the quality assurance (QA) processes used in software development and system deployment. Saving the actual data used to perform testing (the evidence) is not a common part of the IT pro’s testing methodology. However, auditors want to see evidence collected over a sufficiently long period of time to be able to form an opinion about the effectiveness and efficiency of controls. Another point of confusion between assurance testing and the IT pro’s use of the term “testing” is that assurance testing usually focuses on controls and processes in the production environment. It is focused on what is actually happening in the real-world experience of the organization—not in the isolated test environment, where functional issues can be isolated and resolved.

Finally, assurance reporting can be obtained from several sources (for example, compliance audits, security audits, or auditing related to contractual obligations), and IT pros may find that they are asked for very similar evidence numerous times. By becoming aware of assurance activities in their organization, exploring retention requirements for evidence, and understanding the use of the required evidence, IT pros can improve efficiency and reduce the disruptive aspects of the assurance process.


Figure 6. Comply with directives

Activities: Comply with Directives

The compliance process is iterative; IT must continually monitor the environment, adapt to regulatory changes, and respond to management directives. IT pros should be careful to look to company policy for directives, rather than interpreting regulations without input from other areas of the business. The regulations themselves should be evaluated by various groups within the company (for example, legal, HR, and finance), who will then determine the company’s stance regarding any particular regulation.

The IT pro should actively bring IT-relevant regulations to the attention of the business. These regulations can then be evaluated, the company can determine its position relative to each, and appropriate policies and directives can be constructed to guide decisions and activities. With that pathway established, the auditor will be able to take management objectives—now in the form of directives—and audit compliance to those directives.

This process includes the following activities:

  • Identifying policies, laws, regulations, and contracts
  • Selecting policies, laws, regulations, and contracts
  • Assessing current compliance state
  • Setting future compliance state
  • Creating compliance plan
  • Maintaining compliance
  • Auditing compliance

Table 8. Activities and Considerations for Complying with Directives

Activity (each heading below): Considerations (the key questions, inputs, outputs, and best practices listed under it)

Assumptions

  • The organization wants to make sure that directives are followed, whether or not they are subject to formal requirements for governance.
  • IT may have services that carry performance requirements with penalties for non-compliance.
  • The organization has been subject to audit findings that indicate its control environment is ineffective or inefficient or that have resulted in the company being out of compliance.

Identify policies, laws, regulations, and contracts

Key questions:

  • What laws and regulations (local, national, or global) apply to the company?
  • What governing entities apply to the company’s activities?
  • What objectives require policy to demonstrate management’s intent and to make sure desired activity can be enforced?
  • What IT service commitments carry performance compliance requirements?

Inputs:

  • Worldwide, national, and local laws and regulations
  • Governing entity requirements
  • Management directives
  • Legal’s review of compliance needs
  • Performance requirements from IT service level contracts

Outputs:

  • Identified laws and regulations and the organization’s directives for compliance
  • Identified compliance directives that support the organization’s intent to deliver against strategy

Best practices:

  • Compliance has multiple facets, but the primary considerations relate to compliance with management objectives, company directives, and legal requirements. Also, services should be performing in a manner that complies with agreements and contracts. Monitoring and metrics may provide information for both areas of compliance.

Select policies, laws, regulations, and contracts

Key questions:

  • Has the business reviewed and determined what laws and regulations the company is clearly subject to?
  • Is there a control framework that effectively covers the laws and regulations that the business is subject to?

Inputs:

  • Reviewed list of laws and regulations and interpretations
  • Risk tolerance of the company
  • Past audit reports
  • Potential control objectives from relevant frameworks

Output:

  • List of laws, regulations, and performance and control objectives to be addressed by company policy

Best practices:

  • An organization’s culture and the way it works to achieve strategic goals will greatly affect the areas selected for compliance activities. Balancing the requirements for compliance and culture requires that the decisions are made openly with appropriate stakeholders.
  • Include legal and audit professionals in the discussion.

Assess current compliance state

Key questions:

  • What is the current state of compliance to relevant laws, regulations, and directives?
  • What is the state of compliance to performance objectives?
  • What is the history of non-compliance incidents and is there an identifiable trend?

Inputs:

  • Risk assessments for systems and business processes (see “Process 2: Assess, Monitor, and Control Risk”)
  • Existing policies and directives
  • Compliance reporting, whistle-blower activity
  • Performance compliance for IT service contracts and agreements

Output:

  • State of compliance health (report or dashboard)

Best practices:

  • Compliance health can be volatile. One goal of a vigorous compliance program is to decrease volatility through active monitoring of controls and the detection of trends. A compliance dashboard that is frequently refreshed with recent monitoring data will keep senior managers informed, but not burdened with compliance reports. A dashboard should support further investigation into details of compliance incidents.

Set future compliance state

Key questions:

  • In what areas are there recurring incidents of non-compliance?
  • What compliance risks are outside of the company’s risk tolerance?
  • Have penalties been incurred for IT services that failed to comply with performance requirements?

Inputs:

  • Current state of compliance
  • Changes in IT portfolio and service catalog
  • Changes in regulatory environment relevant to the business
  • Regulatory trends and legal rulings that may impact the business
  • Changes in business tolerance of risk
  • Potential modifications, reductions, and additions to control environment

Output:

  • Documented compliance roadmap for future state

Best practices:

  • Consider non-compliance from several perspectives: Are related procedures and guidance inappropriate or confusing? Is the policy too heavy-handed and burdensome, which could result in a conflict between performance and compliance? Is training adequate?
  • Consult with legal counsel before finalizing policy based on regulation. It is important to have an interpretation of how the company should comply with regulations that includes a broader understanding of legal precedent and maturity of regulations.

Create compliance plan

Key questions:

  • In what ways will the compliant company (the “to-be” state) differ from the current company?
  • What is not working effectively in the current compliance program?
  • What resource requirements, training, and changes to policies, processes, and systems will be required to become compliant?
  • Do IT service contracts with performance clauses need to be addressed?

Inputs:

  • Documented compliance roadmap for future state
  • Senior management review of the “to-be” state, strategic goals, and business objectives
  • Agreement that the identified “to-be” compliant company and strategic goals are compatible
  • Project plans for changing identified IT services to achieve better performance compliance

Output:

  • Proposed compliance plan project approved by all stakeholders

Best practices:

  • Pay attention to the culture of compliance in the company. If the company is in a heavily regulated industry, there is likely an expectation that compliance requirements are part and parcel of day-to-day activity. On the other hand, if the industry is one of fast-paced change that is driven by growth, compliance might be seen as a burden or a “tax” to be avoided. Future compliance plans need to take this into account and move the compliance culture in the desired direction based on its current character.

Maintain compliance

Key questions:

  • What non-compliance issues are happening?
  • Are there ways to reduce the costs of compliance without increasing risk?

Inputs:

  • Compliance plan
  • Service management and control reporting (see the Service Monitoring and Control SMF)
  • Audit reports, control monitoring
  • Risk and compliance tolerance levels

Outputs:

  • Compliance reporting
  • Compliance dashboard updates

Best practices:

  • Compliance issues often contain sensitive information. Different individuals should see different parts of this information. Multiple views of the information, along with role-based access to reporting and/or dashboards, will help address privacy concerns.
  • The compliance environment is dynamic—it requires frequent reviews of applicable controls. These control reviews should involve a cost/benefit analysis that includes risk dimensions as well as operating effectiveness.

Audit compliance

Key questions:

  • What is changing in terms of relevant laws and regulations or new requirements the company may become subject to?
  • Is the current state of compliance acceptable to senior management?
  • Is sufficient evidence of control activity, testing, and maintaining control compliance kept current and appropriately stored?

Inputs:

  • Legal reviews and updates to regulatory interpretations
  • Auditing of normal operations
  • Reporting and debriefing interviews with senior managers regarding the state of compliance

Outputs:

  • Compliance audit results
  • Updated compliance plan

Best practices:

  • Regulations may have clear consequences for non-compliance, such as fines and/or prison sentences, but often have very general requirements. Legal and audit representatives can help clarify what actually needs to happen for IT to be compliant.
  • Make sure that appropriate and sufficient evidence of control activity is stored for later evaluation. Work with internal and external auditors to understand the requirements for evidence gathering and storage, and initiate that conversation months before any planned audit activity in that area.
  • Ensure the use of service level agreements (SLAs) to help define the quality of IT services and establish guidelines for performance and requirements for compliance. For more information about SLAs, see the Business/IT Alignment SMF.