I.T. Governance: Overcoming the Triple Threat

Mention the word “compliance” in a roomful of executives these days, and you’re likely to hear a chorus of groans and sighs.

In addition to Sarbanes-Oxley—the law attacking corporate fraud that Congress passed in 2002—organizations are grappling with the Payment Card Industry (PCI) security requirements for credit card data; the Health Insurance Portability and Accountability Act (HIPAA) requirements for private and secure health-care data; requirements from the Food and Drug Administration to keep terrorists from tampering with supply chains for food and pharmaceuticals; and numerous other federal, state and international regulations, many passed after the Sept. 11 attacks.

“Regulation will continue, and it will be more intrusive, not less,” says John Garvey, a partner at auditor PricewaterhouseCoopers. That’s because in democracies, he says, elected officials will not stop insisting that consumers and investors be protected from the risks of modern life.

Some companies are turning to information technology to help them comply with Sarbanes-Oxley and other mandates.

Software products are helping them keep track of employees’ roles and responsibilities, changes in their business processes, and whether compliance is contributing to the business at large.

In 2006, 40% of companies plan to spend money for information technology to comply with Sarbanes-Oxley, according to an AMR Research survey of 332 corporations. Sarbanes-Oxley came in first on spending, ahead of 15 other mandates, including document retention, manufacturing process approval, and various privacy and security rules.

And some companies that use software to help them comply with regulatory mandates cite unexpected benefits to their organizations.

At Sky Financial Group, a regional financial holding company in Bowling Green, Ohio, the corporate culture has become stronger and more aware of internal controls, according to Donald Hileman, senior vice president of finance.

At Blackboard, a Washington, D.C., company that creates and sells software for online education, communication between the business and information-technology sides of the company has become more organized, says senior vice president of information technology John Lambeth.

Still, software is not a panacea.

For one thing, information technology has not slowed the rise in spending for compliance—at least not for Sarbanes-Oxley, which requires companies to certify that their financial statements are true. Between 2003 and 2005, the median cost of complying with the anti-fraud law rose 27%, from 0.074% to 0.094% of overall revenue, according to The Hackett Group, an Atlanta-based consulting company specializing in business efficiency.

In addition, frameworks for information-technology controls—such as COBIT (Control Objectives for Information and related Technology) and ITIL (Information Technology Infrastructure Library)—are themselves still maturing.

Research firm Gartner says that spending for compliance is scattered across 18 types of products, although they do cluster into three categories—process management, content management, and application access and control. Process management is where companies tend to look first for information technology, although Gartner expects spending to rise in the other two areas in 2006 and 2007.

But there are no “silver bullet” compliance products for companies, says John Hagerty, a vice president at AMR Research. He advises companies against relying on any information-technology product for compliance until they understand their business processes.

“Have a frank conversation with your auditor about expectations, then design your plan and do a lot of work on spreadsheets first,” he says. Technology should support the processes, not the other way around.

To better understand how technology has helped businesses deal with regulatory mandates, Baseline interviewed more than 15 companies, consultants, auditors, analysts and vendors, and found three obstacles that most had in common.

Here’s how three companies in particular are meeting those challenges.
