Streamlining Your Compliance Strategy

Like it or not, many of today's organizations have to plan for audits - in some cases once a year, in other cases on an ongoing basis. Of course, meeting compliance and auditing requirements takes time, resources and money. That's why many organizations have started to look at the effectiveness of their compliance and auditing strategies, with an eye to streamlining and automating processes and simply making audits less painful and costly.

For many organizations, IT compliance is now seen as essential to ensuring regulatory and business compliance. As a result, IT teams need a greater understanding of business functions across divisions. They are no longer only an invisible back-end support unit; they can be more involved in streamlining business processes as well.

To help organizations learn how to optimize their auditing and compliance strategies, I talked with Jorge Rey, an information security and IT audit manager with Kaufman, Rossin & Co., a Miami-based accounting and consulting organization. Here are some key recommendations from Mr. Rey:

  • Understand Your IT Compliance Needs: The bottom line of compliance is protecting information. However, not all information needs to be protected the same way. Depending on your compliance requirements, information will need to be protected from unauthorized access, use, disclosure, destruction, modification, or disruption. Understanding what information to protect and how to protect it will help your organization design an information security program that addresses your regulatory and business requirements. Furthermore, it will help you assess what type of audits and related procedures will be required.
  • Understand the Types of Audits: Audits should be performed by an independent and qualified group (internal or external). Each organization, regardless of its size and complexity, should want to understand how it is managing its compliance efforts and IT risks, and how it can improve its processes. The types of audits that can be performed are: Financial, Operational, Integrated (financial and operational), Administrative, Agreed-upon procedures, Information Security and Forensic audits. "Regardless of the type of audit that is or should be performed, some organizations, depending on their government or external requirements, might be required to have an external audit group issue an audit report," says Mr. Rey.
  • Identify Your Potential Risks and Decide on the Optimal Frequency: Organizations should assess and understand their regulatory and business risks to determine the optimal mitigation strategies and audit frequency. If the organization identifies the vulnerabilities and threats to its information resources, it will be able to determine the frequency and future benefit of the audit. The controls surrounding a business process should be audited more frequently when the consequences for the company would be devastating if the vulnerability were exploited. Thus, the optimal frequency for audits depends on the potential threat and the loss potential. "The frequency of audits should be established during the audit planning. Analysis of short- and long-term planning should be covered during the planning so new risks related to control issues, regulations, technology or business processes are properly identified," says Rey.
  • Understand the Impact on IT: It's now more important than ever for business to have an understanding of IT (as well, of course, as IT having an understanding of business). "As a result of IT auditing and/or compliance requirements, it is more important for business process owners to have a better understanding of IT. Business owners are responsible for defining business requirements while IT is responsible for implementing and/or maintaining these," says Rey. "IT typically understands the business process (at the end, they are the backbone of many organizations) but they should not be responsible for making business decisions on behalf of business users unless explicitly requested and risks accepted."

For example, when data retention policies need to be addressed, the business user should indicate to IT what information resides where and what the retention period should be. However, this rarely happens, and IT is the one assuming responsibility and trying to establish a retention schedule that accommodates all business users' requirements.

  • Fine-tuning Your IT compliance strategy: A good way to fine tune your IT compliance strategy and make audits easier and more consistent is by adopting a business process improvement framework such as Capability Maturity Model® Integration (CMMI) (
  • Key Recommendation: "My number one recommendation is to have executive management involved, including the audit committee and/or board of directors, in your compliance reporting (if applicable)," says Rey. "Not having them included will affect the organization's ability to align IT compliance with business and IT risks mitigated."

Lastly, Rey warns companies to start with the basics. "The most overlooked issue when planning for an audit is the lack of sound risk assessments," says Rey.

About the Author

David Kelly - With twenty years at the cutting edge of enterprise infrastructure, David A. Kelly is ebizQ's Community Manager for Optimizing Business/IT Management. This category includes IT governance, SOA governance and compliance, risk management, ITIL, business service management, registries and more.
