Comment: Compliance trends on the horizon

Klein says that auditing costs will shock organizations of all sizes
Klein says that auditing costs will shock organizations of all sizes
Cheryl Klein, GRC Consulting Services
Cheryl Klein, GRC Consulting Services

No matter what industry you are in, expect to encounter many compliance challenges in the forthcoming years. Many regulations, such as HIPAA, are beyond their grace period, which foretells audits for many companies. Other regulations, such as PCI DSS, plan to increase their fines in the coming year while Congress will likely add more compliance regulations in the coming months – especially for firms in the financial sector.

But fines and new regulations aren’t your biggest challenges. For the rest of the year and beyond, achieving compliance cost-effectively will be crucial. To help guide you through the compliance landscape, here are five trends in particular to monitor.

1. Control Spreadsheets and You Control Costs

Because of their flexibility and ease of use, the number-one financial reporting tool is the spreadsheet. However, spreadsheets rarely fall under administrative control. They also tend to be poorly managed and are usually a big headache for auditors. Many organizations fail to take spreadsheets into account when they plan for compliance audits, particularly small organizations that can’t afford lengthy, costly audits. But paying attention to spreadsheet controls can pay big dividends in terms of reducing compliance costs.

A case in point is Chugach Electric Association, headquartered in Anchorage, Alaska. Chugach is a mid-sized company (about 330 employees) in the heavily regulated electric utility sector. While the business is a cooperative, it must still comply with Sarbanes-Oxley (SOX) because of public debt.

Large organizations often spend millions to comply with SOX, but this is an expense Chugach simply can’t afford. Instead, Chugach hired my consulting firm to help them streamline the process and trim expenses. As we studied Chugach’s key controls, we found that many of them relied on spreadsheets. This is not unusual, but spreadsheet programs such as Excel leave document controls and change-management out of the picture. This means auditors must manually test the integrity, completeness and accuracy of spreadsheets.

2. Auditing Costs will Shock Organizations of All Sizes

Auditing is expensive on two fronts: First, valuable employees are taken away from their normal jobs and shifted to supporting internal audits. For many, this becomes a full-time job that takes weeks or months to complete. Auditing isn’t what you hired these employees for, and it is not the best use of their time.

Second, once the external auditors come in, the expense to get them in line will be significant if your controls are not in order. With spreadsheets, for instance, an auditor will charge upwards of $200 per hour to manually test the accuracy and completeness of the data. This process could take hundreds of hours as auditors pour over formulas, tabs, references, indexes and more on every financially significant spreadsheet.

For Fortune 500 companies, the expense impairs competitiveness – even in good economic conditions. Furthermore, regulations aren’t confined to the Fortune 500. As SOX, HIPAA, FFIEC, PCI DSS, state privacy laws and other regulations filter down to mid-sized and smaller organizations, the cost of manual audits becomes prohibitive.

Organizations of all sizes will be shocked and challenged by skyrocketing auditing costs and will seek ways to manage those costs. Smart organizations will turn to automation.

3. Multiple Benefits of Automation

Automation is the single best way to keep compliance costs in line. Automation is also a case where you have to spend in order to save. Forward-thinking organizations will realize that small upfront costs eventually will pay for themselves.

A crucial strategy in keeping compliance costs down is using automation and repeatable processes. With spreadsheets being a key problem area, I like to suggest services such as Brainloop’s virtual data room. As a web-based application, Brainloop is a collaborative tool that places security controls over documents. By moving spreadsheets into a Brainloop data room, my clients have an easily verifiable process in place to show auditors that controls and change-management are layered over their spreadsheets.

The result is that firms can now know exactly who owns a document and who has the access rights to modify it, as well as when changes are made and by whom. By adopting controls like this, compliance and document security are built into the document creation and maintenance process, and both are systematically and thoroughly applied.

Instead of testing each and every spreadsheet, the auditor must only validate that the process is working. Compliance is achieved in as little as 30 minutes rather than hundreds of hours.

In addition to adopting new technologies, organizations will look harder at the business enterprise software they already have by drilling deeper into their feature sets and leveraging the automation they’ve already paid for but haven’t had the incentive to use – until now.

4. Effective Document Controls Support Both Security and Productivity

According to a recent survey by the Ponemon Institute,1 employees routinely engage in activities that place sensitive data at risk. More than 60% routinely download data onto unsecured mobile devices, which are often not secure because 21% of employees turn off the security tools those devices may have. Forty-three percent admit to having lost data-bearing devices.

Sensitive data is routinely put at risk, and if organizations luck out and don’t pay the price through a data breach, they’ll certainly pay for it in the event of an audit. This is a tough problem to cope with because it is not simply a technical issue. Employees don’t move data onto unsecured peripherals and mobile devices to be malicious, and they certainly don’t lose those devices on purpose. Instead, employees are trying to do their jobs with the tools they have at their disposal.

In a challenging business climate, organizations will realize that although document security automation is necessary to keep costs in check and to establish corporate oversight of documents, they’ll also learn that not all security practices are created equal. If the price of document security is that it places productivity burdens on employees, then the cost-benefit ratio will probably weigh too heavily toward costs.

As business finance commentator Alan Radding notes, the same human factors that promote unsafe data practices – the desire to work quickly, effectively and efficiently – can also drive users to comply with security protocols, provided those protocols are implemented within a transparently secure workspace that automatically delivers productivity tools.2

In the coming years, expect this challenge to be met in one of two ways. Forward-looking companies will learn from those who have come before them. They will adopt document-compliance management software that helps rather than hinders employees as they do their jobs. Services from the likes of Brainloop, EtQ, and Proquis will make handling sensitive data in a secure manner simple enough to become second nature. These companies will also enjoy streamlined and inexpensive audits.

Slower-moving organizations will ignore history and neglect automated tools that balance security with productivity. Their employees will routinely put data at risk by actively avoiding cumbersome corporate controls. They will also improperly store and share data, and the challenge these organizations face will be the price they pay through IP theft, data breaches, expensive audits and fines.

5. Automation Helps not Only with Compliance, but with the Bottom Line

Not only will organizations that are slow to adopt automation suffer through expensive audits and possible fines, they may also slip competitively. Automation may be embraced solely for compliance, but that doesn’t mean its benefits are confined to compliance.

Improved security, streamlined workflows, automated change-management, better transparency and increased productivity all result from the proper deployment of automated tools.

Notes

  1. Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security, Ponemon Institute, June 10, 2009.
  2. Big Fat finance Blog: Playing the Human Factors, Alan Radding, October 13, 2009.

Cheryl Klein, CPA, CISA, CITP, is a governance, risk and compliance consultant and founder of GRC Consulting Services, which provides IT compliance consulting services.

What’s hot on Infosecurity Magazine?