The more I talk to customers and folks in the industry, the more I hear that compliance is emerging as a major IT issue.
Just a few months ago, the SEC announced that it was going to ask companies to report on cybersecurity and information risk in their filings. While there’s some discussion of how this will be received, I think it’s clear that we’re seeing the temperature rise on compliance.
Compliance puts the focus on IT as an audit issue. We saw this with Sarbanes-Oxley, and it just keeps growing. Since many controls are dependent on IT systems, if the control in IT is weak, the whole system is compromised.
So how do you strengthen your compliance and control?
Standardize and automate the processes managing IT
Control is all about process. But if you look at IT relative to other functions in the organization, IT is out of control. In many ways, IT is still a cottage industry. By that I mean that when something needs to get done in IT it often starts with a manual process and an order sheet. A lot of what is done in IT is artisanal, handmade work.
And this makes auditors very uncomfortable.
We’re reaching a point at which artisanal IT is giving way to the Industrial Revolution. Organizations are standardizing and automating IT because that delivers lower cost and faster time to market. The other benefit of these trends is increased control. With standardization and automation you’re now at a point where you can look at the quality of the processes managing your IT.
Get to know COBIT
As compliance becomes more of an issue for IT, we’ll see more of COBIT – a standard that has come out of the audit community.
COBIT used to define maturity levels in a way similar to other standards like CMMI. But with COBIT 5, which is now in pre-release for feedback, the organization responsible for COBIT is defining levels in a way that is much more compliance oriented. With COBIT 5 you’ll go through strict binary audits, process by process, and each process will either be in control or not. Preliminary testing suggests that it’s quite difficult to get a process to a state that would satisfy an auditor as being in control.
What’s going to happen, I believe, is that a lot of organizations will have to take a hard look at the state of their compliance.
Now many industries, such as banking, are already familiar with COBIT. I know one bank that runs everything in IT against COBIT controls and has a rolling audit process internally. But for others, it’s going to be a journey to a control mentality.
Change your mind-set to include control
Beyond embracing COBIT, there are other things organizations can do to improve control and compliance in their organization.
For instance, HP’s Executive Scorecard is all about better visibility and control. It provides executive-level metrics that actually track whether a process is within established tolerances or outside them. It features exception-based management, which is also very much a control notion.
Making these changes now will go a long way toward positioning your organization for the new shifts in compliance.