Top Five Corporate Compliance Challenges for 2010 and Beyond

by Cheryl Klein @ 2010-02-08

Category: Audit, Compliance, Featured Article

Corporate compliance will become an ever bigger concern in 2010 and beyond. Existing regulations are maturing: some, like HIPAA, are past their grace period, and organizations are now audited for compliance with them, while others, such as PCI DSS, are increasing their fines in the coming year.

Meanwhile, Congress will likely add more regulations to worry about, especially if you are in the financial sector.

Fines and new regulations won’t be the biggest challenges in 2010, however. No matter what industry you are in, expect to encounter these challenges in forthcoming years.

1. Waking up to spreadsheets

The number one financial reporting tool in the U.S. is the spreadsheet. However, spreadsheets are rarely under administrative control, are poorly managed, and are usually a big headache for auditors.

Many organizations fail to take spreadsheets into account when they start planning for compliance audits. Especially for small organizations that can’t afford lengthy, costly audits, ignoring spreadsheets will no longer be feasible.

A case in point is Chugach Electric Association, headquartered in Anchorage, Alaska. Chugach is a mid-sized company (about 330 employees) in the heavily regulated electric utility sector. While the business is a cooperative, it must still comply with SOX because of public debt.

Large organizations often spend millions to comply with SOX, an expense Chugach simply couldn’t afford. Instead, Chugach hired my consulting firm to help them streamline the process and trim expenses wherever possible. As we studied Chugach’s key controls, we found that many of them relied on spreadsheets.

This is not at all unusual. However, spreadsheet programs such as Excel leave document controls and change management out of the picture. This means auditors must manually test the integrity, completeness and accuracy of spreadsheets.

For smaller organizations, 2010 will be the year where spreadsheet control becomes a major challenge. Fortunately, solutions are addressing this issue, which we’ll cover below.

2. Cutting the high cost of audits

Auditing is expensive on two fronts. First, valuable employees are taken away from their normal jobs and shifted to supporting the internal audit. For many, this becomes a full-time job that takes weeks or months to complete. Auditing isn’t what you hired these employees for, and it is not the best use of their time.

Second, once the external auditors come in, if your controls are not in order, the expense to get them in line will be significant. With spreadsheets, for instance, an auditor will charge upwards of $200 per hour to manually test the accuracy and completeness of the data. This process could take hundreds of hours as auditors pore over formulas, tabs, references, indexes and more on each and every financially significant spreadsheet.

For Fortune 500 companies, the expense impairs competitiveness even in good economic conditions. What’s more, regulations aren’t confined to the Fortune 500. As SOX, HIPAA, FFIEC, PCI DSS, State Privacy Laws and other regulations filter down to mid-sized and small organizations, the cost of manual audits becomes prohibitive.

In 2010, organizations of all sizes will be shocked and challenged by skyrocketing auditing costs and will seek ways to manage those costs. The first place smart organizations will turn is automation.

3. Embracing automation

Automation is the single best way to keep compliance costs in check. Automation is also a case where you have to spend in order to save. Forward-thinking organizations will realize that small upfront costs will pay for themselves many times over in the future.

When I worked with Chugach, I advised them that the best way to keep their compliance costs reasonable was through automation and repeatable processes. With spreadsheets being a key problem area, I pointed them towards Brainloop’s virtual data room (http://www.brainloop.com).

A Web-based application, Brainloop is a collaborative tool that places security controls over key documents, including spreadsheets. By moving spreadsheets into a Brainloop data room, Chugach had an easily verifiable process in place to show auditors that controls and change management were layered over their spreadsheets.

The result is that Chugach now knows exactly who owns a document, who has the right to modify it, and when changes were made and by whom. By adopting controls like this, compliance and document security are built into the document creation and maintenance process.

Instead of testing each and every spreadsheet, the auditor must only validate that the process is working. Compliance is achieved in 30 minutes rather than hundreds of hours.

In addition to adopting new technologies, organizations will look harder at the business enterprise software suites they already have, drilling deeper into their feature sets and leveraging the automation they’ve already paid for but haven’t, until now, had the incentive to use.

4. Establishing effective document controls

According to a recent survey by the Ponemon Institute*, employees routinely engage in activities that put sensitive data at risk. More than 60 percent routinely download data onto unsecured mobile devices, which are often unsecured because 21 percent of employees turn off the security tools those devices may have, and 43 percent admit to having lost data-bearing devices.

Sensitive data is routinely put at risk, and if organizations luck out and don’t pay the price through a data breach, becoming the next TJX, they’ll certainly pay for it come audit time.

This is a tough problem to cope with because it is not simply technical. Employees don’t move data onto unsecured peripherals and mobile devices to be malicious, and they certainly don’t lose those devices on purpose. Instead, employees are trying to do their jobs with the tools they have at their disposal.

In 2010, organizations will realize that document security automation is necessary to keep costs in check and to establish corporate oversight over documents; they'll also learn that not all security practices are created equal.

If the price of document security is that it places productivity burdens on employees, the cost-benefit ratio will probably weigh too heavily towards costs.

As business finance commentator Alan Radding notes, the same human factors that promote unsafe data practices – the desire to work quickly, effectively and efficiently – can drive users to comply with security protocols, provided those protocols are implemented within a transparently secure work space that automatically delivers productivity tools.**

In the coming years, expect this challenge to be met in one of two ways. Forward-looking companies will learn from those who have come before them. They will adopt document compliance management software that helps, rather than hinders, employees as they do their jobs. Services from the likes of Brainloop, EtQ (http://www.etq.com/) and Proquis (http://www.proquis.com/) will make handling sensitive data in a secure manner simple enough to become second nature. Organizations that adopt them will also enjoy streamlined and inexpensive audits.

Slower-moving organizations will ignore history and neglect automated tools that balance security with productivity. Their employees will routinely put data at risk by actively avoiding cumbersome corporate controls. They will improperly store and share data, and the challenge these organizations will face will be the price they pay through IP theft, data breaches, expensive audits and fines.

5. Balancing compliance with the bottom line

Not only will organizations that are slow to adopt automation suffer through expensive audits and possible fines, they may also slip competitively. Automation may be embraced solely for compliance, but that doesn’t mean its benefits are confined to compliance. Improved security, streamlined workflows, automated change management, better transparency and increased productivity all result from the proper deployment of automated tools.

In the coming years, these benefits will accrue into a competitive advantage for proactive companies, especially if they take the money saved at audit time and devote it to research and development, employee retention and customer service.

Slow-footed companies risk being left behind; the challenge will be whether they can solve their compliance challenges quickly and effectively enough to catch up in the marketplace.

* Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security, Ponemon Institute, June 10, 2009

** Big Fat Finance Blog: Playing the Human Factors, Alan Radding, October 13, 2009 (http://bigfatfinanceblog.com/2009/10/13/playing-the-human-factors/#more-659)

About the Author

Cheryl Klein, CPA, CISA, CITP, is a governance, risk and compliance consultant and founder of GRC Consulting Services, which provides IT compliance consulting services.

1 comment on this article:

  1. Interesting article, and I think all of these issues will be significant.

    In 2009 we conducted workshops with many of our members — we’re a non-profit membership association for compliance professionals — about what they feared the next big issue will be.

    The results were interesting, less for what the specific issues are than the commonality of the solutions.

    The report can be downloaded for free at: http://www.corporatecompliance.org/AM/Template.cfm?Section=Surveys&Template=/surveyform.cfm&survey=NextBigIssue
