Driving IT priorities - Lee Dittmar
The surge of top-level concern about information technology (IT) can be explained in two words: governance and compliance. The past few years have delivered corporate leaders two rude awakenings about information and the technology that enables its production.
The first is that boards of directors and executives are being held to higher standards than ever before. They are expected to be well-informed and knowledgeable about what’s happening in the enterprises they oversee and manage, and they’re being held more accountable for surprises and setbacks, frauds and failures.
What’s more, executives and boards must oversee compliance with a plethora of legal and regulatory requirements, some of which affect IT directly and many of which have implications for IT usage and management.
Indeed, the Sarbanes-Oxley Act of 2002 is particularly notable for its wide-ranging IT impacts. And, to execute on their responsibilities and meet raised governance expectations, corporate leaders urgently need accurate, reliable, timely and transparent business information.
The second rude awakening is that many companies’ IT infrastructures are not up to the task of providing the high-quality information desired for efficient and effective compliance and governance. It’s as if a bright light has suddenly been turned on, and there, in plain view, are a number of pervasive issues concerning the state of IT. These are not new issues, but under the light of increased governance and compliance needs, their impact is profound.
Spurred by governance failures and new compliance requirements, business leaders everywhere are starting to critically examine their companies’ approaches, philosophies and positioning concerning IT. And, it’s not about how to lower IT costs; it’s about better aligning IT with business needs — particularly governance and compliance needs.
What Does IT Have to Do with Compliance?
That there is a relationship between IT and compliance may be self-evident to some, but it’s also complex and confusing. Some compliance requirements have a direct impact on IT management. Then, there are the many laws and regulations that affect the way IT is used to enable business processes. Records management laws and regulations, for example, have obvious IT implications, while other general and industry-specific compliance requirements that affect IT are too numerous to list.
Increasing regulatory challenges have spawned a corresponding rise in compliance-focused IT offerings. Analysts covering the software and professional service industries are swamped with vendors clamoring, “We can help with compliance. Review our products now!” Conferences continue to draw attendees seeking to understand how IT can enable compliance at their companies.
But before looking at how additional software can help with new compliance demands, it is illuminating to first examine how well existing architectures, infrastructures and strategies meet the underlying legal and regulatory objectives.
Consider many companies’ experience in their first year of Sarbanes-Oxley Section 404 compliance. Financial reporting processes depend heavily on technology, so examining those processes for Section 404 compliance forced companies to perform a thorough review of financial systems, IT business processes and data. Based on Deloitte’s experience, the news wasn’t particularly good.