Once upon a time (actually not too long ago) a company and its audit firm lost their marbles indulging in innovative accounting and logic-defying practices. The event resulted in the former shutting down and the latter being dismantled. Hapless citizens and investors who had put their faith in these two lost their financial safety nets and were left poorer. The aftershocks felt by the rest of the corporate world created an industry around consulting services. SOX became a bad word for all CXOs, and everyone dreaded facing audits. Compliance gained prominence, and everything else became subservient to it.
IT, being the foundation of the processes and information that enable the enterprise, came under the scanner. It was not enough to demonstrate that data integrity and consistency were maintained; it was also important to provide evidence that others in the organization had not violated processes in ways that could result in a potential loss of control. Thus, as the custodian of the physical information assets and the administrator of the logical processes, the IT organization had to fend off auditors of all types at unnerving frequencies.
The FUD factor
Consultants thrived on the FUD (Fear, Uncertainty, and Doubt) factor, as non-compliance had severe ramifications for the CIO, CFO, COO, and the CEO. Perceptions of risk heightened the tension, as any risk classified as high needed immediate attention. Tolerance levels of Boards tended to zero, and Risk Committees hounded the functional heads to comply with the written word; the functional heads, in turn, turned to the CIO to address the sane and the inane alike.
Whether it is an internal, statutory, or third-party audit, the basic intent is to review whether process execution is consistent with good practice and compliant with stated policy. Additional frameworks on quality, process maturity, security, and other areas provide the enterprise incremental value over competitors. Policy, once stated, requires alignment with the real world to ensure relevance; thus, periodic review is critical. When regulatory restrictions impose process changes, as in the case of SOX, PCI-DSS, or HIPAA, the enterprise has little choice but to comply. Some industries are more regulated than others; some companies pride themselves on their GRC frameworks, while the rest follow the path of least resistance.
Options for CIOs
So what are the strategies the CIO can adopt to ensure that s/he does not get beaten up at every audit? CIOs should partner with their Internal Audit teams to work with each functional head and process owner to review and validate not just the process, but also the management of exceptions. If Internal Audit is unable to provide the necessary attention, seek external help, but do not ignore it. S/he should create clear accountability and transparency for every task across the cross-functional teams involved in the execution. It is important to note that people are the weakest link in any process discipline. Internal process champions or BPM experts are invaluable in the quest for excellence.
Compliance is non-negotiable; our shareholders and regulators expect every part of the enterprise to conform to the laid-down policies and principles. Good corporate governance expects no exceptions; despite all the controls, we still come across black swans that disrupt the equilibrium and raise the difficulty level. Unfortunately, the enterprise CXOs and the CIO have no choice but to run faster just to stay in the same place.