Front Lines is a guest viewpoint section offering perspectives on current issues and events from people working on the front lines of Canada's technology industry. Iraj Pourian is the President and CEO of Sierra Systems Group Inc.
Across Canada's business and public sector, Bill C-198's June 30th deadline has fuelled a new focus on compliance. While the U.S. Sarbanes-Oxley (SOX) act affected only some Canadian companies, Bill C-198 now makes compliance everyone's business. However, while many agree that such regulatory developments were right in principle, experience south of the border has shown that SOX has been burdensome to implement. In fact, it has been regarded as one of the most controversial pieces of legislation to hit a U.S. statute book, with debate raging around its reach, effectiveness, and implications. It is feared that Bill C-198 will have the same impact in Canada.
The Opportunity

A recent Deloitte study presents an interesting paradox. Wholeheartedly embracing the law, Deloitte points out, can actually be less expensive in the long run than grudgingly accepting it. This presents an opportunity for savvy organizations to use compliance to mitigate financial risk and create an environment of accountability while also increasing the organization's overall effectiveness.
Taking a closer look at Information Technology's role in compliance from this perspective shows us that the new legislation has created an opportunity to review all existing systems, break down information silos, and identify and eliminate redundancies and inconsistencies, all of which create an unnecessary level of complexity in any organization. This type of complexity can not only cause potential compliance pitfalls but can also drive up IT management costs and affect the ability of organizations to make informed business decisions quickly in a competitive market. Here is the key to Deloitte's paradox: taking the necessary steps to meet compliance requirements can help improve overall business performance and reduce costs in the long run.
How IT Can Seize the Opportunity

IT can and should do three things: support the business in the design and implementation of necessary controls; review the way IT does business and strengthen its own controls; and integrate business and IT controls.
Bill C-198 and SOX, while focused on controls, have roots in ensuring that risks in an organization, specifically risks that could result in a significant financial impact, are minimized. This legislation requires organizations to design and implement compliance strategies that address these risks and to assess or test the effectiveness of these strategies. While primary attention is given to financial, policy and procedural controls, it is generally accepted that operational and technology processes also hold significant risks which could result in financial error. IT systems suddenly carry a considerable amount of weight in the quest for compliance.
So how does IT strengthen its own controls? In a nutshell, while putting in place compliant policies and procedures is a must, achieving and maintaining compliance also requires strong IT governance, protocols, development methodologies, and change management practices. Since most of today's businesses rely heavily on IT applications to manage the business, this also means that strong organization-wide integration is no longer just a "nice-to-have." Such a sophisticated level of integration is now mandatory for anyone - public or private sector - who is hoping to effectively manage compliance requirements.
Overall effectiveness means doing the right thing; overall efficiency means doing things right.
These are not new requirements for IT; however, as competition heated up in most of Canada's sectors over the past few years, cost-cutting measures, the quick pace of change, and in some cases under-staffing have taken their toll on the strength of IT controls and their ability to mitigate risk. Even more than their private sector counterparts, public sector organizations have to deal with the added complexity of managing IT with limited resources across large geographical distances, often in widely heterogeneous technology environments. But failing to see the new legislation as a directive to get back to doing the right thing is a missed opportunity. Not surprisingly, a compliance strategy that relies on stronger IT controls is generally accepted to be more effective and sustainable than one that relies more on manual controls.
Integrating business and IT controls should start at the highest level. This can be done by increasing awareness of the short and long term benefits of strong IT controls at both the board and committee levels. Selecting a framework (e.g., COSO/COBIT) that serves as an ongoing industry-accepted guide, and remedying any shortfalls in key IT control areas that have emerged during the cost cutting of the past, are also crucial. Another important facet of a successful strategy is integrating the assessment of controls by not separating the business review from the technology review; the combination of the two provides a complete picture of the compliance situation. Finally, embedding a controls consciousness within all levels of the IT organization, in addition to the business organization, is a more reliable way to ensure long-term success.
Time is of the Essence

Since Bill C-198 requires that the design of internal controls over financial reporting be completed for financial years ending on or after June 30, 2006, time is now of the essence. While an organization's design for first year compliance may be under way, second year and onward compliance can still be rendered more efficient and effective by reliance on stronger IT controls. Experience on SOX projects is proving that long-term sustainability is almost as hard to achieve as first year compliance. Relying on technology controls as cornerstones means increased sustainability for the future since, once set up, technology tools tend to drive an organization to carry out processes in a consistent way time and again. Here lies the dual opportunity for IT: by leveraging IT, organizations are in a position to build a much stronger compliance model, and by establishing strong IT controls, organizations can better safeguard current and future success.
Given that C-198 is not bringing new directives to IT, most companies likely have at least some of the skills required to achieve compliance in-house. By working in conjunction with a corporate compliance team and external subject matter experts, organizations have the opportunity to leverage technology for a much stronger compliance model that more effectively mitigates risk.
The introduction of Bill C-198 to Canada's legislation is changing our country's business landscape. Undoubtedly there are challenges ahead for organizations in both the private and public sectors as they re-align their procedures, policies, and IT systems to achieve compliance. But the legislation creates a significant opportunity for IT; it is a call to action to place technology in the position it should occupy: a supporter of policies and procedures, an added layer of protection and control, and an enabler of efficiency throughout the organization. Approaching compliance from a standpoint of opportunity rather than burden is a way to re-energize the organization and create an environment of excellence. Like an inoculation shot, it might hurt a little in the beginning, but it's really good for you in the long run.