The following is a series of questions that Julie Gable asked me to respond to for an article she was writing for the Association of Records Managers & Administrators (ARMA) Information Management Journal. Julie is a widely respected expert on electronic records management and compliance. I thought the questions along with my responses might be useful and provide a snapshot of some of my thinking regarding compliance, records management, and how organizations are addressing these challenges.
1. Tell me about your company, where is it based and what do you do?

Compliance Solutions Group is based in Reston, VA (the Washington D.C. metro area). Compliance Solutions Group (CSG) specializes in implementing document, records, and business process management solutions that address compliance with the Sarbanes-Oxley Act, SEC and NASD regulations for publicly traded companies and financial services businesses. As recognized authorities on compliance, document, records, and workflow management, CSG brings practical experience, thought leadership and technical expertise to every engagement. Our projects can be delivered in weeks or months, not months or years. CSG is a subsidiary of Applied Information Sciences, a 25-year-old software engineering firm and Microsoft managed Gold Partner (www.appliedis.com), which has completed hundreds of enterprise solutions on-time, on-budget and on-target.
2. What compliance regulations do you deal with in your work?

We typically focus on DoD and Federal regulations for our Federal Government customers. For our commercial customers we focus mostly on addressing SOX. Our business mix is approximately 50/50.
3. How are your clients/customers approaching compliance? Is there a compliance officer? Is it a team effort? Who participates?

For government: most often the Records Manager is driving the need for compliance with the Federal Records Act. In other scenarios business executives are seeking business solutions and they know implementing a DoD certified solution is required. For commercial clients we are seeing Chief Risk Officers and SOX Program Managers primarily focused on addressing SOX compliance. Their primary goal is reducing the year-over-year costs to manage the program. We have found that many are not that aware of the document and records management implications of SOX and the coinciding guidance from the SEC. I have produced a white paper called “Boiled Sox” which extracts the sections of the SOX Act that specifically relate to DM and RM, and we provide this to our clients. In many cases they are surprised, while in other cases they know they need to do something but are not sure what.
4. Are there models or processes that companies have used successfully in their compliance initiatives? Can you describe these? For example, identifying what the law requires, identifying the processes involved, determining the controls needed, identifying what is needed for reporting, etc.

Many companies that we work with to implement our Compliance Toolkit™ for SOX are in year 2 and beyond on their SOX compliance program. Most have very mature, well defined and documented processes for reviewing their SOX related business processes and for testing the effectiveness of their internal controls. What has not been that successful is the amount of automation used to support these processes and the integration of document/records lifecycle management. Many are using spreadsheets to track the status of their compliance initiatives, using file shares as a document repository, and using email as a workflow tool. One client is using a model similar to the Software Engineering Capability Maturity Model (i.e. CMM Level 2) to model his program and methodically mature the processes over time. His model sets a goal of maturing the program each year, with year four becoming steady state.
5. Have standards played a role in the compliance efforts you’re familiar with (e.g., COBIT, ISO 15489, ISO 17799, etc.)? If so, what purpose have standards served and how have they helped or hindered compliance efforts?

COBIT is becoming important to many clients in their second and third years of SOX with the increased attention to the IT dimension related to SOX by the external auditors. We do not see much interest in ISO 15489 or 17799. The DoD 5015.2 STD still shows up as a standard that commercial clients are using to select and narrow the field of potential RM vendors or ECM solutions with RM.
6. At what point in the process (if any) does records management come into play? What are the biggest concerns (if any) that surface regarding recordkeeping and proving compliance? How are these concerns met?

Surprisingly, we have only seen a few companies addressing SOX who have an appreciation for the RM dimension of SOX compliance. In many cases we are educating them and getting the RM folks involved. We are working to develop a Compliance Toolkit ROI Calculator which will help clients more effectively evaluate the potential ROI of automating their compliance activities.
7. Companies that have put SOX controls in place now realize the cost of resources needed to maintain those controls, and this is probably true for compliance with many other regulations as well. Are you seeing increased emphasis on cost control in compliance efforts? If so, what remedies are your customers/clients considering?

Yes – we are seeing an increased emphasis on controlling these costs. Another aspect that is being looked at is improved risk management. Many are seeking IT solutions to help them reduce costs by pushing the activities and responsibility for process reviews and controls testing out to the business. The clients we are working with are considering workflow and business process automation technologies to help them automate the tracking and processing of tests, controls, etc. in their SOX programs. There is also a great deal of interest in providing better reporting for senior management, the Audit Committee, and the Board, with more detailed insight into the underlying details that are summarized in the reports.
8. What trends are emerging for compliance practices? Is there greater emphasis on centralized efforts than previously? Is there more emphasis on process automation and technology for monitoring controls, reporting, etc.?

The trends we are seeing include centralized command & control of the compliance programs with a strong desire to distribute the responsibility for compliance, testing, and oversight to the business owners. The folks charged with administering the compliance programs cannot continue to manage all aspects of these programs. Many have been supplementing their staffs with temporary help and cannot continue to fund this. Another key concern is their experience of spending over 95% of their time gathering, tracking, and preparing reports while having little time to review the accuracy of the information, provide analytical review of it, identify trends and draw conclusions.
9. What advice would you give non-US firms and the small and mid-sized firms that will be contending with compliance issues? Are there key policy elements or practices that will save them grief?

Small to mid-sized firms should seek out both professional functional and technical help early and not try to go it alone. Many small and mid-sized accounting and financial services consulting firms have produced templates, best practices, and prototype frameworks that can jumpstart a small to mid-sized firm quickly and more inexpensively. Applying IT and RM technologies early can ensure that the documents and documentation required for SOX compliance are managed effectively.