Hello out there!
Summer vacations are over for most of us, so it’s back to work! I had a call yesterday with some analysts at AMR, and it was a very interesting exchange. Here is one of the interesting topic areas of the talk.
Sarbanes-Oxley 404 Compliance. We agreed that far too much focus is being applied to tools and approaches for automating the audit of compliance, and not enough attention is being paid to eliminating the source of non-compliance.
As a CPA and former auditor, I believe the best approach to creating effective compliance (conformance) is to eliminate the root cause of the problem–which is almost always poor policy and process execution across IT.
IT is very fluid, dynamic, and incredibly complex. Establishing a “policy” and audit checkpoints for compliance without automating the processes is an exercise in frustration. Who will comply? How will you get them to adopt the new processes? What happens to them if they don’t? How will the policy and processes be kept current as the organization, workers, technology, market, and regulatory requirements move around? How much ongoing work will all this require? Should anyone be surprised that year 2 of Sarbanes is projected to be more expensive than year 1? Just thinking about this gives me a headache.
Let’s elevate our thinking. We have lots of stuff to comply with, and more will come along. That stuff will continue to change–and each requirement will have some body of policy to comply with. This includes external compliance drivers like Sarbanes, but key internal drivers as well such as enterprise architecture, security, and the IT governance model.
There is a better way. You can automate compliance, get rapid adoption of policy changes, and improve IT-wide efficiency all at the same time. How? By automating the work of IT, and including policy compliance adherence as a normal step at the start of the workflows.
Here’s how we helped one client, a Global 2000 retailer, do just that by leveraging an enterprise-wide ITIL change management approach (with the technology they already owned). They wanted to improve IT efficiency AND automate Sarbanes 404 compliance. We turned to COBIT and ITIL as logical, de facto standards for guidance, distilled a policy set of what mattered most to the client, and eliminated redundancies to yield a simplified process framework. We then brought the policy to life by updating processes to reflect the changes, and automated the processes with technology–driving the IT organization to 100% adoption of the new policy in two weeks–a major cultural change! We drove efficiency by empowering those requesting changes to self-serve, and created an automated risk / materiality calculator to route proposed changes accordingly.
The Business Value of IT? The customer went from less than 20% policy compliance to 100% in two weeks, and got a 30% efficiency gain in processing changes across IT. Even more, accuracy, agility, and quality have improved as well, while business continuity risks have significantly fallen.
As always, there is astounding value in getting IT to work as one unit end to end, but most organizations still don’t realize that their enterprise approaches to delivering the products and services of IT are really only silo-to-silo handoffs, each with its own homegrown processes and data sources, with no high-level visibility, no baselines, no common understanding, terrible inefficiency, and no ability to consistently improve and adapt.
But, every day, a few more get it. Keep the faith!
Don Casson