Every CIO and CTO pondering how to get their company into compliance with the dizzying array of federal privacy, security, and disclosure legislation will tell you these federal laws are vague and ambiguously written.
Ted Frank, CEO of Axentis, will tell you that’s no accident. “The federal government has written ambiguity into these laws,” Frank said. “They did it because they want the private market to develop the best practices. So the private market develops a practice and the federal government gets to pick and choose, say that’s what they wanted or, no, that’s not what they want. Over time, there will be clear processes. Meanwhile, there will be a lot of process evolution involved.”
And that evolution is easily turning compliance into the measure of which corporation will be fit to survive. Guess right, and your company remains in compliance and can continue toward its more business-like goals. Guess wrong, and it’s time spent before federal grand juries, heavy fines, and jail time, while the company goes down in disgrace.
The laws are there—some spawned by privacy concerns, others by the disgrace of major financial institutions, and still others by perceived and very real terrorist threats. Many more laws are pending before Congress. Their names read like ASCII at times, but the ones that will keep an IT professional up most nights are:
- Gramm-Leach-Bliley—Limits financial institutions' ability to disclose "non-public personal information" about customers to third parties. The same financial institutions also are required to tell customers about their privacy policies.
- Health Insurance Portability and Accountability Act (HIPAA)—Requires physicians and other healthcare professionals to take measures to protect the security and integrity of patients' private information kept in electronic form. This law has been phased in over the last eight years, and the final privacy provisions take effect in October.
- USA Patriot Act—Extends law enforcement's surveillance and investigative powers. It also, for the first time, makes businesses responsible for seeking, detecting, and reporting computer trespasses. Banks in particular are expected to identify, discover, gather, amass, investigate, and report on financial activity to a far greater degree and depth than ever before was expected of them.
- Sarbanes-Oxley (SOX)—Enacted in large part as a response to U.S. corporate and accounting scandals, this legislation requires that companies become more fiscally accountable. Whistle-blowing and other provisions have made this law particularly controversial and difficult to enforce.
“Sarbanes-Oxley was the straw that broke the camel’s back,” Frank said. SOX, with provisions including the infamous section 404 (requirements that companies document and assess their control environments), is easily the single most important piece of federal legislation on corporate governance, financial disclosure, and public accounting since the U.S. securities laws of the early 1930s. Much has been written and said about how to remain in compliance, and quite a few lawyers expect to make a lot of money as corporations try to make their way toward compliance.
Axentis got into the compliance business a few years ago, just as the bulk of the legislation began to show it had teeth. “When we first came up with the idea, people asked us if there really was a market for this,” Frank recalled. Since then, Axentis has implemented its enterprise software across a broad range of complex organizations that represent over 500,000 users in more than 100 countries and territories. More Fortune 1000 companies use Axentis for corporate governance, compliance, and risk management than any other compliance software company. Frank has written about compliance, including "An Enterprise Approach to Compliance Management," which he coauthored with Axentis founder Steve Lindseth.
A well-established habit that companies have adopted when pursuing compliance is to do all they can to stay out of trouble but to not draw much attention to themselves as they do it, Frank said. “People tend to look at this as a discrete process,” he explained. Faced with some very scary penalties, including possible jail time, no one wants to be singled out as the one who guessed wrong. So companies try to stay on the right side of compliance while keeping the corporate head down. “Companies don’t want to gain visibility for these processes,” Frank said. “They won’t stand up before Congress and say, ‘we have a good, clean process.’”
But that is exactly what these federal laws are expecting of the corporate community, Frank said. Private industry is expected to not only foot the bill for much of this legislation but to determine the best practices and means toward compliance.
Frank said one of the greatest obstacles to compliance is the dry, vague, and ambiguous way in which the legislation is written. But he said the accepted “standards” are not much better. As an example, he cited the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is widely considered the global standard of internal control and is recognized by the SEC and the Public Company Accounting Oversight Board for corporations to use in their efforts to meet Sarbanes-Oxley's reporting requirements. It also makes for “terrible reading that will put you to sleep,” Frank said.
However, hidden in that dry read is a brow-raising fact that many C-level employees find surprising: The federal legislation, vaguely written as it is, spells out what Frank calls “the seven elements of compliance.”
“It’s all there,” Frank said. “When you wind up in court and they are deciding fines and jail time, these are the enforcement standards they will use. These are the standards the judge will use to sentence you.”
In other words, Frank said, if your company, your boss, or you end up in front of a judge charged with noncompliance with any of these federal laws, being able to show you have tried to achieve these seven points will make the difference between acquittal and imprisonment. The points are:
1. Organize all policies on controls and procedures by process
Determine the company’s existing guidelines for identifying, designing, and maintaining controls and procedures used to ensure that transactions are properly authorized, recorded, and reported, and that assets are protected against unauthorized or improper use. Where these guidelines don’t already exist, they need to be established. This can mean a change in corporate culture if many of these processes are fragmented. “Don’t do it that way,” Frank said. “Manage it in one place.” This can be an awesome task, Frank said. One Axentis customer identified about 5,000 material processes as part of its struggle toward SOX compliance. “You would think you could never find that many,” Frank said. “But they might be there.”
2. Show high-level oversight
C-level employees—especially CIOs and CTOs who are expected to develop and implement a company’s compliance technology—must establish and maintain internal disclosure controls and procedures. This is particularly true in the financial industry, where companies are expected to make doubly sure their financial reporting does not contain false statements or omissions of material fact.
3. Decentralize administration and show proper delegation
Frank recommends identifying key people within an organization and delegating discretionary administrative authority to them. This “disclosure committee” should be responsible for identifying the importance of corporate-held information, determining what needs to be disclosed, and disclosing it on a timely basis. “Unless the people on the ground floor are included, unless they feel ownership, it’s not going to happen,” Frank cautioned. “It can’t happen from the top down.”
4. Establish and maintain effective communication channels
Those in a company who have a significant role in the organization’s control system need to fully understand all the relevant disclosure controls and procedures. This standard means the company will need to show it has taken steps to make sure these key individuals are kept fully informed and trained on these controls and procedures.
5. Auditing, monitoring, and reporting
Auditing means getting out and finding out what’s being done, monitoring means making sure it’s being done, and reporting means full disclosure. All three are key points to the steps toward compliance, Frank said.
6. Show uniform enforcement
This is a very critical step, Frank said. A company’s controls and procedures must be enforced. When exceptions or weaknesses are discovered, they must be addressed, and the corrective action taken must be consistent. “If someone commits a violation in Unit A and someone else commits a violation in Unit B, then you’d better deal with both violations uniformly,” Frank warned. “If you fire one person and not the other, then you are asking for a lawsuit.”
7. Continuous improvement
Now that you’ve established all the above, develop ways to constantly and consistently evaluate where the company is and where it needs to go. “Make sure you have due diligence around the processes,” Frank said.