Most companies have the right idea about compliance, and are trying to do the right things, but without the data systems in place to prove their compliance, they're vulnerable to already suspicious auditors.
Are you in compliance right now? How do you know?
Would it surprise you to find that the average cost of each compliance failure is $80 million? That's the estimate, according to a study of companies with revenues of $1 billion or more, conducted by META Group Research (now part of Gartner) for PriceWaterhouseCoopers.
In my years of experience consulting with clients to fortify their compliance programs, I've noticed three general weak areas: people, processes, and data systems, with data system being the largest culprit. Most companies have the right idea and are trying to do the right things, but without the data systems in place to prove their compliance, they're vulnerable to already suspicious auditors. Here are some key tips to put your data systems in order.
Let internal auditors run the show
There may be a white hat audit group in your company. This could be internal audit or a subgroup of the legal or finance department. Whatever it's called, this is the organization that's responsible for making sure that your company can survive an audit. So, it is critical that you design your system from their point of view. Do not shoehorn your existing systems to fit your compliance reporting requirements, build them from scratch with the auditors' perspective in mind.
Work with your internal audit team to role-play audit scenarios. You might even have an audit checklist or self-assessment that can be leveraged. If your company is somewhat sophisticated, you'll actually have an audit plan in place that can be used to clarify the outcomes for your data system. Use all these tools to start building the requirements for your system. Here are some key requirements your internal audit team will look for in a data system:
- Evidence: You will need to prove any claim you make, and physical evidence is the way to do it.
- Indexing: Auditors need the ability to find information quickly.
- Supporting details: Most inquiries start at a high level then drill down to the details.
- Point-in-time reporting: Most inquires are based on a certain period in history.
Repurpose business intelligence
If you already have a developed business intelligence and data warehousing department, you have most of the necessary components for putting together your data system for compliance. Business intelligence is about reorganizing the data captured in your transactional systems for the purpose of strategic analysis and reporting. Compliance reporting is very similar; however, instead of satisfying the strategic needs of the company, you're satisfying the regulatory requirements of an outside agency.
Leverage these well-developed data warehousing concepts when designing your system for compliance:
- Operational data store: The operational data store is your first stop in your transactional systems. It collects data from disparate sources into a unified representation of an enterprise concept. For instance, this is a great place to converge controls and get a holistic snapshot of your current compliance status.
- Enterprise data warehouse: The enterprise data warehouse is where you satisfy your point-in-time reporting requirements and start building aggregates for summary compliance reporting. Take extra measures when doing transformations to transition slowly and build supporting data structures that justify each step of the way.
- Data marts: Specific data marts can be placed downstream from the enterprise data warehouse to handle specific or unusual compliance requirements. For instance, you can build a Sarbanes-Oxley data mart specifically for the purpose of addressing Sarbanes-Oxley compliance. It may sound odd to converge controls just to diverge them again; however, this type of architecture fortifies your compliance. You can always fall back to the enterprise data warehouse to justify anything reported from your data mart.
If you're exposed from a compliance standpoint, most likely your data systems are weak. The good news is that you can take immediate measures to fortify your data architectures for compliance. Let internal audit drive the requirement and leverage your existing business intelligence resources. In no time, you'll have a compliant company, happy auditors, and a good night's rest.
John Weathington is president and CEO of Excellent Management Systems, Inc., a management consultancy that helps executives turn chaotic information into profitable wisdom. For over 20 years, John has been an information management consultant to clients of all sizes, including Fortune 100 icons such as Sun Microsystems, Cisco, and eBay. For more information, please visit http://www.xmsystems.com.