Archives ||About Us || Advertise || Feedback || Subscribe-
Issue of March 2005 

[an error occurred while processing this directive]

 Home > Cover Story
 Print Friendly Page ||  Email this story

IT's role in compliance

The technological trail to compliance

Organisations can employ IT tools to comply with regulations. CIOs can benefit by hiking on this technological journey. by Soutiman Das Gupta

Be it a bank, a manufacturing concern, a pharmaceutical company or a service provider—all must comply with the guidelines that the government, corporate governance, internal company policy and third party standards organisations have laid out. Compliance also implies proof in the form of reports, logs, and audit trails that have to be as transparent as possible. Here's where IT steps in.

Most regulations state that information must be saved, retrieved, stored and delivered in an appropriate format. It must be kept secure over time. IT has the tools and processes that can streamline an organisation's efforts to re-engineer itself and meet mandates.

The basics

The IT route to regulatory compliance involves the use of controls and monitoring. "Effective compliance with regulatory policies involves the implementation of internal process controls and monitoring the exceptions for corrective action. The objective is to ensure that the information submitted to regulatory authorities is accurate," explains Arvind Tawde, CIO, Mahindra & Mahindra Ltd.

The pre-requisites for compliance are:

  • Capturing and recording information from various business areas such as sales, marketing, finance, accounts, and HR
  • Preserving information integrity to guarantee that information has not been tampered with without authorisation during storage or transfer
  • Preserving information security to guarantee that information will not be lost or pilfered (See box: Security compliance for more information)
  • Keeping information available and retrievable at all times so that reports can be generated and audit trails logged

The above pre-requisites can be met by using enterprise applications, a storage infrastructure, and a security infrastructure in tandem.

Where IT can help

The key is to identify the aspects or areas in the regulatory framework that can be complied with the help of IT (software, hardware, processes). Documentation and records management, information storage and management, business process management, risk management and Business Intelligence (BI), information security as well as business continuity come under this heading.

CIOs can identify these areas by coordinating with other business heads. This way, he or she can deploy IT effectively. For all banks, preventing fraud and implementing anti money laundering measures are two important aspects of the efforts being made to prevent criminal misuse of the financial system which threatens the stability of financial transactions worldwide.

"The emerging scenario under the Basel II accord and the need to use supervisory resources more productively are prompting banks to move to a risk-based supervision environment," says Kapil Bhatia, Manager IT, Syndicate Bank.

Here the CIO must deploy risk management systems and analytical tools that have reporting and predictive capabilities.

Thomas Cook's road to FEMA

Selling forex is a prominent activity at Thomas Cook. This line of business is governed by the Foreign Exchange Management Act (FEMA).

Anil Nadkarni, the Head of IT at Thomas Cook has built an elaborate IT infrastructure that maintains detailed records of all currency purchases made by customers, and stores this information for the mandatory eight years.

The Reserve Bank of India (RBI) monitors the sale and purchase of foreign exchange and it has fixed limits and restrictions on foreign exchange purchases by Indian citizens. To keep tabs of purchases at Thomas Cook offices nationwide, the company has built a centralised DB2 database. It has a customised application that it runs on the WebSphere application server on 16 IBM servers that are hosted at Comsat Max's data centre in Vashi (Navi Mumbai).

Comsat Max's VSAT network, and Bharti Televentures' terrestrial network for redundancy maintain inter-office connectivity. The performance of the IT infrastructure is monitored 24x7. Nadkarni carries out periodic audits.

Nadkarni says that Thomas Cook's nationwide network give him the ability to remotely print a plane ticket at any company location. Although the technology is willing, (so that a traveller on the move can pick up the ticket at a different city) regulations do not permit the company to offer this service.

Deploying IT for compliance

Complying in an effective manner with regulations involves implementing internal process controls and monitoring exceptions to take corrective action as and when required

Arvind Tawde, CIO,
Mahindra & Mahindra Ltd.

Manish Bapat, Business Manager for NAS & CAS, EMC India and SAARC says, "The CIO should be IT savvy and have a strong financial background. This is because many regulations, notably Sarbanes-Oxley, require a solid knowledge of financial records."

If a CIO does not have that foundation, compliance with SOX can be intimidating. In such cases, the concerned CIO needs formal training in financial operations.

"IT should be able to provide clean data and set up a reliable storage infrastructure," says Vineet Khanna, Risk Management Specialist, SAS India Pvt. Ltd. "The use of software with good reporting and analytical capabilities helps."

Enterprise applications—ERP, CRM, various financial applications, and SCM—capture relevant data. Enterprise storage infrastructure has to ensure that the data is managed reliably, and that the data is not tampered with.

Take the example of how Tata Motors makes IT work for it in this regard. The manufacturing major has to comply with statutory guidelines as well as national and international standards. Tax Laws, Company's Act, Labour Wages Factory Act, SOX, ISO 9000, ISO 14001, and many others impact the company.

Tata Motors runs numerous IT applications that support business processes from product design and development (CAD/CAM/CAE), through Product Life Cycle Management, ERP, CRM, and Web-based applications.

The functional process owners from each of these areas and the IT team work together while designing requirements including those that concern regulatory compliance.

"The regulatory requirements for compliance are identified based on a comprehensive requirement analysis with the customers of IT services during the design stage of any application system," explains Probir Mitra, GM-IT, Tata Motors.

Many organisations prefer to use the services of an external consultant. Syndicate Bank used a consultant to help identify areas where IT can contribute, and Siemens Limited used a consultant who provided the initial guidance.

Maintaining harmony

Compliance efforts can only succeed if all departments work harmoniously. Most regulations affect multiple areas of business--accounts, finance, materials, and purchasing. Within each area, these regulations cover micro-aspects. The CIO must organise inter-departmental meetings where business leaders are asked to present, and even attend training sessions, to clarify what the specific requirements are from the IT department.

Coordinating with external consultants and auditors is critical as they play an essential role in validating the process.

In Siemens Limited the overall responsibility of coordinating SOX compliance lies with accounts. As SOX is applicable to the entire business, including IT, the IT department had to coordinate with other departments.

Probir Mitra of Tata Motors had to coordinate with several internal departments including engineering research, quality assurance, finance, HR, internal audit, and an external consultant to understand the compliance needs of all the business areas in his organisation. This effort made it easy for him to build the solution.

Tools of the trade

We did not avail of the services of a third-party consultant as we found that the required expertise existed in-house

Anil Nadkarni, Head IT,
Thomas Cook

The correct IT approach to compliance is a mix of IT solutions, strategy, and processes.

"Consolidation is the first step to compliance. When content is scattered across hundreds or even thousands of servers, meeting the requirements for compliance and legal risk management becomes substantially tougher," explains Bapat.

So there is a need to consolidate data in a separate storage infrastructure that preserves content and data for all applications running in an organisation. Going forward, a comprehensive and adaptable risk management infrastructure must be built that combines three ingredients.

The infrastructure should be sufficient to establish consistent and flexible strategies for archiving content; it should take care of disaster recovery. (See box: ‘Business Continuity’ for more information)

Search facilities are typically used to compile information regarding compliance to meet auditing requirements, restore lost data, perform periodic risk assessment reviews, and collect information for discovering evidence.

A capable workflow management facility is typically, the most effective tool for implementing policies to retain or dispose information. These policies are required to comply with most regulations and certification processes and to manage discovery risk.

A comprehensive and adaptable risk management infrastructure must combine three ingredients. It must be built on the right architecture, include (or provide a roadmap for) the right tools, and be supplied and supported by the right vendor.

BI, business analytics, and risk assessment tools that use a reliable data warehouse can provide such an adaptable infrastructure.

Versioning provides a coarse-grained method for summarising the process that an item of content undergoes in getting to its current form. Lifecycle auditing provides a similar function, but in a fine-grained manner. Together, they provide historical information required by many regulations and they can be useful in gaining a better understanding of the context in which specific content was created and used.

Categorising unstructured content is critical in ensuring that content is appropriately managed.

For most regulations, establishing and implementing policies regarding compliance is typically necessary but not sufficient by itself. The policies and the procedures that are used to carry these out must be comprehensively documented. Such documents are a required deliverable during regulatory audits. Enterprises can use tools that permit the digitally mapping of working instructions, and other processes that were previously issued on paper. These tools can consolidate database content into a central list. Data from a range of different applications such as SAP and Crystal Reports can be consolidated via universal print interfaces.

To comply with tax laws, auditors must have access to data relevant to tax matters. Digital data must be securely archived for auditing and be accessible to tax auditors. Software can be used for secure archival with features such as an online search, reporting with the option of storing data in a universal interchange format. Tax-relevant data may be extracted from the original data set and personal data can be hidden.

(See box: ‘Tools that aid compliance’ for more information)

Business Continuity

Business continuity can ensure that no critical information is lost in the event of system failure or a natural disaster. CIOs should look at the following to develop a business continuity plan:

l Make lists of critical, moderately critical, and applications that aren't critical on their organisation's network

l Create a check-list of incidents (Such as earthquake, fire, flood, bomb blasts) that may occur

l Decide the criticality of an incident based upon historical data and current developments

l Based on the criticality of a business set up, a Disaster Recovery (DR) site can be set up at a remote location

l Make a plan so that mission critical assets are up and running as soon as possible

l Assign personnel with clearly defined responsibilities and train them

l Perform dry runs to see if the plan is workable

Reengineering Processes

Compliance to a particular policy requires some degree of system and process reengineering. The level of reengineering depends upon how mature an IT department is before its compliance efforts kick off.

Partially computerised organisations will typically need lots of system deployments and a lot of reengineering of manual processes. Organisations with a mature IT set-up will find it simpler to re-engineer themselves. That said, the latter may be at a disadvantage. An organisation with lesser computerisation can conceivably evolve and mature faster than one that has to disregard its existing systems and processes and adapt to a new one.

Categorisation can be performed by users, by having content inherit categorisation from various repositories, or automatically applying the same through content analysis.

Susan D'Mello, Chief Manager-IT of Siemens Limited says, "Since our businesses were already ISO compliant and we were making extensive use of ERP, we did not need to do a special deployment of IT or undertake major reengineering for SOX compliance."

Tawde of Mahindra & Mahindra Limited uses SAP R/3 for accounts, finance, taxation and excise. "Records and registers maintained in the system are used for auditing," he says.

Old records are archived based on statutory requirements and systems allow data retrieval when required by governing agencies. Reporting requirements are met by systems. The company set to achieve BS 7799, which will help it cover all information assets nationwide.

Tools aiding compliance

Consolidation: NAS, SAN and storage management software

Risk management: Business Intelligence, Business Analytics, and Risk Management applications

Business Continuity: Software and hardware for backup, archival, and retrieval. The use of storage practices such as Information Lifecycle Management (ILM), Hierarchical Storage Management (HSM)

Information security: Firewalls, anti-viruses, Intrusion Prevention Systems (IPSs), Digital Signatures, and encryption. The use of certifications like BS7799

Search facilities: Databases, reporting tools, and analytics

Workflow management: Workflow management tools

External help

Most companies prefer to farm out compliance work to an external consultant. Third party help is useful in creating strategies, plans, and building roadmaps, and also for auditing.

A good consultant can provide the perspective gained from experience in helping other clients and provide critical feedback and input to create a broad game plan for effective compliance. It can identify areas that need restructuring.

With a few exceptions, some companies do not need help from external consultants for compliance. Among the businesses that Thomas Cook conducts, foreign exchange sales are governed by the Foreign Exchange Management Act (FEMA)—formerly FERA (Foreign Exchange Regulation Act).

Anil Nadkarni, Head of IT at Thomas Cook said, "We did not need to use a third party consultant because we found that the required expertise existed among our in-house personnel as we had been in the business for a long time," explains Nadkarni. (see box: ‘Thomas Cook's road to FEMA’ for more information)

Keeping it up

Since our businesses were already ISO compliant and we were making extensive use of ERP, we did not need to do a special deployment of IT or undertake major reengineering for SOX compliance

Susan D'Mello, Chief Manager-IT, Siemens Limited

"Compliance is not a one-time activity, but a continuous process," sums up Tawde. It is important to ensure that performance standards do not drop once compliance has been achieved. This is partly because regulatory requirements change and personnel change as well.

Says Bapat, "The only thing worse than not having a compliance program is not following through on one. Practices that conduct a compliance review but fail to take corrective action will exacerbate a regulatory problem."

Internal and third party experts should conduct regular audits to ensure that business units, including the IT department, perform consistently. Periodic audits let CIO identify strengths and weaknesses in systems and processes, and provide scope for development.

It is also a good practice to discuss audit findings in front of a review committee, staffed by trusted internal and external members.

CIOs should take advantage of the call to compliance and use it to upgrade and streamline IT systems and processes.

Security compliance

Information security and the use of security standards play an important role in compliance. Many regulations have guidelines and practices for security that can be dealt with if a company is compliant with security certification standards (think BS 7799 and ISO 17799). It is not mandatory to comply with certification standards but they show that a company has done its best to take necessary steps to minimise security risks.

Controlling access to content and establishing actions that can be performed by various users is a basic requirement of many regulations. In tandem with other enterprise information security measures such as firewalls, anti-virus software, intrusion prevention systems and digital signatures, access control can help create a safe computing environment.

The revised version of Part 2 of BS 7799-2 published in 2002 incorporates the ISO 9000 quality assurance standard and the ISO 14000 environmental control standard. These standards bring continuity and change management systems to BS 7799, commonly known as the Plan, Do, Check, Act (PDCA) cycle. Once certification is achieved, it has to be maintained. This entails periodic reviews and site visits by a BS 7799 assessor and re-certification every three years.

The BS 7799-2 covers 10 control areas with 36 control objectives, which in turn break down to 127 Control Points (CPs).

Soutiman Das Gupta can be reached at

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.