IT's role in compliance
The technological trail to compliance
Organisations can employ IT tools to comply with regulations.
CIOs can benefit by setting out on this technological journey.
by Soutiman Das Gupta
Be it a bank, a manufacturing concern, a pharmaceutical company or a service
provider, all must comply with the guidelines laid out by government, corporate
governance codes, internal company policy and third-party standards organisations.
Compliance also implies proof, in the form of reports, logs and audit trails,
that must be as transparent as possible. Here's where IT steps in.
Most regulations state that information must be saved, retrieved, stored and
delivered in an appropriate format. It must be kept secure over time. IT has
the tools and processes that can streamline an organisation's efforts to re-engineer
itself and meet mandates.
The IT route to regulatory compliance involves the use of controls and monitoring.
"Effective compliance with regulatory policies involves the implementation
of internal process controls and monitoring the exceptions for corrective action.
The objective is to ensure that the information submitted to regulatory authorities
is accurate," explains Arvind Tawde, CIO, Mahindra & Mahindra Ltd.
The pre-requisites for compliance are:
- Capturing and recording information from various business areas such as sales, marketing, finance, accounts, and HR
- Preserving information integrity, to guarantee that information has not been tampered with without authorisation during storage
- Preserving information security, to guarantee that information will not be lost or pilfered (See box: Security compliance for more information)
- Keeping information available and retrievable at all times, so that reports can be generated and audit trails logged
The above pre-requisites can be met by using enterprise applications,
a storage infrastructure, and a security infrastructure in tandem.
Where IT can help
The key is to identify the aspects or areas in the regulatory framework that
can be complied with the help of IT (software, hardware, processes). Documentation
and records management, information storage and management, business process
management, risk management and Business Intelligence (BI), information security
as well as business continuity come under this heading.
CIOs can identify these areas by coordinating with other business heads. This
way, he or she can deploy IT effectively. For banks, fraud prevention and
anti-money-laundering (AML) controls are two key areas, since criminal misuse of
the financial system threatens the stability of financial transactions worldwide.
"The emerging scenario under the Basel II accord and the need to use supervisory
resources more productively are prompting banks to move to a risk-based supervision
environment," says Kapil Bhatia, Manager IT, Syndicate Bank.
Here the CIO must deploy risk management systems and analytical tools that have
reporting and predictive capabilities.
Deploying IT for compliance
Manish Bapat, Business Manager for NAS & CAS, EMC India
and SAARC says, "The CIO should be IT savvy and have a strong financial
background. This is because many regulations, notably Sarbanes-Oxley, require
a solid knowledge of financial records."
If a CIO does not have that foundation, compliance with SOX can be intimidating.
In such cases, the concerned CIO needs formal training in financial operations.
"IT should be able to provide clean data and set up a reliable storage
infrastructure," says Vineet Khanna, Risk Management Specialist, SAS India
Pvt. Ltd. "The use of software with good reporting and analytical capabilities
Enterprise applications (ERP, CRM, various financial applications, and SCM) capture
the relevant data. The enterprise storage infrastructure has to ensure that the data
is managed reliably and that it is not tampered with.
Take the example of how Tata Motors makes IT work for it in this regard. The
manufacturing major has to comply with statutory guidelines as well as national
and international standards. Tax laws, the Companies Act, labour, wages and factory
legislation, SOX, ISO 9000, ISO 14001, and many others impact the company.
Tata Motors runs numerous IT applications that support business processes from
product design and development (CAD/CAM/CAE), through Product Life Cycle Management,
ERP, CRM, and Web-based applications.
The functional process owners from each of these areas and the IT team work
together while designing requirements, including those that concern regulatory compliance.
"The regulatory requirements for compliance are identified based on a comprehensive
requirement analysis with the customers of IT services during the design stage
of any application system," explains Probir Mitra, GM-IT, Tata Motors.
Many organisations prefer to use the services of an external consultant. Syndicate
Bank used a consultant to help identify areas where IT can contribute, and Siemens
Limited used a consultant who provided the initial guidance.
Compliance efforts can only succeed if all departments work harmoniously. Most
regulations affect multiple areas of business: accounts, finance, materials,
and purchasing. Within each area, they touch many fine-grained aspects of the work. The
CIO must organise inter-departmental meetings where business leaders are asked
to present, and even attend training sessions, to clarify what the specific
requirements on the IT department are.
Coordinating with external consultants and auditors is critical as they play
an essential role in validating the process.
In Siemens Limited the overall responsibility of coordinating SOX compliance
lies with accounts. As SOX is applicable to the entire business, including IT,
the IT department had to coordinate with other departments.
Probir Mitra of Tata Motors had to coordinate with several internal departments
including engineering research, quality assurance, finance, HR, internal audit,
and an external consultant to understand the compliance needs of all the business
areas in his organisation. This effort made it easy for him to build the solution.
Tools of the trade
The correct IT approach to compliance is a mix of IT solutions,
strategy, and processes.
"Consolidation is the first step to compliance. When content is scattered
across hundreds or even thousands of servers, meeting the requirements for compliance
and legal risk management becomes substantially tougher," explains Bapat.
So there is a need to consolidate data in a separate storage infrastructure
that preserves content and data for all applications running in an organisation.
The infrastructure should be sufficient to establish consistent and flexible
strategies for archiving content; it should take care of disaster recovery.
(See box: Business Continuity for more information)
Search facilities are typically used to compile compliance information for
audits, restore lost data, perform periodic risk assessment reviews, and
collect evidence for legal discovery.
A capable workflow management facility is typically the most effective tool
for implementing policies to retain or dispose of information. Such policies are
required to comply with most regulations and certification processes and to
manage discovery risk.
A comprehensive and adaptable risk management infrastructure must combine three
ingredients. It must be built on the right architecture, include (or provide
a roadmap for) the right tools, and be supplied and supported by the right vendor.
BI, business analytics, and risk assessment tools that use a reliable data warehouse
can provide such an adaptable infrastructure.
Versioning provides a coarse-grained method for summarising the process that
an item of content undergoes in getting to its current form. Lifecycle auditing
provides a similar function, but in a fine-grained manner. Together, they provide
historical information required by many regulations and they can be useful in
gaining a better understanding of the context in which specific content was
created and used.
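The integrity requirements set out above (records that cannot be altered without authorisation, and a history recoverable through versioning and lifecycle auditing) are commonly met by hashing each stored version and chaining the audit entries so that any later alteration is detectable. The following is an added illustration written for this article, not code from any of the companies or vendors quoted; the record store, the action names and the sample invoice records are all hypothetical.

```python
"""Versioned records with a tamper-evident lifecycle audit trail.

Hypothetical example (not from the article or any vendor): every stored
version of a record is identified by the SHA-256 of its content, and every
lifecycle event (create, update, dispose) is appended to an audit log whose
entries are hash-chained. Editing a past log entry, or a stored version,
is reported by verify().
"""
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AuditEntry:
    seq: int
    action: str         # "create", "update" or "dispose"
    record_id: str
    version: int        # 0 for dispose
    content_hash: str   # hash of the version's content, "" for dispose
    actor: str
    prev_hash: str      # entry_hash of the previous entry (GENESIS for seq 0)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON of the fields, so recomputation is deterministic.
        body = json.dumps([self.seq, self.action, self.record_id, self.version,
                           self.content_hash, self.actor, self.prev_hash],
                          separators=(",", ":"))
        return sha256_hex(body.encode())


class RecordStore:
    GENESIS = "0" * 64

    def __init__(self):
        self.versions = {}   # (record_id, version) -> content bytes
        self.log = []        # list of AuditEntry, append-only by design

    def _append(self, action, record_id, version, content_hash, actor):
        prev = self.log[-1].entry_hash if self.log else self.GENESIS
        entry = AuditEntry(len(self.log), action, record_id, version,
                           content_hash, actor, prev)
        entry.entry_hash = entry.compute_hash()
        self.log.append(entry)

    def put(self, record_id: str, content: bytes, actor: str) -> int:
        """Store a new version of record_id and log the event; returns the version."""
        version = 1 + max((v for r, v in self.versions if r == record_id), default=0)
        self.versions[(record_id, version)] = content
        self._append("create" if version == 1 else "update", record_id,
                     version, sha256_hex(content), actor)
        return version

    def dispose(self, record_id: str, actor: str) -> None:
        """Retention policy expiry: drop the content, keep the evidence in the log."""
        for key in [k for k in self.versions if k[0] == record_id]:
            del self.versions[key]
        self._append("dispose", record_id, 0, "", actor)

    def history(self, record_id: str):
        return [(e.action, e.version, e.actor) for e in self.log if e.record_id == record_id]

    def verify(self) -> list:
        """Return a list of problems; an empty list means log and versions agree."""
        problems, prev, disposed, logged = [], self.GENESIS, set(), {}
        for i, e in enumerate(self.log):
            if e.seq != i:
                problems.append(f"seq gap at {i}")
            if e.prev_hash != prev:
                problems.append(f"chain break at seq {i}")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i} modified")
            prev = e.compute_hash()   # recomputed, so a re-hashed edit still breaks the chain
            if e.action == "dispose":
                disposed.add(e.record_id)
            else:
                disposed.discard(e.record_id)
                logged[(e.record_id, e.version)] = e.content_hash
        for key, content in self.versions.items():
            if key[0] in disposed:
                problems.append(f"{key} should have been disposed")
            elif key not in logged:
                problems.append(f"{key} has no audit entry")
            elif sha256_hex(content) != logged[key]:
                problems.append(f"{key} content altered")
        return problems


def demo():
    """Constructed sample: an invoice is revised, then an old version is edited behind the API."""
    store = RecordStore()
    store.put("INV-2004-0001", b"invoice v1 amount=1000", actor="finance.clerk")
    store.put("INV-2004-0001", b"invoice v2 amount=1200", actor="finance.mgr")
    before = store.verify()                       # [] : consistent
    store.versions[("INV-2004-0001", 1)] = b"invoice v1 amount=100"   # unauthorised edit
    return before, store.verify()


if __name__ == "__main__":
    print(demo())
```

The chain makes modification or deletion of any earlier entry detectable, but silently removing the newest entries is not, because nothing after them references their hash; in practice the latest `entry_hash` is periodically written to a medium the operators cannot alter (a WORM archive, a printed register or an external notary), and the verifier compares against that anchor.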
Categorising unstructured content is critical in ensuring that content is appropriately
For most regulations, establishing and implementing compliance policies
is necessary but not sufficient by itself. The policies, and the procedures
used to carry them out, must be comprehensively documented, because such documents
are a required deliverable during regulatory audits. Enterprises can use tools
that digitally map work instructions and other processes
that were previously issued on paper. These tools can consolidate database content
into a central list, and data from different applications such as SAP
and Crystal Reports can be consolidated via universal print interfaces.
To comply with tax laws, auditors must have access to data relevant to tax matters.
Digital data must be securely archived for auditing and be accessible to tax
auditors. Software can be used for secure archival with features such as an
online search, reporting with the option of storing data in a universal interchange
format. Tax-relevant data may be extracted from the original data set and personal
data can be hidden.
(See box: Tools that aid compliance for more information)
Compliance with a particular policy requires some degree of system and process
re-engineering. The level of re-engineering depends upon how mature an IT department
is before its compliance efforts kick off.
Partially computerised organisations will typically need many system deployments
and extensive re-engineering of manual processes. Organisations with a mature
IT set-up will find it simpler to re-engineer themselves. That said, the latter
may also be at a disadvantage: an organisation with less computerisation can conceivably
evolve and mature faster than one that has to discard its existing systems
and processes and adapt to new ones.
Categorisation can be performed by users, by having content inherit categorisation
from various repositories, or automatically applying the same through content
Susan D'Mello, Chief Manager-IT of Siemens Limited says, "Since our businesses
were already ISO compliant and we were making extensive use of ERP, we did not
need to do a special deployment of IT or undertake major reengineering for SOX compliance."
Tawde of Mahindra & Mahindra Limited uses SAP R/3 for accounts, finance,
taxation and excise. "Records and registers maintained in the system are
used for auditing," he says.
Old records are archived based on statutory requirements, and the systems allow data
retrieval when required by governing agencies. Reporting requirements are met
by the systems. The company is set to achieve BS 7799 certification, which will help it cover all
information assets nationwide.
Many companies prefer to farm out compliance work to an external consultant.
Third-party help is useful in creating strategies, plans, and roadmaps,
and also for auditing.
A good consultant brings the perspective gained from experience with
other clients and provides critical feedback and input to create a broad game
plan for effective compliance. It can identify areas that need restructuring.
Some companies, however, do not need help from external consultants
for compliance. Among the businesses that Thomas Cook conducts, foreign exchange
sales are governed by the Foreign Exchange Management Act (FEMA), formerly
FERA (Foreign Exchange Regulation Act).
"We did not need to use a third party consultant because we found that the
required expertise existed among our in-house personnel, as we had been in the
business for a long time," explains Anil Nadkarni, Head of IT at Thomas Cook.
(See box: Thomas Cook's road to FEMA for more information)
Keeping it up
"Compliance is not a one-time activity, but a continuous
process," sums up Tawde. It is important to ensure that performance standards
do not drop once compliance has been achieved. This is partly because regulatory
requirements change and personnel change as well.
Says Bapat, "The only thing worse than not having a compliance program
is not following through on one. Practices that conduct a compliance review
but fail to take corrective action will exacerbate a regulatory problem."
Internal and third-party experts should conduct regular audits to ensure that
business units, including the IT department, perform consistently. Periodic
audits let the CIO identify strengths and weaknesses in systems and processes, and
provide scope for improvement.
It is also a good practice to discuss audit findings in front of a review committee,
staffed by trusted internal and external members.
CIOs should take advantage of the call to compliance and use it to upgrade and
streamline IT systems and processes.
Soutiman Das Gupta can be reached at email@example.com