IT's role in compliance

The technological trail to compliance

Organisations can employ IT tools to comply with regulations. CIOs can benefit by hiking on this technological journey. by Soutiman Das Gupta

Be it a bank, a manufacturing concern, a pharmaceutical company or a service provider—all must comply with the guidelines that the government, corporate governance, internal company policy and third party standards organisations have laid out. Compliance also implies proof in the form of reports, logs, and audit trails that have to be as transparent as possible. Here's where IT steps in.

Most regulations state that information must be saved, retrieved, stored and delivered in an appropriate format. It must be kept secure over time. IT has the tools and processes that can streamline an organisation's efforts to re-engineer itself and meet mandates.

The basics

The IT route to regulatory compliance involves the use of controls and monitoring. "Effective compliance with regulatory policies involves the implementation of internal process controls and monitoring the exceptions for corrective action. The objective is to ensure that the information submitted to regulatory authorities is accurate," explains Arvind Tawde, CIO, Mahindra & Mahindra Ltd.

The pre-requisites for compliance are:

• Capturing and recording information from various business areas such as sales, marketing, finance, accounts, and HR
• Preserving information integrity to guarantee that information has not been tampered with without authorisation during storage or transfer
• Preserving information security to guarantee that information will not be lost or pilfered (See box: Security compliance for more information)
• Keeping information available and retrievable at all times so that reports can be generated and audit trails logged

The above pre-requisites can be met by using enterprise applications, a storage infrastructure, and a security infrastructure in tandem.

Where IT can help

The key is to identify the aspects or areas in the regulatory framework that can be complied with the help of IT (software, hardware, processes). Documentation and records management, information storage and management, business process management, risk management and Business Intelligence (BI), information security as well as business continuity come under this heading.

CIOs can identify these areas by coordinating with other business heads. This way, he or she can deploy IT effectively. For all banks, preventing fraud and implementing anti money laundering measures are two important aspects of the efforts being made to prevent criminal misuse of the financial system which threatens the stability of financial transactions worldwide.

"The emerging scenario under the Basel II accord and the need to use supervisory resources more productively are prompting banks to move to a risk-based supervision environment," says Kapil Bhatia, Manager IT, Syndicate Bank.

Here the CIO must deploy risk management systems and analytical tools that have reporting and predictive capabilities.

Deploying IT for compliance

Complying in an effective manner with regulations involves implementing internal process controls and monitoring exceptions to take corrective action as and when required Arvind Tawde, CIO, Mahindra & Mahindra Ltd.

Manish Bapat, Business Manager for NAS & CAS, EMC India and SAARC says, "The CIO should be IT savvy and have a strong financial background. This is because many regulations, notably Sarbanes-Oxley, require a solid knowledge of financial records."

If a CIO does not have that foundation, compliance with SOX can be intimidating. In such cases, the concerned CIO needs formal training in financial operations.

"IT should be able to provide clean data and set up a reliable storage infrastructure," says Vineet Khanna, Risk Management Specialist, SAS India Pvt. Ltd. "The use of software with good reporting and analytical capabilities helps."

Enterprise applications—ERP, CRM, various financial applications, and SCM—capture relevant data. Enterprise storage infrastructure has to ensure that the data is managed reliably, and that the data is not tampered with.

Take the example of how Tata Motors makes IT work for it in this regard. The manufacturing major has to comply with statutory guidelines as well as national and international standards. Tax Laws, Company's Act, Labour Wages Factory Act, SOX, ISO 9000, ISO 14001, and many others impact the company.

Tata Motors runs numerous IT applications that support business processes from product design and development (CAD/CAM/CAE), through Product Life Cycle Management, ERP, CRM, and Web-based applications.

The functional process owners from each of these areas and the IT team work together while designing requirements including those that concern regulatory compliance.

"The regulatory requirements for compliance are identified based on a comprehensive requirement analysis with the customers of IT services during the design stage of any application system," explains Probir Mitra, GM-IT, Tata Motors.

Many organisations prefer to use the services of an external consultant. Syndicate Bank used a consultant to help identify areas where IT can contribute, and Siemens Limited used a consultant who provided the initial guidance.

Maintaining harmony

Compliance efforts can only succeed if all departments work harmoniously. Most regulations affect multiple areas of business--accounts, finance, materials, and purchasing. Within each area, these regulations cover micro-aspects. The CIO must organise inter-departmental meetings where business leaders are asked to present, and even attend training sessions, to clarify what the specific requirements are from the IT department.

Coordinating with external consultants and auditors is critical as they play an essential role in validating the process.

In Siemens Limited the overall responsibility of coordinating SOX compliance lies with accounts. As SOX is applicable to the entire business, including IT, the IT department had to coordinate with other departments.

Probir Mitra of Tata Motors had to coordinate with several internal departments including engineering research, quality assurance, finance, HR, internal audit, and an external consultant to understand the compliance needs of all the business areas in his organisation. This effort made it easy for him to build the solution.

Tools of the trade

We did not avail of the services of a third-party consultant as we found that the required expertise existed in-house Anil Nadkarni, Head IT, Thomas Cook

The correct IT approach to compliance is a mix of IT solutions, strategy, and processes.

"Consolidation is the first step to compliance. When content is scattered across hundreds or even thousands of servers, meeting the requirements for compliance and legal risk management becomes substantially tougher," explains Bapat.

So there is a need to consolidate data in a separate storage infrastructure that preserves content and data for all applications running in an organisation. Going forward, a comprehensive and adaptable risk management infrastructure must be built that combines three ingredients.

The infrastructure should be sufficient to establish consistent and flexible strategies for archiving content; it should take care of disaster recovery. (See box: ‘Business Continuity’ for more information)

Search facilities are typically used to compile information regarding compliance to meet auditing requirements, restore lost data, perform periodic risk assessment reviews, and collect information for discovering evidence.

A capable workflow management facility is typically, the most effective tool for implementing policies to retain or dispose information. These policies are required to comply with most regulations and certification processes and to manage discovery risk.

A comprehensive and adaptable risk management infrastructure must combine three ingredients. It must be built on the right architecture, include (or provide a roadmap for) the right tools, and be supplied and supported by the right vendor.

BI, business analytics, and risk assessment tools that use a reliable data warehouse can provide such an adaptable infrastructure.

Versioning provides a coarse-grained method for summarising the process that an item of content undergoes in getting to its current form. Lifecycle auditing provides a similar function, but in a fine-grained manner. Together, they provide historical information required by many regulations and they can be useful in gaining a better understanding of the context in which specific content was created and used.

Categorising unstructured content is critical in ensuring that content is appropriately managed.

For most regulations, establishing and implementing policies regarding compliance is typically necessary but not sufficient by itself. The policies and the procedures that are used to carry these out must be comprehensively documented. Such documents are a required deliverable during regulatory audits. Enterprises can use tools that permit the digitally mapping of working instructions, and other processes that were previously issued on paper. These tools can consolidate database content into a central list. Data from a range of different applications such as SAP and Crystal Reports can be consolidated via universal print interfaces.

To comply with tax laws, auditors must have access to data relevant to tax matters. Digital data must be securely archived for auditing and be accessible to tax auditors. Software can be used for secure archival with features such as an online search, reporting with the option of storing data in a universal interchange format. Tax-relevant data may be extracted from the original data set and personal data can be hidden.

(See box: ‘Tools that aid compliance’ for more information)

Reengineering Processes

Compliance to a particular policy requires some degree of system and process reengineering. The level of reengineering depends upon how mature an IT department is before its compliance efforts kick off.

Partially computerised organisations will typically need lots of system deployments and a lot of reengineering of manual processes. Organisations with a mature IT set-up will find it simpler to re-engineer themselves. That said, the latter may be at a disadvantage. An organisation with lesser computerisation can conceivably evolve and mature faster than one that has to disregard its existing systems and processes and adapt to a new one.

Categorisation can be performed by users, by having content inherit categorisation from various repositories, or automatically applying the same through content analysis.

Susan D'Mello, Chief Manager-IT of Siemens Limited says, "Since our businesses were already ISO compliant and we were making extensive use of ERP, we did not need to do a special deployment of IT or undertake major reengineering for SOX compliance."

Tawde of Mahindra & Mahindra Limited uses SAP R/3 for accounts, finance, taxation and excise. "Records and registers maintained in the system are used for auditing," he says.

Old records are archived based on statutory requirements and systems allow data retrieval when required by governing agencies. Reporting requirements are met by systems. The company set to achieve BS 7799, which will help it cover all information assets nationwide.

External help

Most companies prefer to farm out compliance work to an external consultant. Third party help is useful in creating strategies, plans, and building roadmaps, and also for auditing.

A good consultant can provide the perspective gained from experience in helping other clients and provide critical feedback and input to create a broad game plan for effective compliance. It can identify areas that need restructuring.

With a few exceptions, some companies do not need help from external consultants for compliance. Among the businesses that Thomas Cook conducts, foreign exchange sales are governed by the Foreign Exchange Management Act (FEMA)—formerly FERA (Foreign Exchange Regulation Act).

Anil Nadkarni, Head of IT at Thomas Cook said, "We did not need to use a third party consultant because we found that the required expertise existed among our in-house personnel as we had been in the business for a long time," explains Nadkarni. (see box: ‘Thomas Cook's road to FEMA’ for more information)

Keeping it up

Since our businesses were already ISO compliant and we were making extensive use of ERP, we did not need to do a special deployment of IT or undertake major reengineering for SOX compliance Susan D'Mello, Chief Manager-IT, Siemens Limited

"Compliance is not a one-time activity, but a continuous process," sums up Tawde. It is important to ensure that performance standards do not drop once compliance has been achieved. This is partly because regulatory requirements change and personnel change as well.

Says Bapat, "The only thing worse than not having a compliance program is not following through on one. Practices that conduct a compliance review but fail to take corrective action will exacerbate a regulatory problem."

Internal and third party experts should conduct regular audits to ensure that business units, including the IT department, perform consistently. Periodic audits let CIO identify strengths and weaknesses in systems and processes, and provide scope for development.

It is also a good practice to discuss audit findings in front of a review committee, staffed by trusted internal and external members.

CIOs should take advantage of the call to compliance and use it to upgrade and streamline IT systems and processes.

Soutiman Das Gupta can be reached at soutimand@networkmagazineindia.com