Issue of June 2005 



Compliance and Audit

The first step to corporate governance

While many organisations still do not conduct security and compliance audits, most invest time and effort in documenting policies and processes. Third-party certifications are now becoming popular.

by Deepali Gupta

Strict compliance results in less work because uncertainty is reduced and damage control procedures are in place and well known

Until late 2003, the quality of Indian products and security levels maintained by India Inc. were regarded with suspicion by potential outsourcers abroad.

Two years on, India Inc. is on the road to reinventing its image. Indian organisations are now stepping beyond the regulatory minimum and complying with international standards such as BS7799.

Executive Summary
Certified for sure

63 percent of organisations do not conduct any audit, but that figure may not be representative of the big players planning to enter global trade. A surprising number of companies are opting for certifications, and third party audits to inspire client confidence.

Power pill

If you need to compete at a global level right away, it may be wise to put an audit mechanism in place to comply with international corporate governance standards.

In the context of IT, compliance usually refers to data security and corporate governance or the systems and practices that have been set up and enforced with the help of IT. There are two kinds of compliance: regulatory, imposed by governmental or quasi-governmental bodies, and self-imposed.

Documentation: the basis of security policy

Over the past year, we have observed that companies investing in IT or setting up the means to enforce security were rare.

S B Patankar,
Chief Technology Officer, The Stock Exchange, Mumbai

63 percent of respondents do not conduct security audits. This suggests that compliance is still not taken as seriously as it should be. However, 61 percent have a documented security policy, and that, says S B Patankar, Chief Technology Officer, The Stock Exchange, Mumbai, is the first step in the direction of compliance. The BSE has just received its BS7799 certification, and 14 percent of respondents to IS 2005 have already invested toward getting that clearance.

Indian regulations and compliance

The largest set of consolidated regulations that mandate integrity of data in India are the IT Act and SEBI's clause 49 for listed companies. These regulations do not currently enforce the kind of security standards that are common in Europe and the US. In a global economy, however, no company is an island, and India Inc. is adopting US and European compliance procedures and certifications such as Sarbanes-Oxley, Safe Harbour, BS, and ISO.

Compliance, regulatory or otherwise, does not directly concern the IT department. In manufacturing, for instance, compliance controls don't really involve system security, and a large part of the quality control required by authorities cannot be imposed or enforced using IT. Companies that deal with sensitive information, financial services firms and BPOs, banks, MNC subsidiaries, and those with plans to expand beyond Indian shores are all affected. These will continue to make strides towards compliance. For the medium-scale segment (Rs 100-300 crore turnover), security and audits are not a priority. This segment is comfortable with public mail servers and with exchanging information over connections that are not very secure.

Certification for a competitive edge

Research Snapshots
  • 61 percent of the respondents have documented their security policies
  • Security policies are reviewed every six months in 59 percent of companies
  • 63 percent of them do not conduct security audits. Of those who do, only 36 percent have a quarterly or better frequency
  • For 54 percent of respondents, audit policy exists as a matter of security policy or as a business necessity

"Compliance comprises enforcing a quality and standard that results in transparency and fairness," says Patankar. The process of getting certified leads to clarity, documentation of processes, and assignment of ownership to the right people, which is what happened at the BSE. That is not the only reason for getting certified. Like many other organisations, the BSE was already enforcing a majority of the necessary practices, but the certification assured customers that doing business with the exchange was safe. If a company is seen as being more secure than its competitors, it gains favour with customers.

Even though organisations are opting for third-party audits to gain the trust of partners and customers, the IS 2005 survey indicates that only 10 percent of organisations claim that they conducted an audit because a client asked for it. For many it is a matter of regulation, but for the largest percentage of respondents (30 percent), audit is a matter of policy. CIOs are now also at least partly responsible for compliance with standards such as Sarbanes-Oxley, Safe Harbour, HIPAA and the GLB Act, which lay down rules of privacy and data security that an organisation has to follow while capturing, maintaining, using, and exchanging data.

Corporate governance

According to IS 2005, 54 percent of organisations that audit on a regular basis do so because they view it as a business necessity. Only ten percent attribute it to a client requirement.

Besides this, only 16 percent do so because it is imposed by a regulatory authority, and a large chunk of that is from the BFSI segment. This clearly reflects that organisations are taking audits seriously even if they are not mandatory.

Otis India got itself certified for Sarbanes-Oxley (SOX) this January. Most SOX mandates involve corporate governance, but technology comes in handy when it's time to put controls in place, according to V Subramaniam, CIO, Otis India. "IT can be used for putting secure user access rights in place, and certification ensures a well-articulated policy, regular audits and therefore evidence that the organisation is compliant," says Subramaniam.

Certification ensures a well-articulated policy, regular audits and therefore evidence that the organisation is compliant

A similar standard concerning corporate governance is BS15000. Organisations such as L&T will eventually look at getting certified for these standards, as Anatha Sayana, General Manager at Larsen & Toubro Infotech, suggests. His organisation is evaluating the merits of the certification as we go to press. According to Sayana, L&T already follows most of the practices imposed by BS15000. However, getting certified is significant because "someone has documented the processes for the certification, and it will help increase our credibility," Sayana says.

People = process

V Subramaniam
CIO, Otis India

The greatest challenge for a CIO with regard to compliance is people management. "Most people seem to think the increased security effort will mean more work, but strict compliance results in less work because uncertainty is reduced and damage control procedures are in place and well known," says Patankar. "An organisation has to be conscious of each member involved in an affected process, and create awareness at every level for effective compliance standards," says Subramaniam.

Getting hold of the people to implement and enforce best practices is the core. "You can put algorithms in place, but getting users to understand and use them effectively is important," says Patankar. That is perhaps why when it comes to compliance and audits most companies will document their policies and get third-party certification for the sake of visibility.

NM recommends
  • Consider establishing internal regulations to propagate corporate best practices.
  • Create a document first that enumerates regulations in a clear and concise manner.
  • Identify the users involved at every level and get buy-in.
  • Put a control mechanism in place to ensure compliance.
  • Have a third-party audit to let partners know that the company is serious about business.

Deepali Gupta can be reached at

Indian Express - Business Publications Division