Compliance and Audit
The first step to corporate governance
While many organisations still do not conduct security and compliance audits, most invest time and effort in documenting policies and processes. Third-party certifications are now becoming popular.
by Deepali Gupta
Until late 2003, the quality of Indian products and the security levels maintained by India Inc. were regarded with suspicion by potential outsourcers. Two years on, India Inc. is on the road to reinventing its image. Indian organisations are now stepping beyond the regulatory minimum and complying with international standards such as BS7799.
Certified for sure
63 percent of organisations do not conduct any audit, but that figure may not be representative of the big players planning to enter global trade. A surprising number of companies are opting for certifications and third-party audits to inspire client confidence. If you need to compete at a global level right away, it may be wise to put an audit mechanism in place to comply with international corporate governance standards.
In the context of IT, compliance usually refers to data security and corporate governance, or the systems and practices that have been set up and enforced with the help of IT. There are two kinds of compliance: regulatory, imposed by governmental or quasi-governmental bodies, and self-imposed.
Documentation: the basis of security policy
"Over the past year, we have observed that companies investing in IT or setting up the means to enforce security were rare."
S B Patankar, Chief Technology Officer, The Stock Exchange, Mumbai
63 percent of respondents do not conduct security audits. This suggests that compliance is still not taken as seriously as it should be. However, 61 percent have a documented security policy, and that, says S B Patankar, Chief Technology Officer, The Stock Exchange, Mumbai, is the first step in the direction of compliance. The BSE has just received its BS7799 certification, and 14 percent of IS 2005 respondents have already invested toward getting that clearance.
Indian regulations and compliance
The largest set of consolidated regulations that mandate the integrity of data in India are the IT Act and SEBI's clause 49 for listed companies. These regulations do not currently enforce the kind of security standards that are common in Europe and the US. In a global economy, however, no company is an island, and India Inc. is adopting US and European compliance procedures and certifications such as Sarbanes-Oxley, Safe Harbour, BS, and ISO.
Compliance, regulatory or otherwise, does not directly concern the IT department. In manufacturing, for instance, compliance controls don't really involve system security, and a large part of the quality control required by authorities cannot be imposed or enforced using IT. Companies that deal with sensitive information, financial services and BPOs, banks, MNC subsidiaries, or those with plans to expand beyond Indian shores are all affected. These will continue to make strides towards compliance. For the medium-scale segment (Rs 100-300 crore turnover), security and audits are not a priority. This segment is comfortable with public mail servers and with exchanging information over connections that are not very secure.
Certification for a competitive edge
- 61 percent of the respondents have documented their security policies
- Security policies are reviewed every six months in 59 percent of companies
- 63 percent of them do not conduct security audits. Of those who do, only 36 percent have a quarterly or better
- For 54 percent of respondents, audit policy exists as a matter of security policy or as a business necessity
"Compliance comprises enforcing a quality and standard that results in transparency and fairness," says Patankar. The process of getting certified leads to clarity, documentation of processes, and assignment of ownership to the right people, which is what happened at the BSE. That is not the only reason for getting certified. Like many other organisations, the BSE was already enforcing a majority of the necessary practices, but the certification assured customers that doing business with the exchange was safe. If a company is seen as being more secure than its competitors, it gains favour with customers.
Even though organisations are opting for third-party audits to gain the trust of partners and customers, the IS 2005 survey indicates that only 10 percent of the organisations claim that they conducted an audit because a client asked for it. For many it is a matter of regulation, but for the largest percentage of respondents (30 percent), audit is a matter of policy. CIOs are now also at least partly responsible for compliance with standards such as Sarbanes-Oxley, Safe Harbour, HIPAA and the GLB Act, which lay down rules of privacy and data security that an organisation has to follow while capturing, maintaining, using, and
According to IS 2005, 54 percent of organisations that audit on a regular basis do so because they view it as a business necessity. Only 10 percent attribute it to a client requirement. Besides this, only 16 percent do so because it is imposed by a regulatory authority, and a large chunk of that is from the BFSI segment. This clearly reflects that organisations are taking audits seriously even if they are not mandatory.
Otis India got itself certified for Sarbanes-Oxley (SOX) this January. Most SOX mandates involve corporate governance, but technology comes in handy when it's time to put controls in place, according to V Subramaniam, CIO, Otis India. "IT can be used for putting secure user access rights in place, and certification ensures a well-articulated policy, regular audits and therefore evidence that the organisation is compliant," says Subramaniam.
A similar standard concerning corporate governance is BS15000. Organisations such as L&T will eventually look at getting certified for these standards, as Anatha Sayana, General Manager at Larsen & Toubro Infotech, suggests. His organisation is evaluating the merits of the certification as we go to press. As per Sayana's indication, L&T already follows most of the practices imposed by BS15000. However, getting certified is significant as "someone has documented the processes for the certification, and it will help increase our credibility," Sayana says.
People = process
The greatest challenge for a CIO with regard to compliance is people management. "Most people seem to think the increased security effort will mean more work, but strict compliance results in less work because uncertainty is reduced and damage control procedures are in place and well known," says Patankar. "An organisation has to be conscious of each member involved in an affected process, and create awareness at every level for effective compliance standards," says Subramaniam.
Getting hold of the people to implement and enforce best practices is the core. "You can put algorithms in place, but getting users to understand and use them effectively is important," says Patankar. That is perhaps why, when it comes to compliance and audits, most companies will document their policies and get third-party certification for the sake of visibility.
- Consider establishing internal regulations to propagate corporate best practices.
- Create a document first that enumerates regulations in a clear and concise manner.
- Identify the users involved at every level and get buy-in.
- Put a control mechanism in place to ensure
- Have a third-party audit to let partners know that the company is serious about business.
Deepali Gupta can be reached at firstname.lastname@example.org