Compliance requirements can be a headache for the IT manager and the CIO, but downed lines of communication between their respective groups and poor information management policies easily can make a minor pain blossom into a migraine as the Nov. 15 Sarbanes-Oxley Act (SOX) deadline approaches.
One research firm has discovered a majority of U.S. organizations are still scrambling to meet compliance requirements, while a separate study of enterprise-level corporations revealed that even if the requirements are met, few corporations have a budget established to maintain compliance after the deadline.
In a joint industry study of 400 end users conducted by The Association for Information and Image Management (AIIM) and Kahn Consulting Inc., most (80%) companies are in the early stages of adapting to new compliance concerns, and still struggling to address new legal, regulatory and business requirements.
A second joint-study from Vancouver, B.C.-based ACL Services Ltd. and the Center for Continuous Auditing (CCA) polled 248 senior audit professionals from $1 billion-plus in revenue corporations and found that half were less than 60% along in meeting SOX Section 404 compliance requirements. An even more troubling statistic was that 67% had no annual budget allocated to maintain the requirements after Nov. 15.
John Mancini, the president of AIIM, said corporations are still addressing compliance concerns because of the way the document storage industry has evolved and because of regulatory compliance legislation like SOX and HIPAA. Eighty percent of the corporations surveyed stated that they have or are planning to make changes to the way they manage information, while 37% and 26% said they are making changes because of SOX and HIPAA respectively.
Mancini warned executives not to focus entirely on factors like HIPAA and SOX, because the real problem is the nature of business documentation -- it has changed from paper to electronic, and most corporations haven't fully adjusted.
"In that respect HIPAA and [SOX] are putting on some urgency, but the core problem lies in how organizations are documenting their information," Mancini said. "[They are starting] with electronic information and are assisting with the same discipline, transparency and security that used to be commonplace in the paper world."
To assist with this strategy shift, Mancini advised executives to become very involved with company driven initiatives from the top, and warned that the compliance headaches that exist today will certainly not be solved in a day.
"The one thing Sarbanes-Oxley has done is get people on the path with a solution," he said. And that solution involves a team approach between different specialties throughout the organization, including IT, records management and upper level executives.
Mancini said that those in IT need to be conscious of legal and records management issues and not just handle information, but become in tune with records. A strictly hardware/software approach isn't enough. Those in records management, who may lack the tools to deal with the IT aspect, need to have open communication with IT to ensure long-term goals are met.
A major issue facing executives as SOX approaches is that more than 60% of the organizations surveyed by AIIM failed to provide regular employee training, and the training that was given focused more on records and information managers than on executives and IT staff. More than a third of those organizations said they had not received guidance from an executive in the last 18 months, and nearly half did not provide an executive statement of support for the information management program.
The lack of training can be attributed to any number of things, Mancini said, including lack of time, budget cuts, and even apathy.
"The softer aspects of IT implemented are often the ones neglected," Mancini said. "It's not enough to say that to get down the path of importing document management solutions you have to take time to develop policies. Holding people accountable is really the only way to have sensible processes."
Organizations need to have people who make sound, well-planned policies and procedures as well as training and accountability on the implementation side, Mancini said. If mistakes are made after that point, then at the very least the organization is protected.
"One thing that has helped in getting the senior executives to help out is something like the language within Sarbanes-Oxley -- most of them aren't ready to do hard time," Mancini said.