Corporate compliance initiatives have grown tremendously over the past quarter century as federal regulators and Congress have enacted more than 114,000 business governance rules and regulations. Of course, no company has to comply with all of those regulations, but many certainly are applicable. And when global regulations are taken into consideration for companies with an international presence, the onus of corporate compliance can be heavy indeed.
The Sarbanes-Oxley Act of 2002 (SOX) brought the issue of corporate compliance to the forefront as affected companies dashed to complete the initial documents to demonstrate compliance. Then, while employees were breathing a collective sigh of relief, the realization hit home that the process would have to be repeated again and again to remain in compliance.
Keys to staying in compliance include creating comprehensive policies around corporate governance, devising systems to share data across compliance documents to avoid duplication of work, establishing clear lines of responsibility so each person knows what data to gather and when, and making those processes part of a company's culture. But many of those policy and procedure changes are easier said than done, so many companies remain in the reactive mode, struggling to stay in compliance.
Richard Diamond, CIO at FormFactor Inc., has been slowly realigning the public company from a reactive mode in regard to corporate compliance to a more proactive one. The Livermore, Calif.-based maker of advanced wafer probe cards used by semiconductor manufacturers has endured numerous Sarbanes-Oxley audits, a process Diamond said is time-consuming and expensive.
"Very often, there is a raising of the bar by auditors the next year, so [compliance] often is a moving target," said Diamond, who joined FormFactor earlier this year after a stint with Management Agility Inc. One of that company's practice areas is compliance management, so Diamond has traveled this road before. "If you stay in a reactive mode, you are always on the treadmill and will remain there indefinitely," he said.
During his short tenure, FormFactor has worked with an outside consultant to help it define and publish IT policies and currently is identifying the critical processes that will be addressed first. "Once that's complete, we will have turned a corner," Diamond said. "We expect our procedures and controls will support SOX compliance without spending significant dollars ahead of time" on the audit preparation partners FormFactor has relied on to get ready for an audit.
FormFactor is working with VariTrak Systems Inc., a Los Angeles-based software company that helps manage operational risk as it relates to corporate compliance. VariTrak CEO Dean Lane compares his company's product to the warning lights on vehicles that point out problems or maintenance concerns.
"There are 100 things that fall into the corporate compliance arena, not only SOX but ISO, FDA, HIPAA and internal policies and procedures," Lane said. After bringing databases and spreadsheets to a common platform, the system sends reminders to the appropriate employees about when compliance tasks need to be accomplished, escalating those alerts should the work remain undone. A dashboard feature of the subscription service allows board members and C-level execs to monitor corporate compliance. "Everyone wants to do a good job … and they're happy to get a tool to take care of compliance," Lane said.
While a software solution can take care of the nuts-and-bolts issues surrounding corporate compliance, "Software without the right organizational structure will do nothing," cautioned Michael Rasmussen, vice president for risk and compliance research at Forrester Research Inc. in Cambridge, Mass.
Companies serious about corporate compliance issues are naming chief compliance officers and devoting the necessary funds to address not only external requirements and laws but also internal compliance around corporate governance, IT, sales and product manufacturing. "The ones that are paying attention to this issue are the ones that have had problems in the past," Rasmussen said.
Adrian Bowles, program director for regulatory compliance at Object Management Group Inc. in Needham, Mass., recommends that companies use corporate compliance tools based on the Control Objectives for Information and related Technology (COBIT). The IT governance framework and supporting tool set allow managers to bridge the gap between control requirements, technical issues and business risks. "If a company uses COBIT controls, it can trace back to see what the company is compliant with," Bowles said.
As regulatory demands on business continue to escalate, compliance isn't going away. The key, experts say, is to stay ahead of the regulations whenever possible.
"You'll never solve the compliance problem as long as you're reactive," Diamond said. "Good IT governance and control is the proactive solution to SOX compliance."
Matt Bolch is a freelance writer based out of Atlanta.