Automated Compliance - Fact or Fiction?

When it comes to compliance, one common theme is prevalent, no matter the regulation, industry or department: “do the minimum there is to comply”. This is not necessarily the best strategy in the world, but there are a lot of reasons for it, mostly letting your employees concentrate on your core business rather than on the burden of being compliant.

The recent COSO guidance on monitoring internal controls suggests real time information reviewed by management allowing them to act in a timely basis. Any kind of manual process introduces possibilities of human error and fraud. Software vendors are responding to these needs by upgrading their products and positioning their products as “automated compliance solutions”.

Before determining whether any tool is really automating compliance, consider what it takes to be compliant. It typically means:

  • you need policies

  • certain mandatory regulatory obligations need to be reflected in these policies

  • these policies must be reviewed and updated on a yearly basis

  • your staff have to be aware of and trained on these policies

  • the policies are translated into procedures that include controls to mitigate risk

  • your staff has to execute these procedures to ensure the desired results with evidence that they were actually performed

  • an auditor periodically reviews the evidence to confirm the controls are operating effectively.

There are definitely items that can be automated in that process. The problem for a software vendor is that all companies are dynamic; even if they are in the same industry, they operate differently. To have a truly automated compliance solution, a vendor would need to:

  • Be able to supply a policy that can be tailored to your specific business

  • When the policy is changed, the procedures would have to be changed to reflect those policies

  • The procedures should be translated into workflows that would automatically be triggered depending on certain criteria being reached, either time or value related

  • The workflows would trigger an email to a person to review and approve something or an automated process to perform comparisons, calculate totals, etc.

  • A dashboard with alerts would be needed to notify the compliance officer when things are not functioning properly

  • All evidence is easily accessible for the auditor to ensure compliance

As mentioned earlier, software vendors are positioning “automated compliance” solutions since that sounds attractive to compliance officers and senior management. If you are considering an “automated compliance” solution, do your due diligence to determine exactly which part (if any) is covered by the vendor.

There are products that ask a series of questions, “Do you have an Information Security Policy”, “Are new employees trained on the policy”, etc. By answering yes or no, the software “automatically” determines if you are compliant or not. Although the solution is not really supplying an automated compliance solution, these tools are helpful, especially for an initial compliance project, since they often suggest improvements to get you in compliance.

Other tools exist that test certain aspects of a regulation: there are tools that monitor new customers for banks (OFAC), tools that perform penetration testing (HIPAA, PCI, FISMA, etc.), and others that perform email surveillance (HIPAA, SEC 17a-4, NASD 3010, GLBA, etc.). Some of these tools issue “certificates”; however, don’t think that these certificates mean that you are totally compliant with a certain regulation.

There are Governance, Risk and Compliance (GRC) tools where you identify and store the policies and associate General Ledger (GL) accounts to risks, controls and tests, which will help you track the audit process and “automatically” report on its results. Again, these tools are useful, especially for large organizations that have a large number of processes and internal controls in various locations.

If you are considering a new tool and the vendor is touting “automation”, here are some things you should ask:

  • Does the tool store documents or have a direct tie into an Enterprise Content (Document) Management system?

  • Will it relate Processes, risk and controls to each other?

  • Does the tool have the ability to relate a control to specific regulations (paragraph number)?

  • Will it relate financial general ledger accounts to processes, risk and controls (public companies and financial institutions)?

  • Does it have a workflow engine that will easily tie automated workflows to the processes?

  • Does it have access to your database so value related controls can be automatically generated?

  • Is there an ability to automatically indicate a control is working or not working?

  • Are alerts generated when controls are not being executed when expected?

  • Is there a dashboard that is automatically populated from the results of the workflows (not just the mere execution of the workflow)?

  • Is the evidence of the execution and results of the test available for the auditor and is it easily uploaded into their report?

Visage has had “the good fortune” to work with a number of tools, some that appear in the “Magic Quadrant” and others that don’t appear on the chart at all. There are some tools that come close, others…

Will there ever be a single tool that can truly supply a totally automatic compliance solution? Technically it is a difficult challenge, but who knows, they have computers playing Jeopardy now! Will software vendors ever be able to truly guarantee a total compliance solution? Their lawyers will never let them, or will set some pretty tough preconditions. Can you guarantee that your people will truly understand your policies, perform the compliance duties they are assigned without getting too caught up in the daily operations of the business to perform them on a timely basis, or keep your best interest at heart? That is why you should automate as much as you can.

Contact Visage Solutions today to see how we can assist you with this and other compliance matters.

_________________________________________________________________________

About Visage Solutions – www.VisageSolutions.com

Visage Solutions is a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management and compliance processes. Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, the company focuses on assisting business entities in mitigating operational risk. Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals. Our team is comprised of experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.

"The Visage Risk assessment tool and methodology allowed us to respond to the risk assessment requirements of the FFIEC in a timely and cost effective manner."
   Robert Kernodle, SVP and Risk Officer of Cornerstone Bank

"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system."
   Patrick Camblin, Senior Partner in Camblin CPA, PLLC

Copyright © 2010 Visage Solutions, LLC.