An organization faced with multiple compliance obligations, such as Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), Information Security and/or the USA Patriot Act, faces the challenge of minimizing redundant efforts.
Additionally, management has the responsibility to fully disclose all pertinent information to their external auditor. The challenge is to balance how much information, and about what issues, to "bubble up" to the appropriate auditor. Avoiding excessive detail and keeping the auditor focused will help ensure that extra time and effort are not spent on inconsequential items.
In the world of multi-compliance initiatives this becomes a little more complicated. With proper analysis and forethought, Processes, Risks, Controls, Tests, Issues and Action Plans (PRCTIA) can now be related (shared) amongst different compliance initiatives. However, certain aspects of those PRCTIA may be relevant to one compliance initiative but not necessary to another.
For example, let's look at Information Security Compliance and SOX. Most of the IT processes are applicable to both compliance initiatives. However, the SOX initiative addresses the ability of the organization to report accurate financial statements, whereas Information Security is focused on keeping information out of the wrong hands. This poses subtle differences in each of the Information Technology General Controls of:
- Application Development
- Application Security
- Data Backup
- Computer Operations Change Management
- Data Interface
- Application Governance
- Network Access
- Physical Security
As you can imagine, the Risks, Controls and Tests for Physical Security should be very similar for both initiatives. Data backup processes need to be evaluated from two perspectives: can the organization recover a file from backup effectively (SOX), and are the backup media protected from inadvertent loss or theft (Information Security)?
Having a database or software tool that can differentiate and/or share information becomes imperative in this multi-compliance arena. The tool can be used to prevent duplicate effort or the provision of too much information (TMI) to the auditor.
Use of a Scope indicator in a tool gives you the ability to filter the information on reports that are given to the external auditor. This will require the Control Owners to correctly identify which attributes apply to SOX and which ones are related to Information Security, etc. Descriptive text in the Process Narratives, Walkthroughs and testing procedures might be written generically enough to satisfy both initiatives while still providing enough quality information for each initiative.
Another potential area of concern is designing test attributes. There are certain tests where the software application has been identified as an attribute or as a descriptor in a test sample. Under this scenario, separate test items can be created for each initiative and the Scope indicator at the test level can be set accordingly.
Potentially the greatest challenge may be in supporting conclusions on the effectiveness of the Control, whether its design or its operational effectiveness. If an Information Security test fails, there is still the potential that the SOX Control conclusion can pass. There are also fields that are used for SOX but may not be pertinent to Information Security initiatives, such as Assertions, Design Effectiveness, and Operational Effectiveness. They should simply be filtered out of any Information Security report. You should define a priority initiative (like SOX) which bases its determination of effectiveness at the Control or Risk level; the subsequent initiatives should then base their conclusions at the test level.
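The scope-indicator filtering and the two-level conclusion rule described above can be modelled in a few lines. The following is an added illustration, not code from this article or from Visage's SingleVue methodology; the record layout, the field names (`scope`, `assertions`, `design_effective`, `operational_effective`) and the sample Data Backup control are all constructed for the example. It shows an Information Security test failing while the SOX control-level conclusion still passes, and SOX-only fields being dropped from the Information Security report.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple, Dict, Any

# Initiative identifiers used as Scope indicators (constructed for this example).
SOX = "SOX"
INFOSEC = "InfoSec"
PRIORITY_INITIATIVE = SOX  # the initiative that concludes at the Control level

# Fields that are meaningful for SOX but not pertinent to Information Security.
SOX_ONLY_FIELDS = ("assertions", "design_effective", "operational_effective")


@dataclass
class Test:
    name: str
    scope: FrozenSet[str]   # initiatives this test item applies to
    passed: bool


@dataclass
class Control:
    name: str
    process: str
    scope: FrozenSet[str]   # initiatives this control is shared with
    tests: List[Test] = field(default_factory=list)
    # SOX-only attributes; left unset for controls that are not in SOX scope.
    assertions: Tuple[str, ...] = ()
    design_effective: Optional[bool] = None
    operational_effective: Optional[bool] = None


# Constructed sample: one shared Data Backup control with a test per perspective.
SAMPLE_CONTROLS = [
    Control(
        name="Daily backup and restore",
        process="Data Backup",
        scope=frozenset({SOX, INFOSEC}),
        tests=[
            # Recoverability matters to both initiatives.
            Test("Restore a sampled file from backup", frozenset({SOX, INFOSEC}), True),
            # Media protection matters only to Information Security.
            Test("Backup media stored in locked container", frozenset({INFOSEC}), False),
        ],
        assertions=("completeness", "accuracy"),
        design_effective=True,
        operational_effective=True,
    ),
]


def report(controls: List[Control], initiative: str) -> List[Dict[str, Any]]:
    """Build the rows an auditor for one initiative should see.

    Controls and tests outside the initiative's scope are omitted, and
    SOX-only fields are included only on the priority initiative's report.
    """
    rows = []
    for c in controls:
        if initiative not in c.scope:
            continue
        row: Dict[str, Any] = {
            "control": c.name,
            "process": c.process,
            "tests": [
                {"name": t.name, "passed": t.passed}
                for t in c.tests if initiative in t.scope
            ],
        }
        if initiative == PRIORITY_INITIATIVE:
            for f in SOX_ONLY_FIELDS:
                row[f] = getattr(c, f)
        rows.append(row)
    return rows


def conclude(control: Control, initiative: str) -> Dict[str, Any]:
    """Priority initiative concludes at the Control level; others at the test level."""
    in_scope = [t for t in control.tests if initiative in t.scope]
    if initiative == PRIORITY_INITIATIVE:
        effective = (
            bool(control.design_effective)
            and bool(control.operational_effective)
            and all(t.passed for t in in_scope)
        )
        return {"level": "control", "effective": effective}
    return {"level": "test", "results": {t.name: t.passed for t in in_scope}}


if __name__ == "__main__":
    ctl = SAMPLE_CONTROLS[0]
    print(report(SAMPLE_CONTROLS, INFOSEC))   # no assertions / effectiveness fields
    print(conclude(ctl, SOX))                  # control-level: effective
    print(conclude(ctl, INFOSEC))              # test-level: one failing test
```

Because the media-protection test is tagged with the Information Security scope only, its failure never reaches the SOX control-level conclusion, which is exactly the separation the text calls for; the Information Security report instead carries the individual test results and none of the SOX-only attributes.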
In conclusion, having a tool that can assist in segregating data can surely assist in managing multiple initiatives. However, it will still take individuals who understand the requirements of each compliance initiative and the controls to fully document the controls and tests appropriately. Otherwise, duplicate effort will be performed when controls affect multiple compliance initiatives, or we run the risk of providing too much information to the auditor and potentially having them go down a track we do not intend for them to go.
Our Team
Our team is comprised of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. From the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.
Our Value
- Utilizing our proprietary SingleVue™ compliance methodology, we tailor comprehensive, cost-effective and flexible solutions to our clients.
- Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.
For more information, visit our home page: www.visagesolutions.com