Top Six Cost-Cutting Strategies for IT Compliance

By Daniel Magid, Chief Technology Strategist

Do your compliance requirements cripple your efforts to rapidly deliver solutions to business problems? Or if you break the bank to become compliant, have you been a success?
The auditors don’t care how you do it, but your CEO may expect more.

Chances are high that your organization is dealing with regulatory compliance, with one standard or with many.  From Sarbanes-Oxley to HIPAA to Basel II, to PCI and the FSA, or combinations thereof, you may be contending with compliance just to remain in business.   While most companies have implemented compliance strategies, the cost in both dollars and resources has been daunting.  At the same time, the rapidly changing IT environment means that IT compliance continues to become more complex.  While the stakes are high, most IT budgets are not.  Proper IT governance is more important than ever, but the administrative burdens continue to grow.

The One IT Constant: Constant Change
Sprawling multi-platform infrastructures, ever-changing applications, and a string of new development methods (e.g. service-oriented applications, agile development, mash-ups, etc.) are all trademarks of a healthy IT department, but they don't do your IT compliance efforts any favors.   They mean shorter delivery schedules, more components to track, more IT changes to record, more people and access rights to control, and more risk to manage so that you can meet regulatory requirements and produce the necessary audit trails.  Compliance efforts can tie up critical staff, delaying important business-building IT projects.  Meanwhile, these new service-oriented, mash-up and agile development methods are blurring the lines between business and IT, increasing the number of people who must be kept up to date, managed, and tracked.   So as the IT infrastructure changes, the compliance "To Do" list gets bigger while IT budgets are shrinking in an uncertain economy.

Fortunately, companies are finding ways to reduce compliance costs while, at the same time, increasing the effectiveness and productivity of their IT organizations.  Below are six cost-reducing strategies that make regulatory requirements much easier to meet.

The Top Six Cost Reducing Strategies for IT Compliance

First Tip:   Encapsulate compliance processes into an automated system 
Creating and maintaining the documentation of approved processes is among the most difficult and least rewarding of compliance tasks.  Because maintenance is so arduous, the documentation is often created, put on a shelf and never touched again, except during audits.  As processes change, the documentation becomes obsolete.  Implementing an automated compliance solution allows an organization to encapsulate its processes within the system: the process definition that the tool enforces is the documentation.  As processes are updated, the current definition is viewable directly through the compliance system, so the documentation and the processes are never out of sync.  When the auditors arrive, they can view exactly what process is currently in use, and they can also see the history of changes to the process, including who changed it and when.

Second Tip:  Create structured, controlled software development processes
In a nutshell, repeatable and measurable processes—structured, defined, implemented, and enforced—are key to effectively and easily complying with regulatory requirements.  Determining the most effective change processes and then ensuring they are used consistently not only reflects IT best practices, it also reduces the cost of compliance.  If the auditor can see that the same processes are used all the time, there is no need to drill down and look at every operation.  In addition, Total Quality Management studies have shown that structured repeatable processes reduce errors and the requirements for rework, further reducing costs.

Consistently applied processes are much easier to automate, reducing the need for manual intervention.  It's absolutely critical to automate processes when you want to reduce compliance costs.  In fact you should start thinking of “manual” as a bad word.  The main regulatory bodies require management to define and establish procedures to ensure that software is developed in a controlled manner. Yet, it is important that the controls not interfere with IT’s ability to respond quickly to the needs of the business.  Consequently, if these controls are automated you will reduce the time, expense, and disruption of IT audits. Most importantly, your staff can focus on proactive IT projects rather than administrative type projects that come with compliance.  

Third Tip:   Apply Best Practice Methodologies
It is very expensive and time-consuming to attempt to develop managed IT processes from scratch.   And yet, many companies do just that.  Each department or even each team establishes its own way of doing business.  They build processes in reaction to the situations they encounter rather than stepping back and determining the best overall approach.  The result is an environment that is very difficult to manage and even harder to audit.

Over the last 60 years of developing applications, we have learned a great deal about how to rapidly create high quality applications.  Those lessons have been encapsulated in many of the existing and readily available IT best practices standards.  The top best practice frameworks stress automated, structured, repeatable processes within IT—the very thing the regulations demand. Six Sigma, COSO, COBIT, ITIL, and CMMI, to name a few, all strive to make software development and frequent service delivery true business processes that can be tracked, measured, and controlled. Although each standard has its own approach and objectives, they have many requirements in common.  In many cases, a single IT best practice standard will address compliance requirements for a number of different regulations and standards.

Many organizations are using regulatory compliance budgets to implement best practices - a boon for business efficiency and quality.  The regulations are giving companies permission to dedicate resources to acquiring the tools and expertise to address compliance and best practices and reduce costs.  This innovation frees up staff to focus on new solutions and software applications.  This makes IT more and more valuable to the business.  IT now has a rare opportunity to examine and improve internal processes for the benefit of all.

Fourth Tip:  Collaborate. Collaborate. Collaborate.
In order to meet the service levels required by most compliance standards, business users and IT staff must work closely throughout the change lifecycle.  Most new development methodologies recognize that requirements, priorities and business opportunities evolve rapidly during the change lifecycle.  It is essential to keep everyone in the loop to avoid rework and missed objectives, and to ensure that the entire organization is moving in the same direction.  Each team member needs visibility into anything that might affect their ability to achieve their objectives.  Management needs views that cross operational, business and development silos to perform investment and impact analysis.  There's no better way to save money than doing the right job, the right way, the first time.

To get centralized access to information, you will need to turn to specific technology that will put your entire IT and business teams on an automated process-driven system, so they are using the same workflow tools and processes, across the enterprise.  Coordination and synchronization will improve dramatically as everyone operates under a unified umbrella, reporting into the same system with information that can be viewed, tracked and shared.

Part of your central information database must be a repository for the programs, procedures, processes, ideas, designs, discussions, requirements, tasks, and other information to which team members need ready access.  All valuable intellectual property should be stored and secured within a repository, with access controlled and changes recorded, to prevent loss and unauthorized access. A consolidated inventory ensures synchronization between platforms, reduces management overhead, and defines a manageable and repeatable process.  This repository becomes a single place for auditors to go when they want to examine change history and controls.

By making the auditors' jobs easier, you will save time, money and headaches.

Fifth Tip: Develop Specific Compliance Reports/Templates
Work with your auditors to determine exactly what information they need to see and when they need it.  Because at this point you have a centralized repository of information and you have structured repeatable processes (if you have followed tips 1 through 4), you can pre-define reports and queries for the auditors.  These can simply be scheduled to run at the appropriate time or can be executed on demand.  Management can check compliance on an ongoing basis via dashboards or other customizable reports.

With IT and business users working together, you can establish the built-in, structured, repeatable, and auditable change processes and appropriate workflows for everyone involved. Ongoing compliance is simply a matter of using point and click procedures to maintain processes and populate and generate the necessary reports.
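The pre-defined auditor query described above, as an added example (not code from the article or from Aldon): it runs a fixed set of change-control checks over an exported change log and produces the exception report an auditor would ask for. The record schema (id, requester, approver, deployer, approved_at, deployed_at) and the specific controls checked (every change approved, approver distinct from requester, approval recorded before deployment, requester not deploying their own change) are assumptions for illustration; the sample records are constructed. In practice the records would be exported from the central repository and the script scheduled to run before each audit cycle.

```python
"""Exception report over a change-management log.

Added example, not the article's or Aldon's own code. Assumes a hypothetical
change record schema (id, requester, approver, deployer, approved_at,
deployed_at, timestamps in ISO 8601 UTC). The sample records are constructed.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample change log, standing in for an export from the
# central change repository.
SAMPLE_CHANGES: List[Dict[str, Optional[str]]] = [
    {"id": "CHG-1001", "requester": "alice", "approver": "bob",
     "deployer": "carol", "approved_at": "2019-03-01T09:00:00Z",
     "deployed_at": "2019-03-01T17:30:00Z"},
    # Self-approved: requester and approver are the same person.
    {"id": "CHG-1002", "requester": "dave", "approver": "dave",
     "deployer": "carol", "approved_at": "2019-03-02T10:00:00Z",
     "deployed_at": "2019-03-02T11:00:00Z"},
    # Deployed before the approval was recorded, by the requester.
    {"id": "CHG-1003", "requester": "alice", "approver": "bob",
     "deployer": "alice", "approved_at": "2019-03-03T15:00:00Z",
     "deployed_at": "2019-03-03T08:00:00Z"},
    # Never approved at all.
    {"id": "CHG-1004", "requester": "erin", "approver": None,
     "deployer": "carol", "approved_at": None,
     "deployed_at": "2019-03-04T12:00:00Z"},
    # Requester deploys their own change.
    {"id": "CHG-1005", "requester": "frank", "approver": "bob",
     "deployer": "frank", "approved_at": "2019-03-05T09:00:00Z",
     "deployed_at": "2019-03-05T10:00:00Z"},
]


def _parse(ts: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 UTC timestamp, or return None if absent."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_change(change: Dict[str, Optional[str]]) -> List[str]:
    """Return the list of control exceptions for one change record.

    The controls are assumed for this example: approval present,
    approver distinct from requester, approval before deployment, and
    requester not deploying their own change.
    """
    findings: List[str] = []
    approved = _parse(change.get("approved_at"))
    deployed = _parse(change.get("deployed_at"))
    if change.get("approver") is None or approved is None:
        findings.append("missing approval")
    elif change["approver"] == change["requester"]:
        findings.append("self-approved")
    if approved is not None and deployed is not None and deployed < approved:
        findings.append("deployed before approval")
    if change.get("deployer") is not None and change["deployer"] == change["requester"]:
        findings.append("requester deployed own change")
    return findings


def audit_report(changes: List[Dict[str, Optional[str]]]) -> Dict[str, object]:
    """Summarise a change log as a pre-defined auditor query would."""
    exceptions: Dict[str, List[str]] = {}
    for change in changes:
        findings = check_change(change)
        if findings:
            exceptions[change["id"]] = findings
    return {
        "total": len(changes),
        "clean": len(changes) - len(exceptions),
        "exceptions": exceptions,
    }


def format_report(report: Dict[str, object]) -> str:
    """Render the summary as the plain-text report handed to the auditor."""
    lines = [f"Changes reviewed: {report['total']}",
             f"Without exceptions: {report['clean']}"]
    for change_id, findings in sorted(report["exceptions"].items()):
        lines.append(f"  {change_id}: {', '.join(findings)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_report(SAMPLE_CHANGES)))
```

Because the checks are fixed code rather than a manual review, the same query can be run on demand or on a schedule, and the report is identical no matter who runs it, which is the point of tips 2 and 5.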

Sixth Tip:  Bring on New Technology 
Spend a little to save a lot.  Too often, like the cobbler's children who are the last to get new shoes, IT is the last place to get the benefits of the kind of value technology can produce.  Just as technology can help the business serve its customers, technology can help IT serve its end users.  Using technology to implement the five tips outlined above can significantly enhance the productivity and morale of IT organizations while at the same time meeting the compliance objectives of the company.  There are a variety of technologies and approaches to consider.  Application Lifecycle Management (ALM) solutions, service desk software, project management and asset management programs provide the basic infrastructure necessary.  

A strong software compliance solution should: 
•    Establish repeatable, automated compliance and change processes
•    Link change lifecycle workflow to best practice methodologies
•    Include compliance-related report templates supporting the relevant standards
•    Create centralized management and visibility of IT assets, with progress reporting for auditing and performance improvement
•    Provide a collaborative communication infrastructure that ensures IT services and software initiatives support overall business goals
•    Reduce IT costs by ensuring project teams build the application correctly the first time around
•    Enable communication between stakeholders about all changes in projects, and ensure appropriate notification, reviews and approvals
•    Provide a secure, visible repository of all application artifacts

Most organizations are aware of their compliance requirements and have taken steps to meet them.  Now is the time to implement automated systems and centralized information repositories that reduce the administrative burden created by compliance efforts.  Doing so will allow IT and business users to focus on the important job of moving the business forward.

There you have it.

Daniel Magid
Chief Technology Strategist
Daniel Magid is chief technology strategist for Aldon and a recognized authority on helping leading organizations achieve compliance through application lifecycle management (ALM) solutions.  He has written a variety of articles for leading IT publications and is a regular speaker at technology conferences.  With Magid's guidance for over two decades, Aldon has received broad industry recognition as the clear leader in process-driven change management.


© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY