Compliance Programs: 31 Flavors of Compliance
Ingredients Change but the Fundamentals Remain True
By Jason Rohlf
I realize what I’m about to say is controversial, but it must be said: I love ice cream. OK, maybe it’s not so controversial, but in this case it’s the perfect conversation starter. I remember heading to Baskin Robbins as a kid to get my hands on a cone when the inevitable would happen: my brain would lock up at the sight of those 31 flavors all laid out before me. Even though I was able to quickly eliminate the flavors that I never enjoyed (I’m looking at you, every flavor of sherbet), I would still find myself overwhelmed by the task of picking the perfect flavor to fit my mood.
Throughout my professional career, I’ve been involved in a different sort of mental dilemma. Starting with my internal audit days and continuing through my current role in software, I have been intimately involved with the world of controls and compliance. No matter the company’s size, industry or culture, internal controls were as pervasive as the air we breathed. And working in an assurance function, I became hypersensitive to the presence (or absence) of controls, as I understood their importance to ensuring the success of the business and was responsible for making sure they were operating as expected.
As I gained a deeper understanding of controls and why they exist, I became more aware of the people involved—specifically, those who were responsible for managing and tracking the performance of controls in the context of the various purposes they served. For these individuals, it wasn’t just about performing a control; they were expected to place that control into a broader context and demonstrate how that individual activity ensured that the organization was meeting its very significant obligations. This awareness became even more pronounced when I started to understand just how many different regulations were hanging over the head of every organization.
I think this concept really hit home for me back in 2002 when the Sarbanes-Oxley Act became a reality. I remember it quite clearly. I was working for an Internal Audit consulting firm and we were contracted by a number of companies whose only instructions were, “help us comply with SOX.” Given that nobody knew exactly what that meant, we were forced to take the approach of documenting anything and everything as a control, testing the holy heck out of it and hoping that the external auditors were in a good mood when issuing their opinion on the effectiveness of internal controls. And back in those days, we didn’t even consider whether the controls we had just tested served any other purpose, so single-minded was our task of demonstrating SOX compliance.
In the years since, I have come to appreciate the fact that it’s not so much about the individual controls themselves, but the broader system of controls. I learned about the various guidelines and best-practice frameworks that existed for the purpose of helping organizations better categorize, prioritize and manage their controls. Compliance pundits released guidance on the proper methods for mapping controls to authoritative sources. Frameworks were refined and re-released, then refined once again. Soon the catchphrase “Ask Once, Answer Many” entered our lexicon, setting the expectation that all you need to do is document your controls and map them to a standard and POOF, you now have an integrated, efficient and effective compliance program!
If only it were that simple. I doubt I’d speak with so many people who are still struggling to manage their compliance programs if it were. Regardless of how far we’ve come and how much we’ve learned, there are still a multitude of organizations and countless professionals who are struggling to do their best work. Competing priorities, ambiguous goals, overwhelming requirements (GDPR, SOX, ISO, HIPAA, PCI, etc.), and inefficient or inadequate systems all get in the way of their goal. And what is that goal? Building a clear, predictable and reliable system of internal controls that allows them to demonstrate alignment with the myriad drivers that prompted them to implement controls in the first place.
Thankfully help is available for those who want it. There are many folks out there who have already taken steps to mature their compliance programs, align their controls with the objectives and drivers that prompted their creation, and actively manage and monitor the overall effectiveness of their programs. There are content providers who have focused on defining common criteria for a wide array of regulatory and best practice frameworks, with a focus on making management of control environments more efficient and wide reaching. And there are software providers who bring it all together for you in a system that’s intuitive and reliable.
These common supports remain in place, even as regulations and best practices evolve. Remember this as you stand at the metaphorical “ice cream counter of compliance.” The sheer variety and complexity of requirements can be overwhelming, but the core people, processes and technologies you engage to understand and address those requirements remain largely the same.
More to come on this topic. I hope you’ll stay tuned.