Canadian CIOs say their efforts to bring IT systems into compliance with government regulations have made them far less efficient and have brought little value other than being able to say “no” to senior executives more often.A study released from Toronto-based consulting firm PricewaterhouseCoopers recently said regulatory compliance projects were driving at least 40 per cent of the IT governance initiatives mandated by their organizations. Of the 37 CIOs included in the paper, however, only two were measuring the hard benefits of such initiatives, PwC said.
The study is backed up by comments made during a roundtable moderated by PwC earlier this year in Calgary. Featuring CIOs from TransCanada Pipelines, the City of Calgary and Trimac Transportation, among others, a document with excerpts from the roundtable released to Computing Canada includes a litany of complaints from senior IT executives. Though the comments in the roundtable excerpts were not attributed to CIOs by name, they all expressed frustration over what compliance pressures have brought to their workload.
“Warning . . . auditors don’t’ get it, and if you’re not careful they’ll impose controls that make no sense,” said one CIO. “It’s crazy what they’re asking us to do.”
Another CIO predicted a long-term fallout from compliance work: “It will take several years to recover from the efficiency hit of having externalities imposed on us.”
While accounting scandals at Enron and Nortel precipitated regulations such as the U.S. Sarbanes-Oxley Act (SOX) and Canada’s Bill 198, one CIO doubted compliance was making much difference. “One controller said even if Enron was SOX compliant, its meltdown would have still happened.”
Denis Kalma, vice-president of IT at Calgary-based industrial waste management firm NewAlta, was among the roundtable participants. He told Computing Canada NewAlta went live on SAP on Jan. 2 in part because the software would meet its compliance objectives.
“The energy and effort to meet all the documentation, the separation of duties, all those kinds of things, they take cost and time,” he said. “There’s an IT constraint. (Auditors) can rarely come back and give you specific guidance.”
Tony Balasubramanian, a vice-president with PwC’s IT Advisory Practice, maintained that compliance legislation is a valuable part of IT governance because it creates more transparency. The problems is some enterprises try to adopt a framework such as Controls Objectives for Information and Related Technology (COBIT) to the letter, rather than using it as a guideline.
“What’s important is you’re operating your IT function in a controlled enough fashion that you’re not going to have misinformation coming out of the IT systems,” he said.
Celso Mello, CIO at Mississauga, Ont.-based Chubb Security North America, said his firm became SOX compliant after being acquired by a U.S. conglomerate. “Once you understand where they’re coming from, some of those controls they’re making you implement, they play in your favour,” he said. “You have very formal processes in place, which means when users come in and want something done right away, you can tell them you can’t do that, because you don’t have the documentation.”
Kalma agreed that compliance offered a way to push back. “We used to have no leg to stand on. We’d say, ‘It’s not a good idea.’ They’d say, ‘Do it or else.’ We now have some leverage to get that same good practice going on their side.”