Compliance is a front-of-mind issue for business today. Much of the attention, at least in large companies, is rightly on Sarbanes-Oxley. It is costly and carries severe legal implications.
But compliance takes many forms. Another front-of-mind compliance issue is privacy, which has taken on new prominence after several highly publicized privacy breaches. Are companies in denial, or do they just not care?
Yet another form of compliance relates to eligibility for a product or service. Many programs in governments, non-governmental organizations (NGOs) and, in the case of outsourced or privatized government programs, the private sector are only available to people who meet eligibility requirements.
Much of this is driven by IT-enabled transformation of programs to provide citizen-centric services, to integrate programs where appropriate, to reduce waste and improve efficiency and to detect fraud. In some of these cases, there is a fine line between efficiency and an invasion of privacy. In Canada, one of these cases went all the way to the Supreme Court of Canada and the program was upheld as legal, which brings us back to privacy and compliance in general.
IT is called upon to build, implement or integrate robust information systems in such a manner that all transactions are captured and these transactions cannot be modified without adequate controls to ensure that they are accurate. To ensure these processes have rigour, business rules must be implemented in the system.
Moreover, we need to ensure that robust IT operations processes are in place. We call these processes by names such as change control, configuration management and patch management. Although many might not think of them that way, these are IT governance processes that support the business in compliance with the applicable regulatory mechanisms.
A lot is at stake for companies. But a lot is also at stake for the IT profession. If we cannot deliver the reliable, robust systems and processes that are required, we are at risk. To meet this challenge, we need a commonly accepted accountability framework for IT practitioners.