Companies given compliance guidelines

Chief information and financial officers must work closely together, says analyst

Organisations must appoint an IT compliance manager and ensure that the chief information officer (CIO) is part of the firm’s compliance council to best deal with the requirements of Sarbanes-Oxley (SOX), according to analyst Gartner.

A report from the analyst details best practice advice for IT departments trying to comply with the regulations.

The report also recommends that technology be used to automate processes, and suggests that the CIO work closely with the firm’s chief financial officer, general counsel and corporate compliance officer within a corporate compliance council.

At the very least, the CIO and IT compliance manager should track regulatory developments, establish their impact on the firm and evaluate the role of IT in mitigating that impact, says Gartner.

Its recommendations for the IT department include:
* Adopting a framework of corporate governance principles
* Establishing a compliance or governance council
* Identifying and using IT solutions to automate process controls where possible
* Designating an IT compliance manager
* Using peer-reviewed, publicly available internal control frameworks to improve corporate and IT governance
* Setting up a ‘weather bureau’ for regulatory compliance
* Managing compliance as a programme, not a project
* Using a logical compliance architecture to reduce the number of controls and cut cost.

Laurie Stephens, head of consulting firm Capgemini’s regulatory compliance business, says SOX is seen as the gold standard for compliance at many firms.

‘Some are even adopting its principles voluntarily to demonstrate their openness and accountability to the market,’ he said.

One example is brewer SABMiller, which aims to become ‘materially compliant’ with SOX in light of its substantial dealings in the US, even though it is only listed in the UK.