The Tao of Compliance: Unifying Controls over Chaos

Auditors are camped at the corporate gate, business managers are beating on your door, and the executive board is concerned about your compliance spending. How can IT compliance managers keep regulators, business units, auditors, and corporate bean counters happy? Standardize, simplify, and, above all, unify.

The strategy for employing the army is not to rely on their not coming, but to depend on us having the means to await them. Do not rely on them not attacking, but depend on us having an unassailable position.

Sun-Tzu, The Art of War


Gone are the days when you can hope that auditors won’t come a-knocking. Because of Sarbanes-Oxley (SOX) and other sweeping regulations, auditors have a permanent seat at the executive table—alongside the divisional managers, who want to know when you’re going to get to their projects, and the CFO, who wants to know where all of the IT dollars are going.

Of all the burdens on IT, compliance has moved to the forefront recently—and it won't go away. But neither does it remove the many other complex needs of the enterprise. IT leaders must find a way to integrate compliance into the panoply of corporate needs. Simplification, alignment, and unification of heterogeneous standards and requirements are the keys.

Anticipating Chaos and Corporate Inquisitions

Companies do not seek chaos; nor are they led astray by greed, ineptitude, or stupidity. Chaos is simply the consequence of forces and conditions that segregate and diversify complex compliance efforts over time and across the distributed organization.

Choices—which standard to follow, which control to implement, which priority to choose—can all lead to IT diversification. And, as if that weren't enough, regulatory creation, definition, and clarification never cease.

On the other hand, SOX audits, periodic budget reviews, and other regulatory filing deadlines all recur with adamant regularity. External auditors come around at least once a year—if not quarterly—to sample transactions, query staff, and scrutinize reports. And budget committees can be similarly exacting and persistent.

The challenge is daunting: how can IT compliance managers maintain compliance norms in a highly variable environment? One answer is to cultivate a unified compliance environment that encompasses the challenges you know and anticipates the challenges you don't.

In broad strokes, unifying the IT compliance environment should begin with a survey of the compliance landscape, focus heavily on standardization and unification of control objectives, and provide the latitude to bring new control objectives and deviant initiatives into alignment as they arise.

Elements of Unification

Identifying opportunities to standardize and unify compliance efforts offers tactical and strategic benefits. The specifics of any company's compliance environment will vary by business, market, and industry; however, broad-stroke alignment occurs across:

  • Zones of IT compliance responsibility
  • Regulatory guidance for IT controls
  • Business requirements for IT controls
  • Available frameworks and standards for IT controls

Most unnecessary compliance spending occurs in the overlap of controls within these areas—for example, redundant development of technical security controls for SOX, HIPAA, Gramm-Leach-Bliley (GLB), and payment-card processing systems. Each identified overlap is an opportunity to apply a single control across multiple requirements.

Tying control unification to one or more available control frameworks, such as ISO 17799, CobiT, the new Payment Card Processing standard, and HIPAA standards, allows companies to tap into established best practices and streamline internally defined controls. Since recent PCAOB guidance encourages SOX auditors to recognize that high-level controls can establish the validity of contributing controls, using the hierarchical design of established IT frameworks could also significantly streamline the auditing process. Moreover, because frameworks such as CobiT and ISO 17799 offer recommendations beyond a company's defined needs, they essentially comprise a reservoir of controls that compliance managers can tap as the need arises.

The benefits of unification are potentially enterprise-wide. They include less redundant development, standardized measurement and reporting, and shorter implementation times. Unification efforts that incorporate business requirements for controls (payment-card processing standards, for example) can also indicate ways to bundle unfunded business projects into compliance efforts, without significantly increasing total project cost. At the corporate level, unification draws executive attention to high-level IT oversight, which can earn IT compliance leaders a larger role in strategic planning.

Finally, unification offers tangible cost savings. According to a May 2004 report by industry analyst Gartner, Inc., public companies adopting a compliance management architecture will spend up to 50 percent less on compliance by 2006 than companies without one. This could translate to millions of dollars for both accelerated and non-accelerated filers.

Pre-fab Paths to Enlightenment

Currently, unification efforts are in the works at several organizations, including the Information Systems Audit and Control Association (ISACA), the Information Systems Security Association (ISSA), and the Workgroup for Electronic Data Interchange (WEDI). Most of these projects address a specific area of compliance, such as security or health information protection.

Companies shouldn't have to choose between compliance imperatives and business goals. Standardizing and simplifying IT frameworks and unifying compliance goals at the control level reduces the likelihood that they'll have to.

Cass Brewer manages T2P and was formerly research director for the IT Compliance Institute. Email her at cbrewer(at)

This article originally appeared at Copyright 2008, 1105 Media Inc. Reprinted with permission.
