
Compliance Can Improve Company Performance

By Melanie Warner

Government regulation, such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA), presents new and interesting challenges for the majority of America's corporations. The cost of failing to meet compliance requirements can be severe -- in the case of Sarbanes-Oxley, for example, it could even mean jail time for executives. Yet these regulations also offer something of a golden opportunity for CIOs to improve their IT systems in a way that will reward the entire company. Most CEOs and corporate executives view compliance purely as an additional cost to doing business. But there are also potential benefits to those who are willing to seize the opportunity.

It is true that regulation can cause significant problems for a company that fails to meet its compliance requirements. That said, it is also true that CIOs can see these challenges as an opportunity to take ownership and propose innovative and strategic solutions that will not only address the compliance issue but also improve data management and integrity throughout the enterprise.

Take Sarbanes-Oxley, which every public company over $75 million in market cap must adhere to by November 15, 2004. Sections 404 and 302 of the law require that a company's executives maintain internal controls over financial reporting, that they make periodic assessments of those controls and that they personally testify to the accuracy of all quarterly and annual financial statements. To make these statements as accurate and easy as possible for internal and third-party groups to audit, companies must have a clear and traceable link between original data -- such as a sales order -- and the final numbers reported to the Securities & Exchange Commission.

This is fundamentally an IT problem. Finance executives oversee the organization and management of financial data, but it is software that does the essential job of shuttling this information amongst employees, customers, and suppliers. Using automated or integrated systems that create greater efficiency within this data chain will not only help satisfy compliance requirements, but also create a more efficient organization.

CIOs, however, must play an active role in not only deciding how "Sarbox" controls will be established and implemented, but also in educating other executives on how relevant IT can benefit the entire company. In many companies, this is not an easy undertaking. Too often, IT is left out of the decision-making process. A recent study by research company Hackett Group found that just 12 of 22 companies surveyed had IT representation on their Sarbox steering committees. And when Gartner surveyed 75 public companies last fall, just 63 percent said IT was involved in Sarbox planning.

Good IT investment can reduce the need for increasingly expensive audits, shorten the company's monthly close of the books, increase management transparency into financial accounting, and enable executives to respond faster to the demanding audit committees that are now a business reality. When it comes to taking ownership of compliance, educating top executives on these ancillary IT benefits is one of the most important jobs of the CIO.

The key to laying out an effective strategy to deal with Sarbox or any other government regulation lies in taking an ambitious high-level, enterprise-wide approach. It isn't enough to attempt to squeeze compliance requirements out of cobbled-together solutions. IT executives must shift their perspective from individual business units to the company's long-range needs and goals.

Several companies in the healthcare sector have already started using HIPAA requirements as an impetus to bring a greater degree of automation and security into their enterprises. Insurance company Humana in Louisville has started encrypting all patient information it sends outside the organization. When thinking about how to meet HIPAA's Security Rule, which will start being enforced on April 21, 2005, Humana's IT team envisioned the issue as broadly as possible, thinking about how technology could protect the company from all possible security breaches.

Government regulation invariably dictates what companies must do, but leaves it up to them to figure out how. For the CIO to play a role in constructing smart solutions, it is critical to persuade other stakeholders within the company that IT is an integral part of compliance and that the intelligent investment in it will pay enormous dividends for the enterprise as a whole.

Melanie Warner writes for The New York Times.

Fast Fact

"12 of 22 companies surveyed had IT representation on their Sarbanes-Oxley steering committees."

--Hackett Group