Compliance as Byproducts of Good Practices
What is all the griping about? You hear it from CIOs, Ron Paul, technology people, managers... Compliance is a burden: all this documentation, all these processes; how can we keep up and make a profit, how can we compete? Every time I have ever been involved with an audit, it seems as if someone is always asking me to print something to prove we did something, or that we didn’t, or looking for some document they never gave me time to write in the first place. Every audit is seen as its own quest of rules and special information requirements: will this pass SAS 70? Is this SOX compliant?
The time has finally arrived where IT is becoming more like a profession akin to accounting. The two are certainly linked, and it only makes sense. Just about anything that happens in a company can be traced electronically. With SOX, and especially the newly revised Rules of Civil Procedure, information transactions are finally being given the weight they have always intrinsically had. Imagine for a second an accountant trying to convince an IRS auditor that it was too hard to keep track of everything the company purchased with last year’s budget. That’s not your business; this is a free market, leave us alone, how we spend our money is our concern, BUTT OUT! Incidentally, Ron Paul argued in favor of this position in his April 2005 statement to the House of Representatives. This is exactly what the compliance detractors are doing right now: it’s too hard, BUTT OUT!
Mind if I BUTT IN? My support of compliance does not come from any deep-down desire or love of more government regulation (that would be downright strange). I support the movement toward more transparency because it forces companies to run their information technology processes the way they should always have been run. It also forces upper management to actually face the decisions they cram down on IT departments. Instead of making an unrealistic request, disappearing, and getting mad when it doesn’t appear a few months later, they are forced to sit down, plan, budget, understand (at least at a high level) what it is they are asking for and how they are going to achieve it, and finally sign off on it.
In the long run (and probably not so long), companies that are “burdened” by these compliance standards will ultimately enjoy a competitive advantage over the companies Ron Paul mentioned in his 2005 argument, which de-listed from public exchanges because they didn’t want this transparency. As a programmer, before and after the push to standards, the most significant changes I have seen are better planning, better documentation, a surge in training to grasp industry-recommended practices such as source and revision control, and some actual control on the amount of ridiculous “do this now” requests that, over time, render a system an unsupportable, unreliable production nightmare. Now if you tell me to break something, you have to sign off on it, and I am glad.
Compliance should not be the focus, but the byproduct of good IT practices. Knowing who has access to a system, what the system does, and what changes have been made, when and why, should not be seen as a burden any more than keeping good financial accounting records is. In a similar manner, looking at the utilization of money in an organization helps a company determine how to allocate resources to maximize financial profit. IT systems should be seen in exactly the same way, and keeping good records should not be scary, but a way to succeed. Compliance may be the catalyst, but the outcome is a more controlled environment: an environment that is cheaper to run, and one that can be leveraged to accommodate new opportunities because it is more readily understood. Just about every recommendation put forth by COBIT can be linked with a byproduct of a long-existing best practice. Difficulty implementing these recommendations is most often the byproduct of not following these best practices. So the burden really lies in adopting best practices. Passing audits and adhering to compliance regulations should be nothing more than collecting and presenting information acquired while following good, common-sense IT practices.
So I think the complaining about adopting better practices is like a child crying because his mother has asked him to pick up his toys. The more of a mess he has made, the more he will cry, as there is more work for him to do. It’s understandable that the child made a mess; after all, he was just playing. But now it’s time to clean up, and in the process, grow up a little.
Thursday, July 3, 2008