The potential downside of compliance errors has struck fear into CFOs, CEOs, and now CIOs, so it is no surprise that virtually every software vendor has added a compliance spin to its message. As we approach the 30th anniversary of the Pet Rock phenomenon, caution is in order for those tempted to buy based on packaging rather than functionality. Four simple principles should guide your decisions:
- Improved processes for governance, security and privacy can meet many compliance requirements. Nothing beats software for process monitoring, management and reporting, so a complete solution will be software-aided if not software-centric.
- No application is a substitute for vigilance. Software should be part of the solution, but human processes are critical. Beware of IT solutions that promise too much.
- Everything that can be audited should be audited. Well, that might not be strictly true, but it is likely to be the position of your auditors, who tend to be a conservative bunch. Our position is that all data used to manage your business should be created and managed by processes - including the software and people involved - that can be audited if desired. Tools are available to audit databases, and enterprise applications now offer auditing features, so this should be a requirement for all new systems.
- The basic rules for vendor due diligence have not changed with the advent of compliance requirements. Exercise caution when dealing with new vendors, but don't rule them out based solely on size or longevity. Partial solutions for compliance problems are coming from established players and upstarts, and neither has a monopoly on innovation. Stick to the fundamentals when evaluating technical merit and business viability. The new requirement is to involve the appropriate domain experts from finance and legal when the regulations make their inclusion in the review process appropriate.
This was first published in April 2005