Sarbanes-Oxley and Maintaining Compliance



When Sarbanes-Oxley (SOX) was introduced to companies around the country in 2002, the big challenge was getting compliant. Many survived the initial rounds and got their various control processes updated, implemented, and documented. Now the real challenge is how to maintain compliance and improve upon it. Today's business environment presents challenges and constraints to the compliance process:

* Technology and business boundaries are constantly changing and expanding.
* New technology brings new risks and new processes, and thus new compliance issues.
* Businesses still need flexibility to remain competitive. Rigid control processes can hinder flexibility and thus hurt a business's ability to operate effectively.

Without a defined process for maintaining and keeping controls up to date, you will find that many of your controls will soon be out of compliance due to normal changes in your business and IT environments.

As change is constant, you should have a process for continuous improvement of your controls and compliance efforts. Having a defined and documented improvement process will show good due diligence to your auditors. Here are some steps and suggestions on how to keep up with changes and ensure your compliance efforts don't get lost in the daily change shuffle.

1. Monitor new or potential legislation and regulatory pronouncements. New legislation and regulatory rules are always in the works for information security, privacy, and other related business controls. Some are refinements of, or new interpretations of, existing laws. Here are some tips for keeping up with regulations:

a. Identify and subscribe to services that monitor and alert you to new and upcoming regulatory rulings for your specific industry.
b. Inventory current and upcoming (potential) regulations.
c. Include local, state, federal, and international governing bodies in your research.
d. Identify upcoming or potential new laws, and determine their potential impact and risk to your organization.
e. Keep business management, the Compliance Officer, and Legal Counsel updated on new legislation.

2. Define requirements for meeting new compliance obligations. For new legislation or regulatory requirements, you will need to analyze and determine the steps needed to bring your organization into compliance. Here are a few steps to follow:

a. Perform a risk assessment and gap analysis, if not already done.
b. Get business management involved.
c. Identify the business and IT processes affected.
d. Define business requirements.
e. Create or update policies that support the new or changed compliance needs.
f. Define technical and system requirements.
g. Implement the changes.

3. Integrate with change control processes. Make use of your change control process to help ensure controls and compliance are maintained over time. Modify your change management practices to include a check and verification of controls and compliance requirements. Any change to an application or system should include a review and update of the related control processes before being allowed into production. Control processes, like other system functions, should be tested. The Information Security Officer or the appropriate IT compliance manager should sign off on all changes to confirm that controls were properly addressed and updated and still meet regulatory requirements. Also, for SOX-related applications, changes should be scheduled and timed so as not to interfere with quarter-end or year-end audit testing of controls. If new controls are implemented too close to year-end, auditors may not be able to test the effectiveness of the control, creating issues in their audit findings.

4. Integrate with the project management process. Modify your project management methodology to include meeting regulatory requirements as a deliverable success factor for each project. This will help ensure all new systems and applications meet regulatory requirements. When defining business and technical requirements for a new system, include identifying and defining the regulatory and control requirements. These should be considered up front and integrated into the system requirements and functions. The controls should be tested along with the other functional and system testing. The final approval to move a system into production should include a review and approval of the control processes. If you can, get your Internal Auditor to review the controls design for new systems during design and before implementation. If there are issues, you can resolve them at less cost than having to redo something after the system goes into production and creates an out-of-compliance issue.


About the Author

Stephen J. Richards has 25 years of experience in Data Management and Information Technology. This information is provided as a public service by Neon Enterprise Software, a leading provider of IMS outsourcing. For more information, please visit http://www.neonesoft.com.

