Compliance Issues - Year one vs. year two
June 15, 2005
Database Journal caught up with Dr. Murray Mazer, co-founder of Lumigent Technologies and frequent speaker on compliance issues. Here is what Dr. Mazer has to say about compliance, where it is going and how it will affect both industry and individuals.
DBJ: What are the current trends in compliance?
People have been trying to get their head around all of the different regulations that affect how they operate their business and what level of accountability they will be held to. Part of the challenge is translating the regulation into what it means for the internal controls for the business itself.
The second trend is the difference in how businesses respond to regulations between year one and year two and beyond.
In year one, people spent almost all of their time documenting what they already had and trying to get their head around what they needed to do to be compliant with the regulation. They ended up doing a lot of ad hoc processes, a lot of fire drills and they typically underestimated the cost, the effort and scope, of what was required. The hope is that in year two, they can take the lessons of year one and improve their processes and controls and build a sustainable compliance model going forward. Year two and beyond is an opportunity to create a sustainable, cost effective process that you can maintain on an ongoing basis.
The third trend is that people are finding it very difficult to quantify the costs and benefits of compliance.
The challenge for people is they have to adopt compliance without understanding upfront what the costs are going to be or what the benefits are going to be and so it is not solely a problem for any individual corporation, it is a problem for everybody involved, whether it is the regulators, the companies that are regulated or the legislators. None of them can really assess the costs or benefits yet because it is just too early to understand what the costs are and what the benefits will turn out to be.
The fourth thing that I would talk about as a trend or as a key issue is
The second essential benefit of automation is that fraud does not occur on a schedule so automation allows you to do more effective, continuous monitoring. Automation offers faster problem detection and a faster remediation process
The final point is that automation allows you to reduce the amount of testing that an external auditor has to do on your controls because they trust automated controls more than they trust manual controls. Therefore, by reducing the amount of effort the external auditor has to do, you have reduced the cost of the audit
DBJ: What direction do you see these trends taking in the future
DBJ: How do the emerging financial and technology risks affect IT executives?
DBJ: How will data auditing provide a solution for the next wave of compliance
Another risk is somebody not being permitted to continue to pursue their business plan or business objectives. We see examples where a lack of proper controls has caused the regulators to prevent a business from doing mergers and acquisitions for a period of time, until problems are fixed.
We see other examples of personal risk to the executives involved. For example, if financial reports are based on fallacious data, and the CEO has attested to that data, he can face personal liability, fines or jail time. So, the cost, the risks to the company and individuals are varied, but at the end of the day it all has to do with are you properly managing who is doing what to the data, when.
All of these regulations, all of the compliance requirements are about data, so the question is what is database auditing and how does it relate to what we're talking about. The answer is pretty straightforward. Data auditing is the ability to continuously monitor, record, analyze and report on database activity. In other words, being able to answer the question 'Who did what to which data, when and how'. If you can answer that question, you can be responsive to these requirements and compliance, and if you cannot answer these questions, you are just putting your organization at a greater risk.
DBJ: Will you share some best practices with us, as far as data auditing is
The other top-level goals are having a solution or technology, which is flexible to evolving requirements and evolving organizations. Adopting a solution that is flexible as those requirement changes is important. You do not want to have a solution that is specific to a particular regulation because the solution for that specific regulation is not going to necessarily help you with all the other regulations you have to deal with. Organizations change, we see a lot of mergers and acquisitions occurring, and being able to take a new organization and apply the same technology and the same processes as the organization evolves is a critical issue.
Having a single framework, a single approach, which can help deal with the diversity of regulations and infrastructure, is a key.
Another key is having a solution that helps you be proactive in your compliance activities--a solution that automates the creation of a continuous audit trail, and provides alerting and allows you to do forensics.
Finally, having a trusted, evidentiary trail that can be relied upon to help investigate fraud and help pursue whoever carried out the fraud, is also critical in terms of a best practice.
DBJ: Would you give me a brief overview of how Entegra addresses regulatory
rules and mitigates risk associated with the access and use of corporate data
Entegra provides rich reporting capabilities, so you can have high level, detailed, and other kinds of reports, on the database activity. It provides alerting so that you can respond quickly to potentially exceptional activity. It is flexible so that as your requirements change, you can change what is being audited easily and leave your existing system in place. It minimizes the impact on the infrastructure, it is easy to deploy, non-disruptive to existing operations, and provides end to end functionality from deploying, to maintaining, to collecting activity information, consolidating it from multiple databases into a single repository, reporting analysis and so on.
Dr. Mazer will lead discussions on compliance trends at RFG's thought
leadership summit in
New York on June 15 and 16.