Stan Lepeak, VP for META Group, had some compelling insights regarding regulatory compliance in a session at the META conference titled: "Compliance, Law, and Disorder." Although, as he explains, "IT isn’t mentioned in [Sarbanes-Oxley] anywhere, IT plays a pivotal role in there. It’s a concept-based list of regulations… There is no list of what you should do. There is a list of what you should have as output, but no way to tell you how to get there."
Mr. Lepeak lists eight areas that compose the "compliance landscape": Sarbanes-Oxley (SOX), which oversees fiscal accountability for public companies; the Gramm-Leach-Bliley Act (GLBA), which concerns privacy of financial information; SEC Rules 17a-3 and 17a-4, involving the retention of records related to securities and transactions; HIPAA, or the Health Insurance Portability and Accountability Act, which addresses the right to carry insurance between jobs and preserves the privacy of patient information; Basel II, covering the capital assessment and reporting standards for global banking; the USA Patriot Act, which touches on customer documentation (and library records!); DoD 5015.2 and UK Pro, addressing federal standards of records management; and NASD 3110, which regulates written policies and procedures for review of correspondence with the public. (Whew! It's enough to make a business person consider moving operations to Antarctica.)
Slightly more than a fifth of managers and executives surveyed by META said that they're more likely to outsource IT as a result of SOX compliance (only slightly more than those who reported it would make their organizations less likely to outsource). Yet, even if the IT service is outsourced, the executives of the audited company will still be held responsible for audit results: SOX doesn't differentiate between insourced and outsourced processes. Of course, as Mr. Lepeak explains, nobody knows how companies will be held accountable, since the auditing hasn't really started yet. "Even when the clarification comes, it’s not going to be, you have to do a-b-c… It’s very much open to interpretation: 'Go out and do it, but we’re not going to tell you how to do it.'"
If you're using offshore services, be wary. As Mr. Lepeak points out, "How can you ensure that privacy and adequate controls are in place? How can you ensure that wherever those bits and bytes land, the controls are in place? In many countries there is no reason to adhere to these regulations. They’re primarily US or European regulations."
Another area of concern: Companies are more accustomed to managing "pencils" than services, as Mr. Lepeak states. If you look at the maturity of most organizations in getting a handle on their IT services management, in your gut, you know this must be true. Most IT organizations operate at a level just slightly above chaotic.
One clue to you that the service provider you're working with isn't compliance-savvy: They refuse to go through an audit of their own.
In the future, I'll post an interview I did with Mr. Lepeak during the conference, in which he offers specific advice for public companies with compliance concerns that need to choose a service provider.