mountainview

information technology service management

World-wide Accredited Training, Courseware and Consultancy

ITIL ISO/IEC 20000 27000 38500 9000 COBIT TOGAF PMBoK PRINCE2 6 Sigma PDCA CMMI BSC


Proud sponsor of itSMF USA.

www.itsmfusa.org


Regulatory Compliance

Many public companies are required to comply with regulations that govern and control their industry. For example, an HMO in the healthcare industry must comply with the regulations specified by HIPAA to ensure that health records are protected and secured and that access is authorized.

Another example is Sarbanes-Oxley (SOX): the accuracy and timeliness of financial reporting rely heavily on a well-controlled IT environment. The Sarbanes-Oxley Act was enacted by Congress in 2002. Essentially, the Sarbanes-Oxley Act establishes new standards for corporate accountability by requiring companies to assess and report the effectiveness of control procedures for financial reporting. CxOs must certify and provide quarterly and annual reports to the SEC. Management must accept responsibility for the effectiveness of its internal controls, evaluate the effectiveness using suitable control criteria, and support this evaluation with sufficient evidence (such as records to validate the intent). Internal and external auditors are then required to verify and attest to these controls.

This places an unexpected burden on IT organizations because it represents a drastic shift in what they are now required to provide. Since the accuracy and timeliness of financial reporting depend on a well-planned and well-controlled IT environment, IT organizations must provide not only various forms of control documentation (manuals, flowcharts, memoranda, etc.), but also documentation about the effectiveness of those controls.

Many organizations simply don’t have mature IT processes in place to hold IT accountable. IT service providers are relying on ISO 20000, ITIL, ISO 27000, and COBIT to assist them in attaining regulatory compliance through IT governance. According to the COSO Enterprise Risk Management method, achieving internal controls requires the following:

  • Internal Environment
  • Setting Objectives
  • Event Identification
  • Risk Assessment
  • Risk Responses
  • Control Activities
  • Information and Communication
  • Monitoring

Accordingly, Internal Control is a mandatory requirement for regulatory compliance [SOX, Bill 198, HIPAA, Basel II, GAAP, GAMP, ...]. Since IT is an integral part of the business, internal and external auditors will require that the IT organization demonstrate its internal controls. But many IT organizations don’t yet have these internal controls in place. A company must first ask itself whether it is in control of the IT services required for business operations. If the answer is no, the next step is to use ISO 20000, ISO 27000, and COBIT to enable internal IT controls.

Rapid ITSM enables this internal control by providing documented evidence to auditors. Rapid ITSM is a non-proprietary open system that anyone can use without extensive training.

Contact us for a webinar so we can demonstrate Rapid ITSM to you: no vapour-ware or smoke and mirrors, just the facts.

Mountainview Inc.

Copyright © 1992-2011

 

ITIL ® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office

The Swirl logo™ is a Trade Mark of the Office of Government Commerce (OGC)

PMP and PMBoK are Registered Trade Marks of the Project Management Institute (PMI)

COBIT is a Registered Trade Mark of the Information Systems Audit and Control Association (ISACA)

itSMF is a Registered Trade Mark of the IT Service Management Forum