The concerted efforts of information technology vendors, combined with highly publicised accounting scandals in companies such as WorldCom and Enron, have pushed compliance high up the agenda for many chief information officers.
Compliance projects are absorbing a growing proportion of IT budgets, as companies struggle to bring their systems in line with the requirements of laws such as the US Sarbanes-Oxley Act.
But as in the run-up to the year 2000 – when resources had to be diverted to ensure that IT systems were Y2K compliant – CIOs are finding there are fewer resources available for projects outside compliance.
Innovative programmes that could support top-line growth, but which cannot promise immediate returns, are being particularly hard-hit as businesses grapple with tougher regulatory requirements.
Businesses have little choice but to upgrade their systems to keep up with the demands of compliance legislation.
“The risks to a business associated with providing poor information have increased. Sarbanes-Oxley has reminded people of that, and a number of companies are having to catch up and tidy up their information systems,” says David Elton, a compliance expert in the technology practice at PA Consulting.
Building compliance best practice into new IT projects is less of an issue, Mr Elton says, than adding compliance features to existing infrastructure.
Companies may need to graft a range of controls and information quality checks on to systems. Many of these systems will be mission-critical; some will be old and difficult to adapt.
Some companies have released additional funds in order to accommodate compliance work. IT vendors noted a spike in spending on compliance last year.
According to Chris Leone, a vice-president of product strategy at Oracle, companies increased their spending by as much as 30 per cent last year in order to absorb compliance projects, especially around Sarbanes-Oxley.
The additional spending, however, has not led to a sustained upturn in investment in IT. “The last 18 months have been an anomaly,” says Mr Leone. “This year, budgets have been set and compliance is coming out of wider IT spending.”
This, in turn, is putting pressure on other areas. Not only is there less money available, as funds are switched to compliance work, but management and staff resources are also stretched.
Although managers in some lines of business might feel that IT people are using compliance work as an excuse to delay projects, the truth is that compliance is becoming a real burden and a significant barrier to further IT innovation.
“It is legitimate for IT departments to say that they can’t take on innovative projects because of compliance,” says Mr Elton of PA Consulting.
But some companies are succeeding in limiting the burden of compliance work. Companies in sectors such as financial services and petrochemicals are accustomed to working within tight regulatory frameworks.
These industries tend to have IT systems best able to accommodate compliance requirements. They are also further advanced in automating compliance, a critical requirement if companies are to control costs and free resources for other projects.
At Oracle, Chris Leone suggests that the first phase of compliance work was largely a manual process, with analysis carried out in spreadsheets and reports created using a word processor.
Such measures are time-consuming, expensive and prone to error. “Phase two of compliance is to automate a lot of those processes,” he says.
Automation, however, has to be combined with best practice if companies are to manage the compliance burden successfully. A box-ticking approach is neither completely effective nor the best way to control costs.
In some areas, an overemphasis on filling in checklists can even be damaging. This is particularly the case in information security.
A report by research company Gartner this year noted that “most regulations lead to increased reporting, rather than increased levels of security”.
Lawrence Orans, co-author of the report, cautions that focusing on the letter of compliance law, rather than building software and systems that are less vulnerable, will not increase security for companies.
The answer could be for companies to stress best practice, both in corporate governance and IT administration, and then ensure they meet specific compliance requirements.
This approach will ultimately be more effective, more flexible and cheaper than much of the current work large businesses are carrying out in the field.