Compliance

Introduction

Industry regulations are increasing in number and complexity. Government regulations such as Sarbanes-Oxley and HIPAA, and industry standards such as Basel II, are examples of regulations that require internal controls to be implemented in application software in order to conform. Penalties for non-compliance are substantial: failure to comply with HIPAA can cost up to $250,000 and 10 years in prison, and the SOX penalties are greater still, up to $5 million or 20 years in prison. There is no option but to dedicate precious IT resources to addressing this issue. Industry regulators and business consortiums have adopted standards for data exchange between organizations, and compliance with these standards has become an essential prerequisite to doing business in these arenas.

CIO / Executive

Compliance with government regulations and/or industry standards is a non-negotiable cost of doing business, so the corporate mandate must be to ensure that compliance is achieved as efficiently and economically as possible. The organization must be able to demonstrate compliance to meet audit requirements, and to prove that as applications are maintained, changes are made in accordance with the regulatory requirements.

Architect

The CTO office will be responsible for assessing, reviewing and reporting on the state of the application portfolio with regard to compliance. Its ability to rate the compliance level of each application in the existing IT landscape provides the audit information required, and allows the focus to be placed on non-conforming applications so that the organization can mitigate risk. The first logical step is an initial audit of that landscape, followed by a systematic program for reviewing and assessing each application to determine its compliance status. Following that is the goal of making such analysis repeatable and available on demand, so that as applications are updated over time, regulatory compliance can be efficiently verified for audit requirements.

Technical

Where you are dealing with older applications that may not have current documentation, building an inventory of the applications and generating documentation is the first step. Compliance can then be determined from the deep understanding of each application that this documentation provides. This step is repeated across all applications, building an environment in which non-compliant practices can be searched for and discovered in a consistent and repeatable way. This repeatability allows for “on demand” audits to prove compliance and to focus effort on any area that may not meet the requirements.

Conclusion

Compliance is a mandate. Efficiency is key. Evaluating the many applications that make up your application portfolio for compliance with regulatory requirements that did not exist when the applications were written can be a daunting task. Audits are an ongoing process, and applications are constantly changing due to maintenance, making compliance verification a recurring ad hoc requirement. A more scientific approach is required to determine the current state of compliance across the entire application portfolio. APM, as the name suggests, is designed to manage this application portfolio, and promotes compliance by taking the guesswork out of the assessment and review of applications.