Organisational compliance is not a “black and white”, “yes or no” status but a “more or less”, “better or worse” continuous scale. Organisations that are 100% certain of organisational compliance should verify their belief by considering the questions in this article.
First the article title, you might have recognised the reference to a television show called “So you think you can dance?”. I am not a big fan of the show but I love the title. For me it holds both a challenge for the contenders to show “their stuff” combined with a high-level of “who do you think you are to think you are good enough to appear before us?” arrogance. And indeed, as expected, self-appointed experts and has-been celebrities in the jury will cut overconfident no-talent participants down to size.
Too often I have to think about this image when I see (IT) auditors’ fresh out of school present their audit findings passing judgement over the organisational compliance effort. Please do not misunderstand me, there is nothing wrong with the auditing profession as such, but at times we seem to forget that the audit reports describes the auditors’ opinion not the absolute truth.
I have no respect for auditors that think they can pass final (and absolute) judgement on the workings of an organisation based on a two week (or even shorter) audit period. Yes they might be able to find examples of what went wrong in the operations. And a good auditor will be able to form an opinion about the mentality and culture of the organisation in such a time frame.
However a great auditor will be the first to admit that his report is just an opinion. He will discuss his findings with the organisation he investigated and more importantly will have an open mind for arguments that might change his opinion.
Too often the equality between auditor and audited department is gone. It is the same with these talent shows, if the performance is ridiculously bad it might be warranted to put somebody “out of his misery”. However when it comes to judging those that clearly show promise and commitment judges should discuss “opportunities for improvement” instead of passing “final verdict”.
Granted, where the purpose of the audit is to assure compliance with an individual regulation or to issue certification to a standard, the end result will be a pass or fail “bottom-line” statement. My comment is related to the relationship and attitudes during the assurance process to deliver that verdict.
So when assessing the compliance status of your organisation there are a number of questions you should consider. By answering them truthfully you will probably find that 100% certainty of organisational compliance is both impossible and if possible undesirable.
Are you sure you are aware of all rules and regulations you are supposed to comply with?
Compliance is a requirement; somebody wants your organisation or department to comply with a set of rules and/ or regulations. For instance the financial administration of an organisation that handles credit card transactions has to comply with the rules set by the credit card companies (PCI-DSS). In turn the administration will have to articulate the security requirements for their relevant IT-services to the IT Department. In the same manner the finance department will react to the Sox regulations (if applicable). The HR and Marketing/ Sales departments might require compliance with Data Privacy regulations. The logistics department may have requirements based on import/ export regulations.
Off course IT itself has to comply with software and hardware license requirements. We have the requirements originating for fire, health and (personal) security. The industry specific regulations for instance Basel II for finance or Hipaa for US Health Care organisations might be an issue. There are local regulations regarding building, parking, signage, etc., etc. Just to name a few.
The list of organisational stakeholders with rules and regulations to comply with is endless. So how sure are you that you know all the compliance requirements you are supposed to meet as an organisation or department?
When answering this question it is important to realise: To be 100% certain you know all applicable rules and regulations you would need infinite resources to keep checking with every possible stakeholder. This is the first compliance risk: Not knowing of the existence of the requirement. So 100% certainty is both impossible and undesirable since one has or would want to spend infinite resources. The real question then becomes what is your organisational risk posture? How much risk are you willing to accept? And how much are you willing to invest to mitigate the risk of non-compliance due to unawareness?