
Driving the Cost Out of Regulatory Compliance


The practice of dispatching internal auditors throughout the organization seems strangely inefficient to Brad Ames, HP’s Director of IT Auditing – especially given the substantial post-SOX costs involved in traditional risk assessment methods. Here, he explains to Business Management how HP is gaining efficiency and reducing compliance costs while still maintaining its risk management standards.

BM. Let’s start with the obvious question first – do we really need more products and services in IT for Sarbanes Oxley compliance? Why can’t IT executives approach this as they have with other reporting requirements – a yearly fire drill that can be done manually?
BA. You can do it manually; however, it’s very expensive and not that beneficial. Sending out busloads of auditors to get a picture of your control environment is an intrusive, cumbersome process; it requires interviews and inspections that can distract from the business flow. What we discovered is that, for the most part, the things that really persuade auditors that your processes are compliant can be gotten remotely and systematically, which would pre-empt the need to send out all those auditors in the first place. So rather than offer more tools, what we try to do is deliver more visibility into risk and how it’s managed – which helps evaluate the operating effectiveness of the control environment.

BM. How did you get started on developing these solutions?
BA. Actually, we started on them before Sarbanes-Oxley became such a big issue. As you know, HP is a global company with dozens of data centers and thousands of applications, and we needed a way to evaluate the operating effectiveness of the control environment in order to govern that landscape. We couldn’t do it through traditional audit efforts because it was too expensive and cumbersome and the information it yields dates really quickly.

So about three years ago, we asked the auditors how long it took them to come to their conclusions in the course of their fieldwork, and asked them what they were looking for first. What we found was that the auditors tended to come to a conclusion about the outcome of an audit within about two days (even sooner for some of the more savvy ones). As a result, we tried to learn from those auditors what it was that they were looking at in those two days – what drove their intuition towards a particular outcome? We collected those indicators and categorized them into leading and lagging indicators for predicting the outcome of an audit, and worked out which of those indicators could be collected remotely and systematically. So that’s how we got started on compliance monitoring.

BM. So what impact did Sarbanes-Oxley have on these efforts?
BA. In the first year, the external auditors weren’t very forthcoming with solid direction as to how to go about doing this, which resulted in a lot more work than was originally expected. In year two, however, we drastically reduced our scope to become less reactive and more relevant in the areas we audited. A starting point for us in this effort was building a closer relationship with the external auditors, in order to precisely deliver to their expectations rather than trying to second-guess them. With all the ambiguities surrounding interpretation of the regulation, this is just too difficult to do.

Something else we found in year one was that a lot of the processes we were documenting were manual – because of the lack of clarity surrounding SOX compliance, people were tending to prioritise documentation of those manual processes they were familiar with, that they could see. However, because manual processes are around 25 times more difficult and expensive to test than automated ones, the cost of testing was much greater than expected. As a result, we resolved to be much more clear about which processes we were going to test. Again, it comes down to reducing our scope, and increasing the level of automation.

The final thing we tried to do was build confidence in our external auditors. When auditors are uncertain about the environment they are going to measure, they always expand the scope, so in order to lower compliance costs (which are directly tied to the level of testing required by the external auditors) we decided we needed to raise the confidence levels of the auditors to influence their scope of testing and keep costs to a minimum.

BM. Do you think that enough IT departments have thought through the implications of what it’s going to take to sustain the compliance effort?
BA. A lot of IT departments are now focusing on how to organize themselves more efficiently, but I don’t know that they have progressed towards taking this proactive approach just yet; a lot of them are still in reactionary mode, working with an inspection audit model that tends to be retrospective and thus doesn’t deliver ongoing benefits.

What we’re doing is trying to come up with a different way of coming to the same conclusion that you would do through inspection-style auditing. So in year two, we’re much more efficient in terms of scope and what we choose to test – we’ve already identified and lowered the amount of manual controls we’re testing, proportionally raised the number of automated controls we’re testing, and are currently building in analytics for evaluating risk in the environment that were pretty much discarded in year one.

BM. What difficulties do IT executives face in terms of communicating the complexities of IT compliance to those on the business side?
BA. I think there is a gap, primarily because a lot of compliance efforts are parallel efforts. You’ll see a SOX testing effort on the financial side and a separate SOX effort on the IT side, but there isn’t actually as much integration as you would expect. This is one of the problems we need to solve – trying to integrate the automated controls into the financial business processes so they can alleviate the manual testing they have built into the financial attestation effort.

There’s also another issue – most auditors come from a financial background, and have learned to audit through 70-plus years of tradition. They examine transactions, they recalculate balances, they inspect vouchers and so forth, and so we’re fighting that tradition by saying: “we can get there another way”. Analyzing a few cleverly placed leading and lagging indicators allows us to see that control environment operating effectively on an ongoing basis, which enables us to understand where the ‘outliers’ are – applications and technologies that are accepting more risk than we would expect – so we can deploy resources to where the emerging risk is rather than cycling round and performing traditional inspection-style techniques over and over, every year.

BM. So how does HP cut cost from the compliance effort?
BA. What we’re doing right now is identifying those control activities that are relevant to the external auditors, and for each of those control activities in the IT space, we’ve identified KPIs that we can monitor to give the external auditors visibility into that environment as it fluctuates on an ongoing basis. They can simply point to a dashboard and say: “that’s our control environment, that’s how we know we’re operating effectively.” We’re trying to transform their thought processes so they don’t feel like they need to send out a busload of auditors to inspect, simply to come to the same picture.

