Compliance: It's a process, not a project.
Looking at the yin and yang of compliance regulations, I conclude that they are not the threats and mundane activities they are often thought to be, but inherent features that help organizations grow from a reactive to a more proactive culture.
Coming from the IT industry, I can only compare it with the quality activities done within the software life cycle. We all know that building a quality process into our projects helps us achieve defect-free results more efficiently. Still, quality is viewed as a series of steps to be followed for the sake of acquiescence. We need to make quality a part of the work itself rather than an activity performed after the task is complete in order to comply with the standards set by the organization. If only everyone understood the value of an intrinsic quality program and did their bit, we could do away with the need for overheads like quality checks and reviews, saving time and money.
Ditto with compliance. At the grass-roots level, the employees who actually submit the data for SARBOX (Sarbanes-Oxley) view SARBOX as a redundant burden that increases their workload. It is viewed as a distraction from their real job and their goal of creating enterprise value, all leading to low employee morale and compliance violations, which earn the organization a bad name and credibility issues. Organizations end up racking up huge costs employing more and more compliance-related products, services and training, and still come nowhere near the intended outcome.
I feel most of this is happening because there is a huge disconnect among people about what their organizations aim to achieve with compliance. There is too much focus on the legalities and too little attention to what "really" needs to be done.
Basically, why did the whole aspect of compliance come into the picture? Rather, what is it all about? The whole idea behind compliance is doing the right things. Because there are ways around the right things, which people might choose out of ignorance or on purpose, and which might lead to undesired results, there would be a disruption in the harmony of society. So some rules and regulations are set up to help us all live in a world safe from money launderers and frauds. If people chose to do the right thing whether or not someone was watching, there would really be no need for these to be forced upon us.
Take the SARBOX regulations: these are disclosures and certifications regarding the internal controls an organization employs for
• Ensuring funds are used as projected
• Fraud prevention
• Shielding assets from destruction and misuse
• Security techniques to thwart hackers, viruses, criminal activities
If everyone in the organization realized the need for these, I am sure compliance would mean a hygiene process and a mind-set rather than a project for audit purposes or an overhead. If firms could inculcate this culture of compliance across their hierarchy, instilling in every employee the sense of ethical decision-making, half the battle would be won. Simply put, it means infusing in every employee an obligation to do what's right.
Rather than focusing too much on the legal complications of compliance, we first need to ensure that we get our basics tuned in. Folks, this is just the beginning of our journey on compliance. Can organizations have built-in mechanisms that automatically prevent non-compliance? What are the ways we can achieve this? We will try to answer these questions in the forthcoming blogs.
The article is very good and the coverage of the topic is very precise and to the point. I liked the ease with which the author has passed on the message. Fantastic.
Posted by: Bipin Kumar Singh | Jun 17, 2008 at 12:11 PM
Hi Parita
Greetings! Nice article. I agree with the idea of the "spirit of the compliance" that you speak of.
Have you attempted to merge the SOX / COBIT / COSO requirements for IT controls with the SDLC process at Patni?
Is there a Compliance focus at Patni? Can you share more information about this team and how I can contact them?
Thanks
Siraj
Washington DC
Posted by: Salahuddin Sirajuddin (Siraj) | Jun 18, 2008 at 11:51 PM
Apologies for the delay in response, Siraj, and I thank you for the compliments.
Patni's SDLC process includes several best practices from the well-known quality frameworks like CMM, ISO, COBIT and COSO. Answering your other question, we have a strong Compliance focus at Patni; however, Patni as a company is quite flexible and agile to adapt to the needs of our clients' business requirements too. There are multiple teams at organization level and in each of our business units. Depending on your specific query, we could organize a response from the right person.
Hope I have answered all your questions.
Posted by: Parita Pai | Jul 04, 2008 at 10:32 AM