IT Compliance program – What are the issues and challenges?

The obligation to implement an IT compliance program is now a part of the reality of many small organizations in Quebec and the rest of Canada. Most of the time, these small organizations do not have a compliance team, internal audit team or security expert. Regardless of the IT compliance program (SOC 2, ISO 27001, GDPR, NIST, PCI DSS, HITRUST, etc.), the stakes remain the same.

Often, these small businesses have functional but not well-documented and well-structured internal IT control. The management of these small businesses is faced with this new compliance obligation and is forced to spend time and money on a project that does not have a direct return on investment. How should management act, and what are its priorities?

Sometimes in my practice, I see companies start a compliance program with great enthusiasm but prove unable to carry the compliance project through to the end. Why?

For small businesses, nine significant issues determine whether a compliance project gets completed and whether it remains viable over time. What are these issues?

  1. Management's commitment: This is the main issue; senior management must take ownership of the compliance project, demand its success, and set a realistic but aggressive timeline. When senior management is not sufficiently involved and engaged, the people made responsible for the project are left to their own devices. They have to manage day-to-day organizational priorities at the same time as the compliance project, and too often the compliance project is the one that is not prioritized.

  2. A Compliance Project: Many small organizations are very familiar with project management, but when a compliance project arrives, they do not manage it like a project. Doing so is not mandatory, but it is a winning approach: it ensures that the project is continuously monitored and prioritized by the employees involved and by management.

  3. Communication and acceptance: Senior management must communicate to the employees involved in the compliance project its reasons, objectives, timelines, impacts, and expectations. The best approach is a group meeting that explains in depth the challenges of the compliance program that will be put in place. The employees involved must get answers to all of their questions, and management must be seen to foster a climate of trust and cooperation.

  4. Documentation: Whatever compliance program is in place, there will be underlying documentation. The documentation must remain realistic and straightforward and be in line with the organization's practices. Too often, we see a company with complete and well-structured documentation that does not reflect its operational practices. This kind of situation regularly creates problems with the auditors.

  5. IT Controls: As soon as we talk about a compliance project, we are talking about an IT control environment. The notion of an IT control environment is not necessarily something the management of a small business is familiar with. It is imperative that, from the outset, a matrix of IT controls is established and accepted by management. The controls must remain straightforward and easy to understand. This matrix, in fact, defines the scope of the compliance program.

  6. Processes: Structured, accessible, and straightforward documentation supports the underlying processes. These processes must remain simple and easy to implement. For example, a well-structured access policy allows processes to be put in place that apply that policy in practice (access requests, departures, access reviews, passwords, etc.).

  7. Ownership: Regularly, we see a small company hire an external consultant and ask them to set up a turnkey compliance program. The consultant develops very structured documentation and completes all the steps necessary to obtain certification. Once the consultant is no longer in the company, the compliance program does not work. Why? Because the consultant delivered the mandate without heavily involving the internal team. If senior management hires an external consultant to accompany them, it must be clear that this consultant works collegially with the existing team. The best approach is for the consultant to work with an in-house pilot, who ensures that internal employees are involved in putting in place all the documentation and IT processes that have been defined.

  8. Consistency: Documentation, controls, and processes are in place, and the auditor has concluded the audit positively. This is a great success for the organization. The trap is to believe that everything is over and that the difficult part is behind you. In fact, the easiest part is over, and the most challenging part begins. We now must make sure that processes and controls continue to work in the same way, and that is a huge challenge for small companies. For example, how do we ensure that all change requests (RFP) are always documented and processed according to the documentation? This is now the challenge that employees and management must address. The risk of a lack of consistency is that, during the second audit, the auditor raises discrepancies. This situation results in a discussion with the auditors and probably disappointment for the management team. There is also the question of how the organization's clients, who expect to receive an impeccable audit report, will react.

  9. Self-assessment: Self-assessment is an approach that helps ensure controls and processes are always applied in the same way. At least once a year, a self-assessment is recommended for all controls included in the scope of the audit program. This self-assessment validates that the employees involved fully understand their responsibilities for the various controls, and it leads to action plans to correct the discrepancies detected.

Implementing an IT compliance program in a small company is demanding and expensive. Knowing the issues surrounding these IT compliance programs allows senior management to minimize the risk of the project slipping or failing. Senior management must continually remember that it bears primary responsibility for the success of an IT compliance program.