Why Compliance Cannot be Delivered as a Service

Posted February 15th, 2008 - 4 comments

My friend Mark MacAuley can always be counted on to stir things up. He’s seen plenty of enterprise deployments and architectures and comes at problems with a combination of Yankee ingenuity and healthy cynicism. Over on Identitystuff, Mark writes about offering Compliance as a service:

The new frontier is CaaS – Compliance as a Service. Fixed cost, consistent automated reporting, a defensible model for implementing and showing transparency.

Although the intent of Compliance is good, in Mark’s estimation Compliance is 100% cost with no positive yield to the bottom line.

The trouble is that Mark refers to Compliance as if it is an IT service that can be delivered like outsourced help desk or security management. Compliance, the Big “C,” cannot be delivered as a service. The Big “C” is the interplay between people, processes, and IT systems to achieve the mission of the business in the context of regulatory and market pressures. It isn’t binary; it isn’t something you have one day and not the next. This dynamic interplay requires continuous measurement and feedback loops to ensure that deviations are corrected and, ideally, prevented.

Compliance is a matter of controls – instituting a variety of controls and then charting the business’ distance in relation to those controls at all times. Let’s take a simple common non-business example. When a cop pulls you over for speeding, you often get asked two questions:  Continue reading "Why Compliance Cannot be Delivered as a Service"...

  1. Did you see that speed limit sign?
  2. Do you know how fast you were going?
February 15th, 2008 | Tags: , , , , , | Category: Professional | 4 comments

Oracle buys LogicalApps: Redux

Posted October 17th, 2007

Lori Rowland has posted an examination of the state of market given Oracle’s acquisition of LogicalApps. Her analysis of the impact of this acquisition to us independent controls management companies mirrors some of my thoughts on the matter. There was one thing that caught my eye. Lori writes:

There are obvious benefits to implementing Oracle and SAP’s controls management solutions to manage the respective environments. Who knows SAP SOD policies or sensitive transactions better than SAP, right?

Maybe not. I posit that the audit community (both internal and external auditors) have a better sense for what constitutes an SoD violation in their business context than ERP vendors do. Clearly, the ERP vendors know, from a functional stand-point, what each transaction and function does in their products. This enables them to build the “well, duh” SoD policies such as “flag everyone with SAP_ALL.” The “well, duh” SoD policies are the just the ante to play in the controls monitoring game. The meaningful, high value SoD policies come from the audit community and their years of lessons learned working across multiple industry verticals globally. It has yet to been if the ERP vendors will truly cater to this community’s needs. It is the greater audit community that Approva has sought to serve since day one and we’ll continue to do so. Viva independence!

October 17th, 2007 | Tags: , , , , , | Category: Professional | Leave a comment