Regulations govern just about anything a business might wish to do: Publicly held companies’ finances are subject to the 2002 Sarbanes-Oxley Act. Companies that collect health care data must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Food and medical device manufacturers must follow rules set by the Food and Drug Administration; companies that sell in Europe must follow European Union statutes. There are literally thousands of other examples.

These might seem like concerns exclusive to accounting and quality assurance departments. But information technology (IT) departments are not only subject to their own best-practice standards, such as the Control Objectives for Information and Related Technology and the Information Technology Infrastructure Library; they are also the enablers of the entire organization’s compliance efforts, and almost always a means by which compliance is accomplished.

“Compliance is really a business issue that is delivered by technology,” explains Jim Jungbauer, president of Hollstadt & Associates, Inc., a management and technology consulting firm in Burnsville. “The reason companies use technology is to solve a business problem. These are all business issues that are delivered with technology solutions.”

Lorna Alamri, director of sales at Integral Business Solutions, a Roseville-based information security consulting company, says her firm deals with regulatory issues all the time. “A lot of our projects are driven by compliance,” she says. “Generally, information is what companies or government entities are trying to protect [in order to comply with regulations]. And a lot of that information is held within IT systems, within databases. So that’s why a lot of times these things seem to lead back to IT systems.”

No matter what department of a company is being regulated, the actual implementation and proof of the compliance effort tend to fall at least in part to IT, says Rick Kuula, president of Stillwater-based Solutia Consulting, a management and IT consulting firm. “The IT organization is getting hit from so many different sides,” he says. “Anything from external audits from government agencies to specific things like HIPAA and PCI [the payment card industry data security standard, a financial-industry standard that has recently been codified into Minnesota law], plus their own internal audits. You can imagine the burden of time and effort that goes into all of that. The IT organization is constantly hit with requests for information.”

Audits tend to require firms to retrieve stored information, he says. For example, in a pricing audit—such as when a bank is being evaluated on the way it applies rates and limits to its customers’ loans—a company might need to look back two or three years in its records to replicate its past pricing structure. That increases the complexity of the applications IT is creating and maintaining: they need not only to create prices for the current moment, but also to record a history of pricing methods.
