Government agencies are actually performing much better, overall, than private sector firms and non-profits when it comes to compliance results (Table 1).

Overall, 12 percent of government organizations are operating as compliance laggards, carrying large numbers of compliance deficiencies (in the tens to hundreds) that must be corrected to pass audit. The largest proportion of government organizations, 56 percent, operate in the norm; these public-sector organizations have between 3 and 15 compliance deficiencies that must be corrected to pass audit. Finally, 32 percent of government agencies are operating as compliance leaders, posting stellar compliance results with fewer than 3 deficiencies.

Compared with private sector organizations as a whole, proportionately more government agencies operate as compliance leaders than do private sector firms. There are also proportionately fewer laggards among government agencies than among private sector firms, and fewer government organizations operating at the compliance norm than private sector businesses. These results are summarized in Table 1 below.

Table 1: Government and Private Sector Compliance Results

Category (deficiencies to correct)   Government agencies   Private sector alone   Government plus private sector
Laggards (more than 15)              12%                   20%                    20%
Norm (3 to 15)                       56%                   70%                    69%
Leaders (less than 3)                32%                   10%                    11%

Source: ITPolicyCompliance.com, 2006

Government Compliance Results: Size Counts

Among government agencies with the best compliance track record (the fewest deficiencies), organization size appears to be a factor in results. Forty-two percent of government compliance leaders are from organizations with budgets larger than $1 billion, 23 percent are from organizations with budgets between $50 million and $999 million, and 34 percent are from organizations with budgets of less than $50 million.

The compliance performance results by size of organization among government agencies are very unlike those for private sector firms, where the proportion of IT compliance leaders hovers around twelve percent of all private sector and non-profit firms.

Five Strategic Government Actions That Improve Results

Leading government agencies (those with the fewest compliance deficiencies) are taking the following five prioritized actions to improve results:

  1. Documenting business procedures, IT assets and IT controls
  2. Automating the monitoring and reporting of IT controls
  3. Automating IT change and controls management
  4. Automating IT controls and procedures
  5. Changing business procedures to achieve compliance

By comparison, government organizations operating as compliance laggards are choosing to hire staff, contractors and outside service providers as their first strategic action to improve compliance results. These agencies are not automating IT controls or the monitoring of those controls, nor are they changing procedures to improve results. After hiring staff and outside contractors, these agencies are choosing to deliver training and accountability to employees and to reorganize compliance-related functions in the organization (including IT and internal audit), while also documenting IT assets, controls, IT security standards, policies and business procedures.

The Single Most Important Success Factor: Frequency of IT Controls Monitoring

The factor found to be most critical to reducing compliance deficiencies and sustaining those results is the automated measurement of IT-based controls, policies, and audit results. All government agencies (100 percent) performing as compliance leaders monitor and measure IT policies, controls and audit results on a monthly or more frequent basis. By comparison, 80 percent of government agencies performing as compliance laggards conduct this monitoring only once annually.

The frequency of monitoring among government agencies closely matches results across the entire market of private firms, non-profits and government agencies, where 97 percent of compliance leaders conduct monitoring and measurement at least monthly and 74 percent of laggards conduct monitoring only once annually.

Guidance Recommendations

Guidance for government organizations, based on these benchmark results, includes:

  • Document business procedures, IT assets and IT controls
  • Increase the monitoring of IT policies, controls and audit logs to monthly or more frequently
  • Automate IT controls and change management procedures
  • Change procedures to improve compliance results

    © IT Policy Compliance Group, 2006