Leading Cause of Compliance Deficiencies for Small Business
The three leading causes of compliance deficiencies for small businesses (firms with less than $50 million in revenue, assets under management or annual budget) are: 1) access controls for PCs, laptops and mobile field devices; 2) documentation; and 3) controls and procedures for business continuity. Compared with industry leaders, small businesses are more deficient in all ten of the top ten causes of deficiencies (Figure 1).
Figure 1: Compliance Deficiencies among Small Businesses

Source: ITPolicyCompliance.com, 2006
Actions to Improve Results
The top three actions taken by small businesses to improve compliance results are: 1) automating IT configuration and controls management; 2) automating IT audit, monitoring and reporting; and 3) changing business procedures to comply. However, small businesses come up short in all actions to improve results when compared with the industry leaders (Figure 2).
Figure 2: Actions Taken to Improve Results by Small Businesses

Source: ITPolicyCompliance.com, 2006
Comparing Results for the Most Important Action
Just 37% of all small businesses increased the frequency of IT audit, monitoring and reporting. This compares with 60% of all industry leaders. Moreover, the interval between audits and monitoring differs starkly between the two groups: small businesses audit and monitor IT compliance once every 200 days, whereas industry leaders conduct these measurements once every 21 days.
Guidance Recommendations:
Guidance for small businesses, based on fact-based benchmarks, includes:
- Increase the frequency of IT audits, measurements and reporting to at least monthly, if not more frequently
- Reprioritize actions being taken to yield better results
- Improve controls for PCs, laptops, mobile field devices, information, and data archive
- Prioritize improvements for the areas with the highest deficiency rates
© IT Policy Compliance Group, 2006