Leading Compliance Deficiencies
The leading cause of compliance deficiencies across all organizations is IT security: seven out of ten deficiencies are directly related to weaknesses in IT security controls (Figure 1).

The leading compliance problem area for most organizations is documentation, with almost 80 percent of organizations reporting it as their leading source of deficiencies. Blind interviews conducted with numerous organizations confirm that documentation is an ongoing problem area that is being monitored and managed, but one that rarely rises to the level of a severe or significant deficiency.

It is not unusual for organizations to find hundreds of “documentation” deficiencies that must be prioritized for correction. Second and later audit filings tend to reveal documentation deficiencies caused by changes in business procedures and IT policies that have fallen out of sync with older documentation.

The more striking finding is that deficiencies in IT security are directly related to 7 of the top 10 deficiencies reported by the 520 firms participating in the benchmarks. Besides documentation, the other top-10 areas not directly related to IT security are business continuity, data archiving and data management. Although documentation, data archiving and data management are likely to include some IT security problems, the benchmarks do not apportion those contributions.

Figure 1: Leading Causes of Compliance Deficiencies

The major IT security areas contributing to compliance deficiencies are access controls; audit, measurement and reporting; and IT security policies, standards and procedures.

The Inverted 70/30 Rule
According to findings released by Ernst & Young*, about 70 percent of Sarbanes-Oxley (SOX) Section 404 controls are found outside of IT, while only about 30 percent reside in IT. Despite clear evidence that only a small portion of SOX controls are directly related to IT, the focus of control remediation efforts is inverted: about 70 percent of remediation effort goes into IT and only about 30 percent into operational and financial processes.

The Ernst & Young findings match the benchmark findings of the IT Policy Compliance Group: 70 percent of the work effort to comply with regulatory mandates is in IT, specifically in correcting deficient IT security controls and policies, while 30 percent is outside of IT.

Spend on IT Security Impacts Results
Spending on IT security is a predictor of compliance performance results (Table 1). While there is a clear correlation between performance results and spend on IT security, no similar correlation exists between performance results and the size of the organization by revenue, or the size of its IT budget. Instead, organizations of every size and IT budget are distributed across the performance bands in the same proportions as the benchmark population as a whole: 20 percent suffer from tens to hundreds of compliance deficiencies; 69 percent sit in the middle with between 3 and 15 deficiencies; and 11 percent operate as leaders with 2 or fewer deficiencies.

Table 1: Spending on IT Security and Compliance Results

Compliance Results        Spend on IT Security
Leading organizations     10.4 percent of the IT budget
Normative results          7.2 percent of the IT budget
Lagging results            6.4 percent of the IT budget

Source: ITPolicyCompliance.com, 2006

Guidance Recommendations:

Guidance for all enterprises, based on the benchmark findings, includes:

  • 70 percent of compliance deficiencies are in IT security
  • Spend on IT security is a predictor of compliance results
  • Compliance leaders are spending more than 10 percent of the IT budget on IT security

* Ernst & Young: Emerging Trends in Internal Controls, Fourth Survey, May 2006

© IT Policy Compliance Group, 2006

The action most responsible for best-in-class compliance results is the frequency of automated measurement of IT-based controls, policies and audit results. The industry leaders monitor, measure and report on these once every 21 days.