Research Reveals Compliance Problem

The Ponemon Institute says the majority report inadequacies in current practice of ensuring proper access to systems and data

TRAVERSE CITY, MIch. and AUSTIN, Texas -- New research from the Ponemon Institute reveals that despite the importance internal auditors and corporate compliance professionals place on ensuring proper access to systems and data – 70 percent of respondents say it is critical to IT compliance – the majority report inadequacies in current practice. Eighty-two percent say a risk-based approach would be more effective.

“Audit and compliance professionals are clearly struggling to gain control over issues at the heart of IT compliance, knowing who has access to what in your organization,” said Larry Ponemon, chairman and founder, Ponemon Institute. “They must do an incredibly complex and important job the hard way – manually and reactively – and they know it. Almost all would prefer to focus their efforts on the areas of greatest business risk, but they need help getting there.”

Commissioned by SailPoint Technologies, the survey, entitled Audit & Compliance Professionals: Survey on Identity Compliance, examines the views of auditors and corporate compliance staff on the state of compliance practices that focus on ensuring proper access to systems and data. Findings from analysis of 845 responses point to a number of inadequacies including:

  • Reliance on Manual Processes – Audit and compliance staff rely on manual efforts to manage compliance processes. Fifty-eight percent manually monitor and test controls on user permissions and activities, depending almost exclusively on reports generated by others rather than software tools (90 percent).

  • Lack of Centralized Control – Organizations have not established clear ownership of compliance oversight or processes around reporting on and monitoring user access to critical systems and data, with a wide majority conducting compliance efforts in a decentralized fashion at the application or department level (86 percent). Fragmentation of the data and distribution of responsibility among many groups are cited as the top two barriers to automating compliance.

  • Poor Communication and Collaboration – Audit and compliance staff report little to no collaboration with departments who share responsibility for IT compliance (61 percent), citing a poor understanding of risk management and compliance among other departments as the key barrier (65 percent).

  • Inattention to Business Risk – Asked if their organizations focus their compliance resources or efforts based on risk, half do not think so or are unsure, and the majority report the information necessary to quantify risk is simply not available (58 percent).

The full survey offers a comparative analysis of responses from audit and compliance staff with responses from IT security professionals to an earlier companion survey published by the Ponemon Institute in March 2007, also commissioned by SailPoint. Major points of agreement between the groups are poor collaboration and reliance on manual processes: IT professionals report little to no collaboration with audit and compliance staff (65 percent), citing a lack of technical expertise as the key barrier (42 percent); and 53 percent characterize efforts as manual and labor-intensive. Eighty-three percent of IT respondents also say a risk-based approach would be more effective for ensuring proper access to systems and data. Key differences are business drivers – audit/compliance groups seek better control and security (44 percent) while IT groups seeks higher efficiency (40 percent).

“Organizations are achieving compliance by throwing people at the problem, but they don’t know where their risks are,” said Jackie Gilbert, vice president of marketing and founder of SailPoint. “By taking steps to centralize and automate their efforts, companies can begin to regain control with a sustainable and effective approach that allows them to identify and reduce potential business risks like intellectual property loss, privacy breaches, brand damage and inaccurate financial reporting.”

Ponemon Institute LLC