Out of Order: 5 Compliance Projects Gone Terribly Wrong
Published May 26, 2017 by Ben Lack
No one wants to admit that compliance can go horribly wrong, but it does happen. If you’re worried about how to handle a problem, Reciprocity’s seasoned GRC experts can assure you they’ve seen it all. In this webinar, Matt Kelly, Editor of Radical Compliance, talks with our own Aaron Kraus, Dave Schmoeller, and Dave Driggers as they share their stories of implementing compliance projects, how projects can detour, and what compliance executives should focus on during GRC implementation.
Reciprocity’s director of GRC security has consulted in every field necessary including government, financial services, and healthcare in a variety of roles including designing, implementing, and auditing. He’s also experienced in teaching CISSP exam preparation, Mac OSX, Microsoft SharePoint, security and awareness.
The Comedy of Errors: The FinTech Case
Having adequate control over privileged and administrative accounts is a main aspect of compliance that ensures fraud prevention. The regulator for one of Aaron’s large financial services organizations issued a Matter Requiring Attention (MRA), which can be problematic, as unresolved MRAs can result in fines or even the closing of a business. The IT department chose a database monitoring tool without really understanding the problem they were tasked to solve, and the tool kicked out pages upon pages of data with complicated compiled information from over 20 databases across production, test, and staging environments.
All of the spreadsheets acted no differently than one person manually compiling the information, and the bank’s response was to throw more people into the mix. All of this lowered the return on investment since the compliance problems remained and additional development efforts added to the cost. Aaron noted, “the big lesson here was that making sure we picked the right tool was important and that that good old corollary that you can’t always just throw more people at a problem and expect it to be solved. Sometimes you do have to work a little bit smarter rather than simply throwing more resources at the problem.” Ultimately, the wrong people were put in charge of the purchase leading to a tool that worked for only one of the many stakeholders involved.
The Three Ring Circus: The Multiple Control Frameworks Case
Within the same financial institution, the audit team encountered problems when different business units could not agree on a single standard or framework with which to assess the security of third-party vendors. Because larger vendors worked with several business units, Aaron’s team spent time working across ISO frameworks, creating excessive busywork translating reports.
The multiplicity of reporting created confusion for the Board, making understanding the risk difficult. Aaron noted, “In my experience with Reciprocity, this also very closely mirrors what some of our customers are facing, especially for smaller companies that are growing really quickly. We have people who are breaking into the healthcare industry, so they’re trying to approach HIPAA and HITRUST and they just have too many frameworks to manage and the end result is they spread themselves too thin, they’re not able to adequately finish any one of these frameworks.” The problem lies in getting executive support and the tone at the top to ensure appropriate resources.
Reciprocity’s head of GRC services specializes in financial, operational, and IT audits with a focus on SOX compliance. His specialties include business process evaluation and improvement, systems implementation, and fraud investigations. A renaissance man, he is an internal auditor, certified IS auditor and a certified risk and information systems professional.
Where SOX Compliance Went to Die: The Funeral Home Case
As audit director for a publicly held funeral home and cemetery company, Dave had oversight and project execution responsibilities focused on scoping and framing. The three rounds of annual testing involved hundreds of requests across thirty corporate users. The lack of a central data repository for collecting evidence, tracking submissions, and contacting people led to a cultural and behavioral problem evidenced by an aggressive audit manager who stalked people on instant messenger. Informational disconnect led to poor relationships across the organization.
Audits ended up costing not just time and money, but the human capital inherent in strong collaborative relationships. The main value of automated tools lies in providing a more modern way of conducting audits. Dave noted, “I think more importantly it’s all the users’ time across the business, where they’re already doing their full-time job and the audits are very disruptive of that, so finding a way to make that painless, make it a great experience, make it more collaborative and useful as opposed to a one off very painful experience that certainly was encountered there.” Instead of stalking people, an automated tool becomes a collaborative resource with a dashboard providing status visibility leading to more efficient escalation. Ultimately, poor communication across departments leads to employee frustration that leads to loss of expertise.
Salt in the Wound: The Mining Industry Case
Once again in an audit director capacity, Dave noticed the management group not completing adequate user access reviews, resulting in too much access, which could lead to fraud or poor reporting. Failure of the control was reported up to the Board. While the correct plan of starting small was discussed, the program lacked the overall support, vision, and goal-setting from management to get to the big picture result.
Over the course of two years, little true remediation occurred because the lack of support led to SOX compliance being treated as a pet project instead of a focused, meaningful part of the organization. The Board and audit committee tasked Dave with creating a project team. Management support was mandated by the Board, resulting in quicker organization of IT resources. Dave reminded everyone, “But the really cool thing, and I think where having this vision is very important was that one of the ideas was to change the company culture, and to that end was to give business ownership of their user access, their data and their security, as opposed to leaning on and thinking that it’s IT’s problem.” In the end, the company tightened the controls so that people had only enough access to do their jobs, which lowers the risk profile.
One of Reciprocity’s resident GRC experts, with over 15 years of experience, Dave has worked in a variety of positions from operations to strategic consulting in a variety of industries across four different continents.
That is Highly Illogical: The Logistics Company PCI Case
Back when PCI DSS was fairly new, Dave was brought into the middle of a multinational logistics company’s compliance effort to review the IT side. Despite the requirements being easy to follow, Dave’s team found that the relationships between different assets and safeguards were isolated. Scoping out how requirements applied to assets during the middle of the audit, questions arose as to why this was becoming more complicated than originally suggested. Forced to engage in the creation of these mappings, the organization obtained its PCI badge and created a candid intrabusiness relationship through compliance.
Viewing compliance as checkbox drudgery misses the inherent value of using frameworks and requirements to create an accurate picture of the environment, location of outfits, of protections, controls in place, and engage new programs. Dave reminded the group, “I think just looking at compliance as a list of a bunch of boxes that need to be checked, I think that’s missing a good 90% of what the real value is when you go through and generate these mappings, which is getting an accurate portrayal of your security posture.”
Question: Where do you get this executive support and get the top to pay attention and give their resources?
Dave Schmoeller: What that translates to is they’d have to disclose that to the public in their FCC filings and investors can lose some confidence in companies with material weaknesses. That all translates to declining stock value. I think that’s what really drove it home for them was really seeing, look, this is pretty critical. It’s not just me saying we need to fix this, this is really gonna have a big impact on the company, and I know you want to avoid having those kinds of disclosures in the company. Also, being empowered with someone who worked with all the functions across the company ended up being really persuasive and convinced about 20 people to still complete their full-time jobs but put in some extra effort and get all this other work done.
Question: “I’m a university in the northeast. I’m having trouble building frameworks for multiple regulations, tips you can share there would be helpful.” How do you implement multiple frameworks at the same time? What are the best practices or the muscle memory that a compliance officer should be developing to do this sort of a thing?
Aaron Kraus: My approach for all of the customers that are onboarding at Reciprocity is start small and iterate your way to greatness, you’re not going to achieve everything if you try to do everything all at once. You can do a limited amount, show some value, demonstrate to your management, to your regulators, whoever it is that is reviewing your work, that hey, what you’ve done has provided value and then work from there.
Question: “Many CEOs, CFOs, COOs and the like, they’re focused more on enhancing revenue, and how do you get them over the cost hump.” What sort of advice would you have for people who are trying to explain to their boards, their executive managers that this is not just a big black hole of cost with no benefit, what would you recommend to them?
Dave Schmoeller: A material weakness has the potential impact to the stock market, stock valuation, people wanting to do business with you, all these things. There’s not a specific number with that, but that definitely gets attention. I think that trying to get buy-in for buying the tool you need to make sure everyone understands the hidden value. These are things people like doing once, getting it done, being done with it, and knowing that they’re done with it by using a collaborative tool. Meanwhile, having spreadsheets, people doing phone calls, emails, IM-ing, and having poor communication channels all over the place creates chaos.
Aaron Kraus: You can point to one of your peers and say, “We don’t want to be them so it behooves us to invest here.” I won’t mention any names but I think we all know retailers and entertainment companies who have had well-publicized issues.
Question: “I’m dealing with scope creep for developing controls for HIPAA compliance. Any thoughts on how I can keep that from happening?”
Dave Driggers: Build out an inventory and see how all those different objects actually relate to one another. It’s difficult to do with spreadsheets because you really can’t visualize it, but what I’ve found is if I can visualize it and put those controls into place, as generic as possible to start with and then branch off of that and actually specifically target whatever assets require more stringent controls, that allows you kind of deck off 90% of your requirements with your core control set and then to go in and actually create one off controls for any gaps that are identified.
Question: What would you say about how to effectively track the progress of evidence collection? For a lot of audits, that is a big, big part of what people want to see. This is what audit firms and clients want to see on a SOX audit.
Dave Driggers: I think with evidence collection you have to be able to see the complete picture. There are various overlapping phases, particularly around evidence collection. Track the status of that evidence because you have a lot of different moving parts and a lot of people moving data to one another. You need some sort of central tracking tool to actually get an overview of exactly where each request is. Know where to actually put your effort. We’ve got a limited amount of time, and it’s valuable. I think the most important thing that we can do is to manage our resources properly, so centralized overview is most important.