Successfully dealing with regulatory compliance pressures means being able to communicate findings and take action across different disciplines inside and outside the organization.
Benchmarks completed by the IT Policy Compliance Group show that the majority of firms (73 percent of all organizations) are merging internal controls, IT security, risk and audit functions to more effectively demonstrate compliance with regulatory mandates (Figure 1).
Figure 1: Organizational Strategies for Compliance
By comparison, about two in ten firms are not sure what to do about merging internal controls and IT security, while fewer than one in ten organizations are keeping the IT security and internal controls functions separate.
Performance results and organizational structure
Organizations performing as IT policy compliance leaders, those with the fewest compliance deficiencies and the lowest rate of IT security events resulting in financial harm, are more likely to merge internal controls and IT security functions: 81 percent of the leaders have merged the two. Conversely, organizations operating as laggards are less likely than leaders to have merged internal controls and IT security (58 percent of the laggards have merged the two functions, per Table 1). Similarly, there are more than twice as many compliance laggards (33 percent) among the organizations that do not know whether to merge the two functions as there are leaders (14 percent) that do not know (Table 1).
Table 1: Results and Strategies for Organizational Structure
| | Keep internal controls and IT security as separate functions | Merge internal controls and IT security | Do not currently know |
|---|---|---|---|
| Industry laggards | 9% | 58% | 33% |
| Industry norm | 9% | 76% | 16% |
| Industry leaders | 6% | 81% | 14% |
Source: ITPolicyCompliance.com, 2006
Organizational leverage versus organizational chaos
Merging the practices and skills of the internal controls and IT security functions can be fraught with difficulty because of divergent skills and focus, and it may not make sense to integrate all IT security and internal control functions into a single merged organization. An example is IT operations, where IT security functions are performed day to day within business or operating units. However, the benchmark results point to greater leverage, fewer deficiencies and fewer IT security events resulting in financial harm when at least the management of the two functions is merged than when they are kept separate or the decision is deferred any longer.
Some cautions may be in order
The benchmarks indicate that organizations merging internal controls into the existing IT security function, or merging the IT security function into internal controls, are generally more successful than organizations merging these two functions into a risk management or a risk and audit function (Table 2).
Table 2: Results and Strategies for Organizational Structure
| | Merge IT security and internal controls into a risk management function | Merge internal controls into the IT security function | Merge IT security into the internal controls function | Merge internal controls and IT security into an internal risk and audit function |
|---|---|---|---|---|
| Industry laggards | 30% | 18% | 30% | 21% |
| Industry norm | 22% | 30% | 29% | 18% |
| Industry leaders | 17% | 34% | 28% | 21% |
Source: ITPolicyCompliance.com, 2006
The performance results among organizations merging internal controls and IT security indicate that enough functional learning and progress occurs by merging the two alone, without overloading, or subsuming, both functions within an overarching risk and audit function.
This blanket observation, based on the benchmark findings, may nonetheless be inappropriate where adding responsibilities for risk and audit management is the right choice given the culture, practices and experience with risk management and audit in some industries and in specific organizations. Decisions regarding the correct structure should therefore be guided by the practices that exist, or do not exist, at each firm.
Guidance Recommendations:
Guidance for all enterprises, based on fact-based benchmarks, includes: