Most companies aren't fond of their compliance procedures

Only 13 percent of companies are very satisfied with their current compliance processes.

New research has shown that most companies aren't happy about their compliance procedures.

A recent study conducted by Osterman Research and sponsored by security awareness training company KnowBe4 found that only 13 percent of companies are "very satisfied" with their methods of regulatory compliance. The researchers found this result surprising, given that 63 percent of survey respondents rated compliance as "very important." In addition to understanding satisfaction with current procedures, the researchers were also able to determine the source of companies' angst.

"Much of the discontent stems from the focus on manual processes," said Stu Sjouwerman, CEO of KnowBe4. "This is quite cumbersome and expensive."

According to the report, 19 percent of audit and compliance time each year is used for tracking requirements. Additionally, 31 percent is spent on gathering and maintaining audit evidence. Constant changes to regulatory requirements for compliance management add to the difficulty of relying on manual processes. Furthermore, the U.S. is one of the leading jurisdictions in regard to such changes.

The report noted, for instance, that the U.S. Federal Register, a daily publication that contains proposed and final regulations of U.S. federal agencies, published an average of 2,445 proposed rules and 3,827 final rules each year between 2002 and 2012. On a daily basis, those figures equate to about 9.4 proposed rules and 14.7 final rules.

The price of conventional compliance management
The researchers found that conventional compliance management procedures are not only taxing but also not the most cost-effective solution. Osterman used a subset of the initial survey, thereby eliminating outliers, to gauge the high cost of conventional compliance management. The total cost was $523.93 per employee per year, accounting for labor and expenditures on services and tools. The report noted that this equaled $43.66 per month, which would be about $261,000 per year for a company with 500 employees.

Companies are particularly losing time and money on manual processes, which are a central part of conventional compliance management procedures. These include Word document and spreadsheet maintenance as well as noticeable effort to maintain unique company software that helps with compliance. When coupled with the time to search for information and open the necessary tools and documents, companies are clearly working inefficiently. Furthermore, up to 80 percent of the time used by compliance risk professionals goes toward searching for information, according to the report.

Duplicate efforts also slow procedures
In addition to the setbacks of manual processes, the researchers noted that duplicate efforts by compliance management staff can further waste valuable time. This problem, which is particularly prevalent in large and distributed organizations, leads to several employees picking apart the same compliance issue. With numerous staff members working on the same task unbeknownst to each other and manual processes already slowing procedures, inefficient compliance management can be damaging, especially as multiple departments and employees derive differing solutions for ensuring compliance.

Saving a company's budget
Sjouwerman suggested that companies that are unsatisfied with their current compliance management strategies take steps to reevaluate their systems.

"Improving the tracking and gathering of audit evidence alone can help an organization save considerably in both time and budget," he said.

Many companies are turning to cloud computing software to streamline their procedures and eliminate manual processes. Companies should, however, be careful when choosing a vendor, reported. Additionally, organizations have to pay special attention to information security, as standards and best practices for cloud computing security are fairly new. Proper risk assessment should be conducted.