By Alan Radding
If corporate IT isn't yet feeling the heat of regulatory compliance, then it has missed more than one telltale sign that the compliance game is serious. Consulting firms certainly have noticed, and they are rushing in to help IT groups meet compliance mandates.
With over 15,000 government regulations in force in the U.S. alone, according to the Enterprise Storage Group, a technology research firm based in Milford, MA, compliance promises to impact almost every company. And even with the best of intentions, companies will find compliance a daunting undertaking in which the payback may be small but the risks are high — and the penalties associated with failure are too great for most executives to even contemplate. All of this translates into headaches for corporate IT and opportunities for consulting firms.
Failure to comply fully with regulatory mandates can be costly indeed. In May 2002, for example, Schering Plough was forced to cough up $500 million to the FDA for its failure to adhere to common good manufacturing practices (CGMP) regulations. The announcement of the FDA's enforcement action back then should have served as a warning to all companies in every industry about how seriously this compliance business was becoming.
"This action is another clear sign that the FDA will continue to enforce the rules and regulations requiring companies to carefully control and monitor their processes used to make pharmaceuticals and other products. … Manufacturers who choose to wait until FDA investigators find violations rather than police themselves will find that they have made a poor and costly decision," declared Dr. Lester M. Crawford, FDA's deputy commissioner, in the agency's announcement.
And it is not just the FDA. Less than two years later, in March 2004, the SEC cracked down on Bank of America, hitting it with a $10 million fine for failing to protect, archive, and retain e-mail and other electronic records as required by sections 17(a) and 17(b) of the Exchange Act and SEC Rule 17a-4(j).
Although responsibility for compliance ultimately resides in the executive boardroom, management is increasingly turning to IT to facilitate compliance. "IT is all about the systems infrastructure, which has a critical impact on business processes," says Thomas Cronin, director of business activity monitoring at Fujitsu Consulting, Falls Church, VA. Whether guarding the privacy of a patient's medical data, monitoring adherence to CGMP in developing drugs, or identifying and reporting material events under Section 409 of Sarbanes-Oxley, corporate IT suddenly finds itself thoroughly entangled in compliance issues.
With critical deadlines looming for a number of major regulatory rule sets, such as HIPAA security in April 2005 or provider identifiers in 2007, the pressure is only going to mount. And with IT groups still reeling from recession-related budget cuts, they are hard pressed to take on compliance chores in addition to their regular work. Enter the consultants.
"IT is good at the technology stuff. Where IT needs help is in meeting the business requirements," says Charlie Rowland, CEO, Breakaway Technologies Inc., Yardley, PA, a consulting firm that helps companies meet myriad financial mandates. In addition to understanding the business needs, "IT groups also are scrambling to get educated on tools," he adds.
Although Sarbanes-Oxley has grabbed the spotlight in recent months, it is far from the only concern. Many organizations, for instance, may find themselves unwittingly running afoul of more-obscure regulations, such as HIPAA (Health Insurance Portability and Accountability Act). HIPAA is a combination of EDI standards and security and privacy regulations for healthcare. Organizations that do not even consider themselves in the healthcare industry per se may find themselves subject to HIPAA privacy and security regulations, especially when it comes to their health insurance programs. Even a database consulting company that touches patient data in the process of helping IT set up, say, a data warehouse may be subject to HIPAA rules.
Helping corporate IT groups handle compliance chores is turning into big business for consulting firms with the right expertise. "Corporate compliance is our number one go-to-market initiative for 2004," says Cronin. And it is likely to remain a major initiative for years to come. "This is not like Y2K, which went away at midnight. The rules are going to evolve and there will be new rules."
The Aster Group LLC, Charlotte, NC, expects consulting around the various financial compliance requirements to substantially alter its revenue mix. Currently, its ERP practice accounts for about 80 percent of its revenue. "Within a few years, we expect that situation to completely reverse, with our BPM practice accounting for 80 percent of our revenue," says Joe Mastro, vice president of Aster's Business Performance Management (BPM) practice.
Other consulting firms working the compliance space are reporting a similar surge in business. "We're as busy as we've ever been, and it is all driven by compliance," says Rowland, whose 40-person firm is looking to hire seven more people.
Based on a survey of corporate executives on the issue of compliance spending, Gartner estimates that Sarbanes-Oxley compliance alone will cost $2 million for companies with $1 billion in revenue; the responding firms' anticipated expenditures ranged from less than $10,000 at the low end to over $4 million at the high end. Of that spending, Gartner estimates that audit firms will capture the lion's share, 50 to 70 percent. At the same time, it advises IT groups to secure at least 20 percent of the overall Sarbanes compliance budget to cover what IT needs to support the effort.
Still, it is difficult to pin down corporate spending on compliance. To begin with, Sarbanes is just one of many mandates requiring compliance in one form or another, each with a different deadline. In addition, many companies "are doing just the bare minimum now," says Rowland — and worrying about the rest later.
Such fast fixes, however, will ultimately result in more revenue for the consultants. "The short-term corrections will result in too many Band-Aids, which will lead to the next wave of consulting," observes Edward Hill, managing director, Protiviti, a consulting subsidiary of Robert Half, Menlo Park, CA.
Compliance consulting engagements vary greatly depending on the particular mandate in question and the scope of the engagement. "We've seen spending start under $100,000 and run up to multimillions," says Mark Shishida, CEO, Fox Systems Inc., Scottsdale, AZ, a firm specializing in HIPAA compliance.
IT-oriented consulting engagements typically fall into three areas: process consulting, documentation, and technology support. Sometimes, though, the need is even more basic than that. "Companies typically need a couple of different kinds of help, but often the first is just trying to figure out which regulations they are subject to," says Hill. For example, many companies aren't sure whether they are subject to HIPAA requirements.
Protiviti approaches compliance consulting with three questions:
• What regulations does the company have to worry about?
• What are the specifics of the applicable rules and regulations?
• How can they be dealt with?
Regardless of the particular mandate, all have the same general requirements, which are intended to prove that the company is doing whatever is specified in the regulations and is doing it well at the process level. Typically, this involves some type of documentation process, change control, security, confidentiality, and auditability. Data integration and aggregation may also be required.
For IT, then, the challenge becomes one of documenting systems and processes; applying change control; tracking usage across systems, networks, and data; implementing and enforcing information security policies and practices; and maintaining and preserving the audit trail. Depending on the specific regulatory mandate, IT may have some specific technical issues to deal with.
HIPAA, for example, requires that IT make its systems comply with specific data format rules. This will involve various data mappings and data translation middleware. "Healthcare companies need to get their systems to the point where they can accept and send standard electronic transactions," explains Shishida.
Sarbanes, on the other hand, requires that IT be able to test the business process by firing off synthetic transactions to stress every potential problem in the system. "IT must understand the business process and see where the fracture points are," says Cronin. And lightweight testing is unlikely to be accepted. Especially with Sarbanes, the outside auditors, who will be held accountable, will be unlikely to accept anything not thoroughly tested.
Although software vendors are slapping compliance-friendly labels on many software tools, from ERP systems to enterprise content management tools, new software implementation is not shaping up as a big compliance opportunity for many consulting firms. "There are tools for mapping and translation of data sets," says Shishida, but few healthcare organizations are going to deploy these tools internally. Typically, the consultants will use these tools. At the least, healthcare providers will turn to third-party transaction translation service providers.
For various financial compliance mandates, Aster Group generally recommends OutlookSoft, a reporting tool from OutlookSoft Corp., Stamford, CT. Breakaway Technologies more often implements Applix TM1, a business intelligence tool from Applix Inc., Westborough, MA. Fujitsu offers a unified corporate compliance framework that supports a variety of tools.
In the end, compliance from the IT standpoint is far less about deploying technology, although there is an element of that, than it is about understanding what's required, documenting processes, managing change, and maintaining an audit trail. Helping IT with this is where the compliance opportunities lie for most consulting firms.