U.S. companies are expected to invest billions of dollars this year in technologies and consulting services to help them comply with Sarbanes-Oxley, HIPAA and other regulations. But few will be able to quickly leverage those investments to improve their internal business processes, IT executives and analysts said this week.
That’s because most companies are focused on meeting rapidly approaching regulatory deadlines, according to speakers at a compliance-related conference held by IBM Corp.
For instance, the race to meet the Sarbanes-Oxley deadline for documenting internal controls is preventing companies from making far-reaching changes to their operations as part of their projects, said Susanne Ruschka-Taylor, who works at IBM’s Business Consulting Services unit.
“If you’re going to spend (billions of dollars) on these initiatives, you might as well get something out of it,” said Adrian Bowles, an analyst at the IT Compliance Institute, a Seattle-based research organization that focuses on government regulations and their effect on technology.
But that’s easier said than done for companies that are wrestling with compliance deadlines for a slew of federal regulations, including Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and the USA Patriot Act. Some regulatory analysts have said it makes more sense for companies to install compliance frameworks than it does to buy stand-alone systems to support each regulation. Such frameworks would provide users with a set of monitoring tools that they could apply to all regulatory requirements.
“We’re not that sophisticated yet, but it’s something we’re trying to work toward,” said John Benninger, senior vice-president of risk management and corporate governance at Huntington Bancshares Inc. The Columbus, Ohio-based bank has set aside about US$500,000 for compliance with Section 404 of Sarbanes-Oxley, Benninger said. The project includes the use of IBM’s Lotus Workplace for Business Controls and Reporting software.
Huntington began entering data about its financial controls into the system in October. By the end of this month, it plans to go live with Version 2 of the software, which was announced this week.
“I have to admit, we have a lot of work ahead of us,” said David Lindstrom, chief privacy officer at Pennsylvania State University.
Students at the university’s School of Information Sciences and Technology are developing a wireless system based on IBM’s DB2 Everyplace mobile database to create, update and delete patient records securely from any location at Penn State’s Milton S. Hershey Medical Center. The wireless system will help Penn State meet HIPAA’s data requirements for patient privacy. But Stan Aungst, assistant professor of information sciences and technology, said school officials haven’t decided when the technology will be put into use.