Six Practices to Help Ensure Continued Corporate Compliance
By Sylvia Feldman, Corporate Writer, Optical Image Technology, Inc.
Running a business today is a far cry from what it was even five years ago. Government regulations have mandated strict policies that have changed the way that companies staff their businesses and keep their records. Whether HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, FERPA, the USA PATRIOT Act, or other compliance measures dictate your procedures, chances are good that within the past several years, your company has had to scramble to address a multitude of requirements prior to mandated deadlines.
At times, these measures can seem bewildering. Compliance is no longer the sole responsibility of a select few businesses. Smaller companies—which are usually subject to the same constraints as larger organizations—have difficulty addressing regulations if they do not have the manpower or resources to do so. Larger companies also struggle with compliance, as their infrastructure may be scattered and regulation management may be difficult. Compliance measures sometimes vary from state to state, which further complicates the scenario.
Failure to comply with industry regulations can result in criminal penalties (including imprisonment) for public companies doing business in the United States. Private companies that do not demonstrate compliance can be subject to significant civil penalties that potentially could result in substantial monetary fees and irreparable damage to an organization’s reputation. Most compliance-related requirements dictate the implementation of administrative, physical and technical precautions, but they do not necessarily recommend specific measures to take.
Ideally, you are already well aware of the regulations that apply to your business. Your organization has probably implemented control measures to facilitate compliance and has tested those controls. But once you have achieved compliance, how can you be assured that your organization will remain compliant? In a perfect world, compliance measures should be incorporated as part of your day-to-day business process. Below are six suggestions to help you to achieve that aim.
1. Collaborate and coordinate. In order to ensure continued success, it is essential that different departments work together and communicate about whether business processes fulfill compliance requirements. Involve IT in your compliance measures, but do not delegate it solely to your IT department. These days business processes transcend individual departments; it is critical to have involvement from all areas that are affected by regulations. As you implement new processes to facilitate efficiency, consider whether your existing compliance efforts will cover those processes.
Try to identify isolated compliance measures, and determine whether you can integrate them enterprise-wide. If different departments have implemented measures to address compliance requirements, integrating response efforts into one approach will eliminate the incidence of redundant systems. Often, your electronic document management system (EDMS) can be configured to use the same reporting tools to address different compliance requirements. A coordinated, holistic strategy will be much more effective than one made up of separate, disparate responses.
2. Evaluate security measures. Regularly encourage people from different departments to brainstorm about hypothetical ways in which information could be compromised, and take appropriate measures to ensure that security is not breached. If flaws exist within your system that put your company at risk, they are probably more apparent to your employees than to outsiders.
In order to become compliant, you probably had to examine and improve your security measures. What procedures can you apply that will ensure future security? If your system is still paper-based, it is important to make sure that your information will continue to be sufficiently protected in the future. Document your security procedures and continually reevaluate them. Have you implemented a means to authenticate who has accessed which files, and when? It is important to recognize the difficulty associated with ensuring continued security of paper files, and to look to technology to help your business ease that burden. Consider implementing a budgeting timeline that will help to alleviate a future transition to electronic files.
If your organization has already transitioned to an EDMS, make sure that accessibility to sensitive information is restricted to authorized users. The ability to monitor and report upon who has accessed files should be inherent within your EDMS, as should the ability to alert administrators if security has been compromised.
3. Examine privacy measures. Privacy is inextricably linked to security. A breach in one usually results in the compromise of the other. It is important to implement measures that eliminate the potential for protected information to be jeopardized. Using a paper-based system, it is almost impossible to guarantee the privacy of your customers’ information, or even that of your employees. EDMS is more secure, but again, it must have stringent encryption and protection capabilities—especially if your company is doing business over the Web.
4. Automate compliance measures. One aspect of compliance involves identifying weak internal controls. A good way to improve upon those control measures is to automate them where possible. With automation, you eliminate the potential for human error and loss of documentation. Automation also provides a quantifiable trail, identifying each step of the processes involved. After you have implemented, tested, and verified the validity of controls, determine which processes can be launched into automated workflows.
Some EDMS products even allow organizations to automate retention and destruction of documents. This ability ensures that information that is integral to business processes will be preserved, and that non-essential information will not consume storage space.
5. Document your efforts. At the heart of compliance measures is corporate responsibility. Duties should be segregated, and management should provide documented policies that outline employee responsibilities. Measures should be implemented to ensure that requirements and ethical practices are followed.
One common mistake that organizations make is documenting processes as they should be rather than as they currently exist. Even if there is room to improve your processes, it is important to portray them accurately. This sets a baseline, and provides outside auditors with a well-defined picture.
6. Manage your information. Regardless of whether your processes are paper-based or electronic, you must be able to both access and control your information. Management will ultimately be accountable for any documentation that is lost or misfiled. If auditors should request specific information, often it will have to be produced within a twenty-four-hour timeframe. Can your current system fulfill that requirement?
Information should be transparent; outside auditors should be able to trace and account for any financial interactions. The challenge is to implement far-reaching controls that can fulfill these requirements and at the same time be applied to new processes. If your organization is still using paper files, a transition to an EDMS will significantly ease your compliance efforts.
If you have already implemented EDMS, consider strengthening your current system by incorporating broad-spectrum controls. Do you have controls that are currently successful in isolated areas that can be applied to your enterprise? What reporting capabilities are available with your software? Does your current EDMS allow you to automate the capture and control of email messages? When you investigate the benefits of indexing and automated workflow as they apply to efficiency, consider ways in which those tools can improve your compliance measures. If you are serious about incorporating and demonstrating ethical business practices, you can ensure the continuity of your checks and balances long after your initial efforts to comply with regulations.
To learn about DocFinity document management and workflow software, or how to automate your processes to help facilitate compliance, please contact Optical Image Technology (http://www.docfinity.com) at 814.238.0038 or email info@docfinity.com.
©2006 Optical Image Technology, Inc. All rights reserved. DocFinity, IntraVIEWER, and XML FormFLOW are trademarks or registered trademarks of Optical Image Technology, Inc.


