Third in a series.
High-level directives that set the tone for managing compliance policies may come from corporate accounting or, in the largest companies, from the office of the chief financial officer or chief information officer.
But most of the day-to-day planning and responsibility for the operational success of a compliance program
For example, the finance department at Paxson Communications Corp., in West Palm Beach, Fla., is the source of decision making when it comes to the Sarbanes-Oxley Act (SOX) of 2002. Scott Saunders, director of systems technology at Paxson, said he spent more than 50% of his time between May and December writing narratives that describe process controls.
Since policy is really about governing behavior across the whole company, putting the compliance burden on the IT staff is not always helpful, said Scott Crawford, an analyst at Enterprise Management Associates, a Boulder, Colo., consulting firm. "In reality, everyone from the top executives to the help desk employees must play a role in helping to guide process management," he said.
But it is important to make sure there is one department in charge of all compliance. Michael Rasmussen, an analyst at Forrester Research Inc., a Cambridge, Mass., consulting firm, cited an example of an insurance company that had a
Rasmussen envisions a corporate security team -- led by either a chief security officer or a chief policy officer -- as the most logical group to develop an organization's compliance policy. However, he said, an operations staff must also be in the loop so it can install technologies that support the requirements of compliance.