When the US Sarbanes-Oxley Act was first enacted in 2002 in the wake of several very visible accounting scandals, small to medium enterprises (SMEs) may have felt they dodged a very expensive bullet. The requirement to document processes for governance, risk management and compliance (GRC), and have them confirmed by outside auditors, applied only to publicly traded companies. Unlike their publicly traded brethren, SMEs were not forced to purchase costly GRC software, did not have to redirect resources from their normal daily tasks to prepare for audits and did not have to change their methods of operation to comply with a government mandate.
Yet a funny thing happened in large enterprises as a result of that “bullet.” While at first they did it just to check off the “compliance” box on their list of tasks, in time they found that they were operating more efficiently, lowering their costs, driving innovation and becoming more agile. The focus in GRC shifted from the “C” to the “G” and the “R.” And as SMEs stood on the sidelines and watched, suddenly the idea of following a GRC regimen started looking more attractive.
What was not attractive was the price tag for those first-generation GRC solutions. Now, with the introduction of second-generation GRC solutions, the price has come down significantly. In fact, some second-generation GRC solutions are one-third the cost (or less) of the first-generation products.
Still, SMEs are not required to demonstrate compliance to outside auditors or to the government. So how does an organization decide whether the benefits of implementing a second-generation GRC solution outweigh the cost? Here are some things to consider:
Compliance may not be required for SMEs, but sound business practices, tight controls and agility are—especially in the current economy. Second-generation GRC solutions give SMEs the tools they need to act like the “big boys”—and reap all the attendant benefits. They also make SMEs more attractive business partners for enterprises that are required to demonstrate compliance. When all the factors are considered, it is apparent that GRC is not the bullet that SMEs thought they dodged, but a powerful weapon to increase competitive advantage. And now is the time to seize the opportunity.
Collaborate with ISACA members and access additional resources on this topic in the ISACA Knowledge Center located at www.isaca.org/knowledgecenter.
Dan Wilhelms is president and chief executive officer (CEO) of SymSoft Corp., the makers of ControlPanelGRC, professional solutions for compliance automation (www.controlpanelgrc.com). He can be reached at [email protected].
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.