Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
Ensure that the enterprise is compliant with all applicable external requirements.
Identify External Compliance Requirements
Assign responsibility for identifying and monitoring any changes to legal, regulatory, and other external contractual requirements relevant to the use of IT resources and the processing of information within the business and IT operations of the enterprise.
Identify and assess all potential compliance requirements and the impact on IT activities in areas such as data flow, privacy, internal controls, financial reporting, industry-specific regulations, intellectual property, health, and safety.
Assess the impact of IT-related legal and regulatory requirements on third-party contracts related to IT operations, service providers, and business trading partners.
Obtain independent counsel, where appropriate, on changes to applicable laws, regulations, and standards.
Maintain an up-to-date log of all relevant legal, regulatory, and contractual requirements, their impact, and required actions.
Maintain a harmonized and integrated overall register of external compliance requirements for the enterprise.
Optimize Response to External Requirements
Regularly review and adjust policies, principles, standards, procedures, and methodologies to confirm that they remain effective in ensuring the necessary compliance and in addressing enterprise risk, using internal and external experts as required.
Communicate new and changed requirements to all relevant personnel.
Confirm External Compliance
Obtain Assurance of External Compliance
Obtain regular confirmation of compliance with internal policies from business and IT process owners and unit heads.
Perform regular (and, where appropriate, independent) internal and external reviews to assess levels of compliance.
If required, obtain assertions from third-party IT service providers on their levels of compliance with applicable laws and regulations.
If required, obtain assertions from business partners on their levels of compliance with applicable laws and regulations as they relate to intercompany electronic transactions.
Monitor and report on non-compliance issues and, where necessary, investigate the root cause.
Integrate reporting on legal, regulatory, and contractual requirements at an enterprise-wide level, involving all business units.