Purpose:

Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.

Objective:

Ensure that the enterprise is compliant with all applicable external requirements.

Description:

<?>

Inputs:

  • Compliance audit results
  • Results of installed licence audits
  • Licence deviations
  • Insurance policy reports
  • Rules for validating and approving mandatory reports
  • Assessment of reporting effectiveness

Outputs:

  • Compliance requirements register
  • Log of required compliance actions
  • Updated policies, principles, procedures and standards
  • Communications of changed compliance requirements
  • Identified compliance gaps
  • Compliance confirmations
  • Compliance assurance reports
  • Reports of non-compliance issues and root causes

Controls:

  • Legal and regulatory compliance requirements

Task Instructions:

Identify External Compliance Requirements

    1. Assign responsibility for identifying and monitoring any changes to legal, regulatory, and other external contractual requirements relevant to the use of IT resources and the processing of information within the business and IT operations of the enterprise.

    2. Identify and assess all potential compliance requirements and the impact on IT activities in areas such as data flow, privacy, internal controls, financial reporting, industry-specific regulations, intellectual property, health, and safety.

    3. Assess the impact of IT-related legal and regulatory requirements on third-party contracts related to IT operations, service providers, and business trading partners.

    4. Obtain independent counsel, where appropriate, on changes to applicable laws, regulations, and standards.

    5. Maintain an up-to-date log of all relevant legal, regulatory, and contractual requirements, their impact, and required actions.

    6. Maintain a harmonized and integrated overall register of external compliance requirements for the enterprise.

Optimize Response to External Requirements

    1. Regularly review and adjust policies, principles, standards, procedures, and methodologies for their effectiveness in ensuring necessary compliance and addressing enterprise risk, using internal and external experts as required.

    2. Communicate new and changed requirements to all relevant personnel.

Confirm External Compliance

    1. Regularly evaluate organizational policies, standards, procedures, and methodologies in all functions of the enterprise to ensure compliance with relevant legal and regulatory requirements in relation to the processing of information.

    2. Address compliance gaps in policies, standards, and procedures on a timely basis.

    3. Periodically evaluate business and IT processes and activities to ensure adherence to applicable legal, regulatory, and contractual requirements.

    4. Regularly review for recurring patterns of compliance failures. Where necessary, improve policies, standards, procedures, methodologies, and associated processes and activities.

Obtain Assurance of External Compliance

    1. Obtain regular confirmation of compliance with internal policies from business and IT process owners and unit heads.

    2. Perform regular (and, where appropriate, independent) internal and external reviews to assess levels of compliance.

    3. If required, obtain assertions from third-party IT service providers on levels of their compliance with applicable laws and regulations.

    4. If required, obtain assertions from business partners on levels of their compliance with applicable laws and regulations as they relate to intercompany electronic transactions.

    5. Monitor and report on non-compliance issues and, where necessary, investigate the root cause.

    6. Integrate reporting on legal, regulatory, and contractual requirements at an enterprise-wide level, involving all business units.