CAMBRIDGE, Mass. — The business of IT compliance can seem nearly impossible, with its regulatory landmines, implementation nightmares and integration roadblocks.

Still, as compliance programs continue to evolve into high-profile parts of financial organizations' infrastructure, it is imperative that CIOs be up to the task of steering such initiatives, experts say.

Credit unions struggling with IT compliance are hardly alone. A recent Forrester Research report finds that most IT compliance programs–regardless of size–are often ill-prepared to handle key integration, data management, and assessment challenges.

"Constant pressure to comply with numerous regulations combined with ineffective compliance programs have forced IT leaders to rethink their strategy for managing IT controls," says the report, lead authored by Forrester's Marc Othersen.

"Unfortunately, most IT compliance programs are ineffective at sustaining compliance with regulations and other governing sources," he says.

The report cites a lack of consistency in control mechanisms, most notably among multi-site locations. Such inconsistencies logically lead to disparities in both audit findings and general compliance matters.

In addition, these same controls are often isolated from business risk and can be contradictory. Compliance can then lag as well, as business and IT controls fail to align. Finally, these listed weaknesses combine to create ineffective control testing rife with misleading, contradictory and inconclusive data outputs.

However, these same faults–if recognized early as potential pitfalls–can be turned to good use. According to Othersen, any organization can create a robust, sustainable and consistent approach to regulatory and compliance processes through an emphasis on four capabilities.

Perhaps not surprisingly, good IT programs stem from good leadership, the Forrester report says. Arguably the greatest weakness in such programs lies in poor management, a problem easily resolved through clear, pre-practice specification of IT controls, Othersen says in the report. Rigid control mechanisms ensure consistency, as does the ability to easily handle necessary changes and maintenance, he says.

This same rigidity should then also be applied toward proactive regulatory research. This research–in conjunction with compliance–ensures control mechanisms are being both continuously monitored and assessed. And, these processes ensure true traceability of IT controls within a bigger, business risk framework, Forrester says.

The report also emphasizes the sister element–and weakness–of control deficiencies. Identification and remediation of control deficiencies are critical to fluid IT compliance. A common flaw in compliance, according to Forrester, is an over-emphasis on internal audits versus self-testing of controls.

Self-testing–when executed regularly–picks up on IT problems before they become full-fledged compliance issues, the research and advisory firm argues. A similar approach should be employed in addressing problems if and when they emerge. Establishing clear decision support mechanisms can quickly resolve identified problems plus record such decisions for future reference, the Forrester report says.

Along these same lines, measuring and reporting mechanisms should mirror decision support processes both in efficiency and specificity. IT control reporting must not only produce results, but also information useful to key IT and business executives to determine context within a bigger, business risk framework.

Othersen says the same holds true when establishing business requirements for these frameworks, most notably among analysts and system developers reviewing controls prior to full-fledged implementation. The same goes for reporting requirements for these consultants.

To summarize: IT compliance begins and ends with consistency. Proactive and proper governance, metrics, reporting and control mechanisms combine to create a systematic, efficient process more easily measured and implemented. Automation can further enhance the process when it's available and can help an organization go a long way toward meeting omnipresent compliance and regulatory challenges.
