Network Computing, Powered by InformationWeek


Compliance for Multinationals

By Elizabeth Wasserman

Globalization helped BasWare, a financial management software manufacturer founded in 1985 in Finland, to expand into eight different subsidiaries scattered throughout Europe and the United States. But now that the company is multinational, executives are grappling with how to comply with a growing assortment of regulations covering data privacy, accounting, and financial reporting in each of these locations.

BasWare CIO Sakari Perttunen says the IT department helps the company comply with regulations in many different countries at once by focusing on some common principles underlying the laws. BasWare achieves transparency in its operations by deploying an enterprise-wide software system that connects all financial, human resource, and manufacturing data. The company has also developed a document management policy to help it comply with everything from privacy regulations covering employees to accounting rules.

These days, meeting compliance requirements in one country is enough of a challenge. In the U.S. alone, new state and federal laws require companies to file more accurate financial reports, attest to the accuracy of their internal controls, and better protect the private data of customers and employees. Many other nations around the world and some cross-governmental bodies -- such as the European Union -- have approved their own sets of laws.

CEOs are clearly worried. PricewaterhouseCoopers surveyed 1,300 CEOs worldwide and reported in a study released earlier this year that while 68 percent of respondents were confident in the ability of their organizations to meet domestic laws, only 26 percent were confident in their organization's ability to respond to foreign laws. The bottom line: A majority of CEOs answering the survey -- 60 percent -- see over-regulation as a significant threat to future business growth.

CIOs of multinational corporations must help their organizations comply with requirements from several countries at once by being efficient, sharing knowledge, and -- foremost -- understanding the various rules. CIOs need to pay attention to recurring compliance requirements and develop a framework to coordinate compliance efforts with other risk and security programs already under way.

First, it's important for a CIO to understand the various categories of laws and how they vary in different regions of the world:

  • Corporate governance: The rash of corporate accounting scandals -- such as Enron and WorldCom in the U.S. and Parmalat and Royal Ahold in Europe -- led to a series of laws requiring stricter financial accountability for publicly traded companies. In the U.S., the Sarbanes-Oxley Act of 2002 was the most far-reaching, requiring companies to not only certify their financial reports and have oversight by directors and auditors, but to attest to their underlying internal financial reporting processes, or controls. This law goes further in setting rules than the European measure it is most often compared to, the EU's proposed 8th Company Law Directive on Statutory Audit. Like Sarbanes-Oxley, the EU proposal -- which must be approved as national law by all member states -- requires directors and auditors to take more responsibility for protecting investors. But it doesn't require as much documentation of internal controls as Sarbanes-Oxley, which has become a costly and time-consuming process for U.S. companies.
  • Customer data: The EU led the way with the Data Protection Directive, first proposed in 1995 and put into law by most member countries. This regulated basic privacy principles, requiring that "data" -- both electronic and paper-based -- be collected only for legitimate reasons and not be stored longer than necessary. The organization collecting information must give the "data subject" notice, explaining who will have access to the data and why it is being collected. The U.S. currently has no overall federal baseline privacy law. However, laws exist requiring the financial services industry to protect customer privacy (Gramm-Leach-Bliley), and other laws require the health care industry to protect patient privacy (Health Information Portability and Accountability Act). New state laws -- starting in California but spreading to other states -- now require companies that collect data to notify consumers when files containing their personal information have been stolen or lost.
  • Accounting: An EU regulation mandates that all companies publicly listed in member countries need to produce their financial statements under International Financial Reporting Standards (IFRS) as of 2005. That spurred more than 90 countries to move to the IFRS accounting standards. The U.S., which requires companies to follow the Generally Accepted Accounting Principles (GAAP), agreed earlier this year that EU nations would no longer have to adapt to the U.S. standards by 2009. For the banking industry, which is already heavily regulated around the world, the adoption of the Basel II accords last year adds an additional layer of compliance. Basel II came out of deliberations by central bankers from around the globe striving for uniformity in regulations pertaining to risk management. Basel II requires banks to allocate adequate capital to cover possible future losses and directs them to identify and separate credit risk, market risk, and operational risk. There is some overlap between many of these regulations -- Sarbanes-Oxley and Basel II share some operational risk components -- but the challenge for the banking industry is to find commonality and build a strategic IT approach to compliance.

"Compliance is expensive. IT and the CIO can play an important role in helping control compliance costs," says Paul Hamerman, vice president of enterprise applications for Forrester Research. One way to keep compliance expenditures under control is to seek technologies that support a wide variety of compliance processes. "A foundation of content management systems and records management and data repositories -- these building blocks can support a variety of these compliance requirements," Hamerman adds.

Here are some ways that CIOs can help their organizations comply more efficiently:

  • Invest in technology tools: Software is available to help companies catalog and document the existence and effectiveness of internal controls, as required under Sarbanes-Oxley. Web services also have the potential to help organizations pull information from different data sources into reports.
  • Consolidate applications: For better efficiency and faster reporting of financials, look at the organization's applications infrastructure with an eye toward streamlining.
  • Create document management policies: Some new regulations require companies to document processes and decisions. This includes everything from e-mail archiving to better protection of customer privacy by limiting access to personally identifying information in documents.
  • Automate testing process: For companies that need to verify and analyze internal controls, it is possible to automate the testing process so that all of the transactions can be analyzed more easily.

Finally, the way companies approach compliance is also important. "We saw a separation between those who approached this topic as a way to create value and competitive advantage versus those who look at it more as a cost," said Dan DiFilippo, PricewaterhouseCoopers' Global Leader for Performance Improvement. "Those who look at compliance as an investment report that they are getting more out of it in the end."

Elizabeth Wasserman has written about technology and business for Inc., CIO Insight, and the San Jose Mercury News. She is a freelance writer based in Fairfax, Virginia.

 

Copyright © 2008 United Business Media LLC