Wednesday, Lumigent Technologies CEO John Capobianco wrote a guest opinion piece for IT Business Edge about his company's compliance IQ quiz. The 25-question, multiple-choice quiz is designed to be a reality check for those who take it, he says, regarding their awareness of the impact compliance can have on a business. "You don't have to be an auditor to take it," he says.
He's right. I took the quiz and got 20 questions correct. It's not great, but for someone who merely writes about these things rather than actually doing them every day, it's not horrible, either. And it did make me aware of a few areas that could probably stand more discussion here, for the sake of variety, if not to improve my own knowledge. More on that in a bit.
For those who would prefer not to actually take the quiz, Capobianco cuts to the chase and lays out the lessons he and the others at Lumigent hope it will teach us. He writes:
When you break compliance out of its traditional IT GRC niche - the general computer controls, operational controls, and other issues associated with IT governance, risk and compliance - and automate compliance processes elsewhere in the organization, you discover some rewarding opportunities.
Those opportunities include saving money, the ability to meet reporting mandates that come out of the ongoing reform efforts and protection from the prosecution that Wall Streeters who didn't care about regulatory requirements have eventually faced.
All of these are valid points, and I'm sure those who implement automation technology like that offered by Lumigent would readily agree. But taking the quiz also yields more immediate benefits. One, it reveals gaps in your compliance knowledge, which you can then work to fill. For example, the first question on the quiz asked what the acronym DCAA stands for. I was sure it had something to do with government contractors, but I had no idea what it actually stands for and did not take the time to Google it. I just chose an answer. And even though the quiz results page didn't tell me which five questions I answered incorrectly, this was most likely one of them.
The correct answer? The Defense Contract Audit Agency. Since I don't cover the DCAA much, I didn't know what it was, really, other than a vague notion. But that doesn't mean I should continue to be clueless about defense contractors and the requirements they must meet. In fact, it might prove to be an interesting change of pace for readers.
Also, I most likely missed questions that addressed COSO standards and other IT best practices. Though I read about them quite a lot, I am more comfortable writing about legal and regulatory standards because, for the most part, I can wrap my brain around those a little more easily. I am not a techie at heart. And though that's a tad embarrassing given that I work for an IT Web site, it reinforces the idea that so many of my sources have espoused in the last several years: in order for compliance efforts to be successful, IT, legal and business management teams have to buy in. No one department is equipped to handle compliance alone.