Felix Kramer
Senior Manager, IT & Controls Assurance
Regulatory requirements
There are hardly any industries left in which IT has not become a key element for the implementation of strategic goals. In addition to the realized efficiency benefits, dependency is also increasing - in which company does an IT failure not yet lead to significant disruptions in business operations? The availability of IT support is only one aspect of a multitude of factors that are essential for business success.
Regulatory authorities use the means of regulatory requirements, i.e. the definition of minimum requirements (not only) for IT, to improve the security level of IT and deliberately establish risk-oriented decisions in IT management processes. This applies across the board to regulatory requirements, regardless of whether these requirements have been formulated by BaFin for the financial sector (such as VAIT in the insurance sector and BAIT in the banking sector), by BSI for critical infrastructures (such as the Security Act and the KritIS Regulation) or are uniformly specified throughout Europe by the EU General Data Protection Regulation (GDPR). In addition to a purely cost-oriented, quantitative evaluation basis, decisions must therefore also take qualitative aspects into account.
Challenges and opportunities
The implementation and compliance with regulatory requirements for IT cannot be managed by the IT department alone, but regularly affects several business areas and therefore requires a holistic approach. In order to assess existing risks as well as to define necessary measures, an understanding of the business impact is necessary. For example, which business processes are dependent on the use of e-mail? Which business processes depend on the functions of the document management system? What effect does a malfunction have - are regulatory requirements affected? How do customers react?
Regularly, companies are adequately positioned in the operative areas to deal with individual requirements. However, there are often weaknesses in overall control and responsibility, both within the sub-areas (tactical gap) and across the board at company level (strategic gap). In our experience, assigning measures to the required management level leads to an efficient and more effective implementation. Ideally, the measures for compliance with regulatory requirements are implemented in the form of a management system (e.g. data protection management system, tax compliance management system, information security management system). Risks and control objectives are often addressed by joint controls - thus, if the management systems are well planned and integrated, redundancies can be avoided and multiple requirements can be covered with the same measure.
Regulatory requirements regularly extend to all management levels of a company. At which control level are measures required to optimize their effectiveness?
We offer you a proven approach to transparently identify gaps in the fulfillment of regulatory requirements - but also the hidden potential - and implement them with suitable measures.
A one-time, point-in-time implementation does not correspond to the ideas of the regulators. Within companies, such an approach leads to frustration and additional costs due to recurring comments from audits and ultimately failed projects. Companies with appropriate processes are able to implement new or changed regulatory requirements quickly and economically. A continuous improvement process (CIP) ensures that regular readjustments are made and that even changed requirements are recognized and taken into account in time.
Regulatory requirements must be fulfilled by the company - but the successful implementation is the responsibility of the employees. In order to be able to deal successfully with the topic of regulatory requirements in the long term, the organization should "live" an appropriate awareness. We support you with workshops and coaching in the successful implementation!
The BDO difference
Our team in the IT Controls & Assurance department uses interdisciplinary expertise from auditing and consulting projects to help you determine the status of implementation in your company and to identify and understand gaps. Together with you, we discuss suitable measures to enable you to implement them quickly and efficiently. Starting on a strategic level, through tactical measures to operational processes.
You can find further informationen on our following sites as well:
