A survey of multinational corporations found those companies that performed internal audits spent less per capita on compliance than those that didn't perform any.
The penalties for being out of step with compliance mandates are not
going away, and neither is the cost of keeping up with regulations.
However, a new report from the Ponemon Institute revealed that more
compliance audits can actually have the effect of lowering the price tag.
to the study
(PDF), which included responses from 160 business leaders
spanning 46 multinational companies, the average cost of compliance is more
than $3.5 million. Twenty-eight percent of those surveyed said they do not
conduct internal compliance audits, while 22 percent responded they conduct
between three and five a year.
Those in the latter group had a lower per capita compliance cost than those
in the former. Organizations with three to five internal compliance audits each
year averaged a cost of $154 per capita. In contrast, those that did not
perform internal audits had a compliance cost of $341 per capita, and their noncompliance
of the consequences
of compliance failure-stands at $1,275 per capita.
"I believe that the reason why internal audits reduce compliance cost
is that they help prioritize the organization's overall compliance efforts,"
explained Larry Ponemon, chairman of the Ponemon Institute. "This
leads to greater efficiency in managing the total compliance burden. In other
words, companies that do not conduct audits appear to be less efficient in
their ongoing program management of data protection and privacy efforts."
If companies spent
more on compliance
in areas such as audits, enabling technologies, training
and expert staffing, they could recoup their expenditures and possibly
more by reducing the cost of the consequences of being out of compliance, the
The total cost of compliance varies significantly between industries,
ranging from $6.8 million for education and research to more than $24
million for the energy sector. In terms of budget allocation, the areas of
considerable cost include complying with laws and regulations
($1,588,900), addressing internal policies and procedures ($1,190,005),
and funding contractual agreements with partners, vendors and data
protection authorities ($564,230), according to the report.
A consistent theme in the institute's studies on data breach and compliance
issues has been the role of strong management in maintaining and
reaching regulatory compliance, Ponemon said.
leadership or sponsorship
of data protection, privacy and information
security initiatives almost always leads to a more favorable program effort and
outcome," he said. "One reason for this finding is that executive
support translates into a larger program budget, which results in the purchase
of cutting-edge technologies, professional staff and more."
Unfortunately, compliance regulations have become a necessity because
very few organizations have voluntarily created a secure environment for
sensitive data, opined Rekha Shenoy, vice president of strategy at Tripwire,
which commissioned the study.
"I believe that executive leadership involvement is imperative to be
able to create a culture of not only compliance, but also of security," she
said, adding that no industry or public sector is really improving in this
"The difference between companies that are improving and those that
have a wider gap is likely executive leadership," she said. "We see
the common thread being the number of internal audits occurring-which happens
with executive support. So when the compliance dollars go toward investing in
automated compliance and good security practices, the business reaps the
benefits. We are excited that we have good economic data to prove what the
industry has been debating for some time."