
Breaking the Audit Cycle

Posted by Court Little on Fri, Mar 19, 2010 @ 09:25 AM
In today's world, especially among folks dealing with information security, it seems that the security provisions put in place to protect "information" are just not enough. This too often appears true whether the information is Personal Health Information (PHI), or Personal Identification Information (PII), or Credit Card Holder data (CCH) or even just information about where you shop.

In response to these inadequacies, governments and private organizations have created myriad standards and regulations with which businesses must comply. In the last decade alone, we've seen the creation of SOX, PCI, a number of state regulations, and now HITECH for protecting sensitive information. Regardless of whether yours is a public or a private company, local, regional, national, or multinational, you probably have to go through at least a few audits every year.

One common thread when undergoing an audit is the scramble to collect - and on most occasions, generate - the documentation and evidence required to prove compliance. The audit team gathers whatever it can and somehow submits it to the auditors/assessors. The most challenging part is that the same scramble repeats at the next audit, and the one after that; it really is a never-ending cycle.

Compliance management is a well-known problem; there is no silver bullet. An effective and efficient compliance management solution requires the following three components to work harmoniously: process, people, and technology.

Process: To change an audit from an unpleasant experience to something that's part of "normal" operations, create a business process for compliance management. With senior management support as its key prerequisite, a compliance management program that is aligned with clearly defined objectives can be very effective, especially when the right combination of people and technology is deployed to execute the program.

People: Regardless of whether you have qualified (and available) internal staff, or you choose to partner with consulting firms, you need resources that have established expertise in the area. In the short term you can get help performing pre-assessment and associated remediation, and in the long term you are able to integrate the requirements into the compliance management and information security programs, or create one if none exists. Whichever way you decide to proceed, the end result should be a competent team of individuals responsible for managing and maintaining compliance.

Technology: It's a shame that there really aren't enough solutions in the market that can help organizations with their overall compliance management programs. Those that are available are limited to some parts of technical compliance, or not as widely known; hence, many companies are still using Excel spreadsheets. Simply stated, organizations need a central point or portal that can be used to collect status responses for all applicable requirements, along with required documents and evidence needed to prove compliance. It would be even better if the tool included a mapping of requirements across all applicable regulations and standards. The idea is to automate as much of this process as possible so that the audit team can obtain all required information from one location during an audit.

Bottom line: if an organization wants to get away from the chaos that an audit creates, it must commit to putting together a compliance management program built on a process with clear objectives, a competent team with expert support, and the right automation tool with comprehensive and flexible coverage.
