The overwhelming range of new duties brought on by corporate reform legislation has prompted many companies to create the position of chief compliance officer.
The problem is, companies are not always clear on who the chief compliance officer should report to or even what that person should do, the Wall Street Journal reported.
The Sarbanes-Oxley Act does not require the new position, but 36 percent of companies now have a chief compliance officer, according to a recent study from market research firm Meta Group. In the pre-Enron era, the chief financial officer usually handled financial compliance work, while other types of compliance fell under the duties of a chief operations officer or were spread throughout the business.
The Meta Group found two common problems with how companies handle the new position: too many companies are allowing the CEO to supervise the CCO, and companies are not working on developing a good relationship between the CCO and chief information officer.
Meta, which surveyed 300 executives, says 45 percent of companies with a CCO have that person reporting to the top executive, which is a bad idea. The CCO would be in an awkward position if the CEO were involved in any compliance problems.
"We believe this role should report directly to the board of directors," said Meta in its study. CCOs should meet regularly with board members, at a minimum. Only 10 percent of CCOs reported to the chairman or the board; 17 percent reported to the CFO, 13 percent to the chief information officer and 6 percent to legal personnel. And 7 percent of respondents didn't know who their CCO reported to, the study said.
Another problem was the lack of coordination between the CCO and the CIO, who can help the CCO understand software used in compliance work.
"The chief compliance officer absolutely has to lean on the CIO to understand where the hooks and liabilities are," said David Yockelson, a senior vice president at Meta Group.
The CIO should create a technology blueprint for compliance functions, because various Sarbanes-Oxley requirements call for different kinds of technology, the Meta Group says. The IT department's compliance is also a major part of a company's overall compliance work, according to the research group.