IT risk: More rhetoric than action

There's no silver bullet but a well-resourced and capable internal audit function is critical for success

A sample report summary chart

A sample report summary chart

Several recent spectacular IT system failures causing millions of dollars impact on pre-tax profit indicate the framework to identify and treat risks in organisations is more rhetoric than action, according to Tabcorp's Dean Sleigh, Chief Audit Executive and Devan Naidoo, Head of Audit for Technology.

Examples include an airline’s booking system causing a $15–20 million impact on pre-tax profit following an IT failure of 11 days, and numerous bank payment and ATM system failures that have occurred over the last 12 months.

“Amazingly, these have been more common or more widely published in industries that place a high degree of reliance on IT to conduct their business,” Sleigh said.

Sleigh said the root cause of the problems is “poor IT controls”.

“The reality is that rhetoric is the poor cousin to action,” he said.

Naidoo said there was no “silver bullet to prevent IT failures”, but that “a commonsense approach with the right people focusing on the right things” was required.

Both Sleigh and Naidoo argue a well-resourced and capable internal audit function is critical for success.

“However, it is more often the case that the resources given to the internal audit team and their capability are not sufficient. The consequence of this is that the internal audit function fails to gain the necessary depth and coverage in its work to provide the assurance that stakeholders demand,” Sleigh said.

Naidoo said an appropriately resourced internal audit team should have an annual audit plan that considers all major risks at minimum. Management also has a role to play in bridging the gap if internal audit resources are fully committed elsewhere.

“Latent in this is the need to review IT applications and key elements of IT infrastructure,” he said. “In relation to IT applications, a high-performing internal audit team should be resourced and capable of conducting IT general controls (IT GC) testing against each and every critical IT application that the organisation relies upon to operate the business

Sleigh said the application population of nimble organisations is relatively small, “perhaps up to 20 applications”, but larger and more diverse organisations with multiple lines of business could use more than 100 applications, or separate instances, across the business.

“The scope of IT GC is not new and has been well defined over time. What is new is the risk associated with individual system failure and the growing proliferation of systems across organisations,” he said.

Naidoo cautioned that the audit response needs to keep pace with this growth while not seeking to review each and every application.

“The risk of failure of a particular application needs to be assessed in order to determine specific IT applications on which to focus,” he said.

The scope of IT general controls


Basic IT controls

  • Security and access: physical security; logical security; access rules and segregation of duties
  • Change management: authorisation and approval; migration and implementation
  • Computer operations: job processing; backups and restoration; incident management

Extended IT controls (examples)

  • Performance and capacity
  • Service desk and incident management
  • Data management
  • Third-party services
  • IT continuity

“Based upon our experience, we estimate that each application should take less than 10 days to test — hardly an onerous commitment when considered against the possible cost to the business if one of these applications fails,” Sleigh said.

In their professional experience, management (both business and IT management) should easily be able to provide the evidence required to pass IT GC, and should be working to a standard well above basic IT GC compliance. However, often while management says it is doing this, testing reveals otherwise.

They said the most common areas of weakness when testing IT GC are:

  • Systems access (password configuration and lack of user access reviews);
  • Change and release management controls; and
  • Backup and recovery processes.

It is also common to find issues relating to the maturity of processes for availability and capacity management, patching and virus management.

“Regrettably, the ability of many IT audit teams to clearly articulate weaknesses is compromised through reports that are overly technical. In our experience, a simple summary chart outlining pass or fail criteria is a more effective way to present findings to management,” Sleigh said.
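As an added illustration, not from the article or from Tabcorp's audit team, of how the common weaknesses listed above can be tested against a single application and reduced to the kind of pass/fail summary Sleigh describes, the Python below runs four hypothetical IT GC tests (password configuration, user access reviews, dormant accounts, segregation of duties) over a constructed extract of user administration data. The thresholds, password settings, role names, user names and dates are all assumptions; a real test would take them from the organisation's policy and the application's own administration module.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the article): what an IT GC test of one
# application's user administration might extract. All dates, thresholds,
# roles and user names are hypothetical.
REVIEW_DATE = date(2011, 9, 28)   # hypothetical date on which the test is run
MAX_REVIEW_AGE_DAYS = 90          # hypothetical policy: user access reviewed at least quarterly
MAX_DORMANT_DAYS = 60             # hypothetical policy: unused accounts disabled after 60 days

# Hypothetical password policy minimums versus the configuration actually found on the system.
PASSWORD_POLICY_MINIMUM = {"min_length": 8, "max_age_days": 90, "lockout_threshold": 5, "history": 5}
PASSWORD_CONFIG_FOUND = {"min_length": 6, "max_age_days": 90, "lockout_threshold": 0, "history": 5}

# Hypothetical segregation-of-duties rules: no single user may hold both roles of a pair.
SOD_CONFLICTS = [("vendor_create", "payment_approve"), ("journal_post", "journal_approve")]


@dataclass
class Account:
    user: str
    roles: set
    last_login: date
    last_reviewed: date


ACCOUNTS = [
    Account("alice", {"vendor_create"}, date(2011, 9, 27), date(2011, 8, 1)),
    Account("bob", {"vendor_create", "payment_approve"}, date(2011, 9, 20), date(2011, 8, 1)),
    Account("carol", {"journal_post"}, date(2011, 9, 15), date(2011, 3, 1)),
    Account("svc_batch", {"job_schedule"}, date(2011, 9, 28), date(2011, 9, 1)),
]


def check_password_configuration(found, minimum):
    """Settings whose configured value is weaker than the policy minimum."""
    return [setting for setting, floor in minimum.items() if found.get(setting, 0) < floor]


def check_access_reviews(accounts, as_of, max_age_days):
    """Accounts whose access has not been reviewed within the policy window."""
    return [a.user for a in accounts if (as_of - a.last_reviewed).days > max_age_days]


def check_dormant_accounts(accounts, as_of, max_dormant_days):
    """Accounts still enabled despite not having logged in within the policy window."""
    return [a.user for a in accounts if (as_of - a.last_login).days > max_dormant_days]


def check_segregation_of_duties(accounts, conflicts):
    """(user, conflicting role pair) for every user holding both roles of a rule."""
    return [(a.user, pair) for a in accounts for pair in conflicts if set(pair) <= a.roles]


def run_it_gc_tests(accounts=ACCOUNTS, as_of=REVIEW_DATE):
    """Run each control test and reduce it to a pass/fail verdict plus the evidence behind it."""
    findings = {
        "Password configuration": check_password_configuration(PASSWORD_CONFIG_FOUND, PASSWORD_POLICY_MINIMUM),
        "User access reviews": check_access_reviews(accounts, as_of, MAX_REVIEW_AGE_DAYS),
        "Dormant accounts": check_dormant_accounts(accounts, as_of, MAX_DORMANT_DAYS),
        "Segregation of duties": check_segregation_of_duties(accounts, SOD_CONFLICTS),
    }
    verdicts = {control: ("PASS" if not evidence else "FAIL") for control, evidence in findings.items()}
    return verdicts, findings


def summary_chart(verdicts):
    """One line per control for management; the supporting evidence stays in the working papers."""
    width = max(len(control) for control in verdicts)
    return "\n".join(f"{control:<{width}}  {verdict}" for control, verdict in verdicts.items())


if __name__ == "__main__":
    verdicts, findings = run_it_gc_tests()
    print(summary_chart(verdicts))
    for control, evidence in findings.items():
        if evidence:
            print(f"  {control}: {evidence}")
```

The chart deliberately carries only the verdicts; the detail behind each FAIL (which password setting is below the floor, which user holds a conflicting role pair) is kept separately so the technical evidence is available without cluttering the page management sees.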

Sample report summary chart

Management has prime responsibility for ensuring that the risk appetite is being satisfied as it applies to IT applications, leading by example in four simple ways, according to Sleigh and Naidoo.

“The first contribution management can make is to establish IT GC as a minimum standard. Building and enforcing policies to ensure IT GC is met is a tangible way of demonstrating such commitment.

“In simple environments, this can be easily achieved,” Naidoo said.

However, in complex environments with multiple applications and often large elements outsourced, this requires active engagement and clear expectation setting with the outsource providers. Many organisations outsource parts of their IT operations to third-party providers and rely on Statement of Auditing Standards No 70 (SAS 70) reports to provide assurance over IT controls for the outsourced services.

The passive receipt of SAS 70 style comfort letters is often insufficient, says Naidoo, as these are often unclear regarding:

  • Exactly what was tested — the controls selected and the extent of testing for the control objective may be insufficient to provide the level of assurance required; and
  • Scope and coverage — SAS 70 reports often cover multiple organisations and therefore it is important to understand if the same level of controls is applied by the third-party provider over your organisation’s IT systems.

Sleigh says the second contribution management can make is to “actively expect relevant members in management teams to accept that they have a role to play in IT GC”. This emphasis, he says, can be used to push down the importance of IT GC to those best placed to ensure it is met, and gives those team members the opportunity to spend the time required to ensure it is met. Many IT organisations have adopted elements of the COBIT maturity model to assess the current state and define the target maturity level for IT controls. COBIT also provides a common language and can be mapped to international standards such as ITIL and ISO 27000.

“When properly articulated, we have not seen a business owner argue against IT GC as being important!” Sleigh said.

He said the third thing management can do to support broader adoption of IT GC across the organisation is to reduce the expectation on external audit. The focus of external audit is on the financial statements. This responsibility will rarely extend to testing for IT GC across every major application; it may only extend to testing the key financial systems, and even this is not always clear. Reliance on external audit in relation to broad IT GC assurance is not wise.

Management should also support an improved environment by advocating that internal audit has a comprehensive program of work to review IT GC for each material application. “This advocacy may require a long-term commitment, but the rewards via a better-controlled environment and broader understanding of IT GC across the business will be well worth the effort,” Naidoo said.

“As we increase our reliance on IT applications to execute everyday transactions, it is critical that we continue to evolve the control environment of the organisation. The rapid growth in customer-facing and customer-impacting applications is actually making the IT environment more complex and fragile,” he said.
