Several recent spectacular IT system failures causing millions of dollars impact on pre-tax profit indicate the framework to identify and treat risks in organisations is more rhetoric than action, according to Tabcorp's Dean Sleigh, Chief Audit Executive and Devan Naidoo, Head of Audit for Technology.
Examples include an airline’s booking system causing a $15–20 million impact on pre-tax profit following an IT failure of 11 days, and numerous bank payment and ATM system failures that have occurred over the last 12 months.
“Amazingly, these have been more common or more widely published in industries that place a high degree of reliance on IT to conduct their business,” Sleigh said.
Sleigh said the root cause of the problems is “poor IT controls”.
“The reality is that rhetoric is the poor cousin to action,” he said.
Naidoo said there was no “silver bullet to prevent IT failures”, but that “a commonsense approach with the right people focusing on the right things” was required.
Both Sleigh and Naidoo argue a well-resourced and capable internal audit function is critical for success.
“However, it is more often the case that the resources given to the internal audit team and their capability are not sufficient. The consequence of this is that the internal audit function fails to gain the necessary depth and coverage in its work to provide the assurance that stakeholders demand,” Sleigh said.
Naidoo said an appropriately resourced internal audit team should have an annual audit plan that considers all major risks at minimum. Management also has a role to play in bridging the gap if internal audit resources are fully committed elsewhere.
“Latent in this is the need to review IT applications and key elements of IT infrastructure,” he said. “In relation to IT applications, a high-performing internal audit team should be resourced and capable of conducting IT general controls (IT GC) testing against each and every critical IT application that the organisation relies upon to operate the business
Sleigh said the application population of nimble organisations is relatively small — “perhaps up to 20 applications” but larger and more diverse organisations with multiple lines of business, could use more than 100 applications, or separate instances, across the business.
“The scope of IT GC is not new and has been well defined over time. What is new is the risk associated with individual system failure and the growing proliferation of systems across organisations,” he said.
Naidoo cautioned that the audit response needs to keep pace with this growth while not seeking to review each and every application.
“The risk of failure of a particular application needs to be assessed in order to determine specific IT applications on which to focus,” he said.
The scope of IT general controls
Basic IT controls
Extended IT controls (examples)
Security and access
• physical security
• logical security
• access rules and segregation of duties
Performance and capacity
Service desk and incident management
• authorisation and approval
• migration and implementation
• job processing
• backups and restoration
• incident management
“Based upon our experience, we estimate that each application should take less than 10 days to test — hardly an onerous commitment when considered against the possible cost to the business if one of these applications fails,” Sleigh said.
In their professional experience, management (both business and IT management) should easily be able to provide the evidence required to pass IT GC. It should be working to a standard well above basic IT GC compliance. However often, while management says it is doing this, testing reveals otherwise.
They said the most common areas of weakness when testing IT GC are:
- Systems access (password configuration and lack of user access reviews);
- Change and release management controls; and
- Backup and recovery processes.
It is also common to find issues relating to the maturity of processes for availability and capacity management, patching and virus management.
“Regrettably, the ability of many IT audit teams to clearly articulate weaknesses is compromised through reports that are overly technical. In our experience, a simple summary chart outlining pass or fail criteria is a more effective way to present findings to management,” Sleigh said.
Sample report summary chart
Management has prime responsibility for ensuring that the risk appetite is being satisfied as it applies to IT applications, leading by example in four simple ways, according to Sleigh and Naidoo.
“The first contribution management can make is to establish IT GC as a minimum standard. Building and enforcing policies to ensure IT GC is met is a tangible way of demonstrating such commitment.
“In simple environments, this can be easily achieved,” Naidoo said.
However, in complex environments with multiple applications and often large elements outsourced, this requires active engagement and clear expectation setting with the outsource providers. Many organisations outsource parts of their IT operations to third-party providers and rely on Statement of Auditing Standards No 70 (SAS 70) reports to provide assurance over IT controls for the outsourced services.
The passive receipt of SAS 70 style comfort letters is often insufficient, says Naidoo, as Ithese are often unclear regarding:
- Exactly what was tested — the controls selected and the extent of testing for the control objective may be insufficient to provide the level of assurance required; and
- Scope and coverage — SAS 70 reports often cover multiple organisations and therefore it is important to understand if the same level of controls is applied by the third-party provider over your organisation’s IT systems.
Sleigh says the second contribution management can make is to “actively expect relevant members in management teams to accept that they have a role to play in IT GC”. This emphasis, he says, can be used to push down the importance of IT GC to those best placed to ensure it is met, and gives those team members the opportunity to spend the time required to ensure it is met. Many IT organisations have adopted elements of the COBIT maturity model to assess the current state and define the target maturity level for IT controls. COBIT also provides a common language and can be mapped to international standards such as ITIL and ISO 27000.
“When properly articulated, we have not seen a business owner argue against IT GC as being important!” Sleigh said.
He said the third thing management can do to support broader adoption of IT GC across the organisation is to reduce the expectation on external audit. The focus of external audit is on the financial statements. This responsibility will rarely extend to testing for IT GC across every major application; it may only extend to testing the key financial systems, and even this is not always clear. Reliance on external audit in relation to broad IT GC assurance is not wise.
Management should also support an improved environment advocating internal audit has a comprehensive program of work to review IT GC for each material application. “This advocacy may require a long-term commitment, but the rewards via a better-controlled environment and broader understanding of IT GC across the business will be well worth the effort” Naidoo said.
“As we increase our reliance on IT applications to execute everyday transactions, it is critical that we continue to evolve the control environment of the organisation. The rapid growth in customer-facing and customer-impacting applications is actually making the IT environment more complex and fragile,” he said.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.