Credit Suisse is pioneering the automation of IT risk
controls to meet its compliance obligations around the
world.
The move to automate follows three years of preparation by the
global investment bank to cross-reference all of its key IT
controls against a single framework.
Credit Suisse will use the automated platform to process the IT
controls it has established to comply with regulations such as
Sarbanes-Oxley in the US, and Basel 2 and the forthcoming Markets in
Financial Instruments Directive in Europe.
"Mapping IT control frameworks onto a single framework and
automating regulatory outputs is a fantastic move by Credit
Suisse," said Forrester analyst Bill Nagel. "Not only will it allow
them to satisfy the requirements of auditors but it must have
boosted transparency internally to give the business a clearer view
of the value that IT provides."
The bank, which has operations in 30 countries and more than
£600bn in managed assets, built the automated IT controls platform
with Swiss compliance specialist BIT-map.
The bank is already using it to track some group-level controls,
and it expects to roll it out across its private banking operations
in Europe, the Middle East and Asia by the end of the year.
"Our original deadline under Sarbanes-Oxley was April 2005, but
later that became 2006," said Andrew Brice, Credit Suisse's head of
IT risk and IT security risk control.
"Through our Sarbanes-Oxley activities we started to leverage
our other compliance initiatives and to trace the connections
between them. We soon realised the benefits of mapping them all as
one."
Brice said the bank's IT governance framework was based on Cobit
(Control Objectives for Information and related Technology), which
was identified early on as the best overall IT governance framework
for its purposes.
"By mapping all of the work going on across our operations to
meet a raft of different regulations, we found what you would
expect: a lot of duplication of effort and a lot of manual
processes."
The bank has worked since 2003 to automate manual controls
wherever it can to cut down on unnecessary testing, but Brice said
there was still some way to go.
"In many ways we are still in the first phase of establishing
best-practice IT controls. We are still primarily using
spreadsheets to correlate and filter, and we still have to modify
and update them as the frameworks change. But a lot of the core
work on integrating IT frameworks with regulatory and business
needs is there now, and IT is aligned much more closely with the
business and has a higher corporate profile than previously," he
said.
More information
www.credit-suisse.com
www.isaca.org/cobit