Sarbanes-Oxley. Control effectiveness. Management assurance.
These are now stock terms within the vocabulary of the CIO and a
sign of the heightened level of attention now being paid to
controls. Over the last decade, IT organisations have significantly
increased their expenditure on governance, risk and compliance
(GRC) to enable them to meet the ever increasing demands of both
internal and external regulation. Whilst this investment has
enabled organisations to demonstrate compliance and driven a
controls culture into their workforces, the question often remains:
"... and what value is this adding?"
In an environment of economic recession, enterprises are now
looking to reduce costs and drive efficiencies wherever possible
and GRC expenditure is not immune. IT governance and compliance
teams are now being asked to deliver increased value to their
organisations, often at a reduced budget, without increasing the
organisation's risk profile. Not a simple task. So how can this be
achieved?
At the core of the solution is a central repository of controls
data that can be utilised by multiple users and for multiple
purposes, thus avoiding the high cost and inefficiency of
unnecessary duplication. The concept of "silo behaviour" may be an
old one, but it is still alive, and nowhere more so than in the world of
GRC.
As new regulations or requirements appear, the knee-jerk
reaction is to create a new team and a new set of processes to
demonstrate compliance. By bringing together the disparate data
sources that organisations utilise for their GRC activities, be
this for industry attestations, internal compliance, regulatory
activities or any governance work, inefficiencies through
duplication of effort can be removed as departments are driven to
work together. It is not uncommon for organisations to have
separate data sources for every piece of compliance activity,
leading to end-user overload, apathy and the age-old problems of
data integrity and duplication.
And then there are the controls themselves. Many organisations
have documented so many controls and risks that IT and compliance
staff find themselves trying to maintain, update and adhere to a
plethora of requirements. Whilst these controls may be valid,
perhaps based on the ITIL or COBIT frameworks, the likelihood is that
they are "down in the roots" and highly specific.
By standing back and attempting to identify activities that
monitor the core operations of the IT department in a holistic
manner, significant opportunities can be found to reduce time and
costs associated with compliance activities. Take change management
as an example. By placing reliance on the key steps that IT management
use to ensure the successful implementation of change into the
organisation, including change advisory boards and sign-offs, the
core controls can often be found. These are aligned to the manner
in which management operate the business rather than to the detailed
control points within the individual processes followed by separate
teams.
The use of technology as a mechanism to drive consistent
monitoring across the organisation has been recognised as a market
opportunity by many software houses. By deploying 'catch-all'
monitoring solutions, available at both an infrastructure and a
system level, organisations can rely upon a single point for
assessing IT control efficiency, including appropriate hardware
configurations, adherence to policies or completeness of
transactions, rather than a multitude of specific controls. Through
the use of such automated monitoring tools, organisations can
replace "manual" controls, which are costly to maintain and test,
with more efficient and reliable system-based automated
controls.
The concept of automated controls is not new; however, many
organisations have not realised the benefits of the existing systems
management and related technologies they may already own and
operate to provide oversight of IT, which can also be used to provide
a cost-effective approach to controls management. Squeezing
additional value from existing investment in IT has to be a 'no-brainer'
for the CIO.
Jonathan Wyatt is a managing director at Protiviti