Controls and compliance – maximising value and reducing costs

Sarbanes-Oxley. Control effectiveness. Management assurance. These are now stock terms within the vocabulary of the CIO and a sign of the heightened level of attention now being paid to controls. Over the last decade, IT organisations have significantly increased their expenditure on governance, risk and compliance (GRC) to enable them to meet the ever-increasing demands of both internal and external regulation. Whilst this investment has enabled organisations to demonstrate compliance and driven a controls culture into their workforces, the question often remains: "...and what value is this adding?"

In an environment of economic recession, enterprises are now looking to reduce costs and drive efficiencies wherever possible, and GRC expenditure is not immune. IT governance and compliance teams are now being asked to deliver increased value to their organisations, often on a reduced budget, without increasing the organisation's risk profile. Not a simple task. So how can this be achieved?

At the core of the solution is a central repository of controls data that can be used by multiple users and for multiple purposes, thus avoiding the high cost and inefficiency of unnecessary duplication. The concept of "silo behaviour" may be an old one, but it is still alive, and nowhere more so than in the world of GRC.

As new regulations or requirements appear, the knee-jerk reaction is to create a new team and a new set of processes to demonstrate compliance. By bringing together the disparate data sources that organisations use for their GRC activities, whether for industry attestations, internal compliance, regulatory activities or any other governance work, the inefficiency of duplicated effort can be removed as departments are driven to work together. It is not uncommon for organisations to have a separate data source for every piece of compliance activity, leading to end-user overload, apathy and the age-old problems of data integrity and duplication.

And then there are the controls themselves. Many organisations have documented so many controls and risks that IT and compliance staff find themselves trying to maintain, update and adhere to a plethora of requirements. Whilst these controls may be valid, perhaps based on the ITIL or COBIT frameworks, the likelihood is that they are "down in the roots" and highly specific.

By standing back and attempting to identify the activities that monitor the core operations of the IT department in a holistic manner, significant opportunities can be found to reduce the time and cost associated with compliance activities. Take change management as an example. By placing reliance on the key steps that IT management use to ensure the successful implementation of change into the organisation, including change advisory boards and sign-offs, the core controls can often be found. These are aligned to the manner in which management operate the business rather than to the detailed control points within the individual processes followed by separate teams.

The use of technology as a mechanism to drive consistent monitoring across the organisation has been recognised as a market opportunity by many software houses. By deploying 'catch-all' monitoring solutions, available at both the infrastructure and the system level, organisations can rely upon a single point for assessing IT control efficiency, including appropriate hardware configurations, adherence to policies or completeness of transactions, rather than a multitude of specific controls. Through the use of such automated monitoring tools, organisations can replace "manual" controls, which are costly to maintain and test, with more efficient and reliable system-based automated controls.

The concept of automated controls is not new. However, many organisations have not realised the benefits of the existing systems management and related technologies they may already own and operate to provide oversight of IT, which can also be used to provide a cost-effective approach to controls management. Squeezing additional value from existing investment in IT has to be a 'no-brainer' for the CIO.

Jonathan Wyatt is a managing director at Protiviti