Reflections on IT Risk and Audit

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


All the studies show an increasing pace of change in and around technology. It’s not only that we run the back-office with enterprise software, but it is invading both the front office and the products and services offered by organizations around the world.

Would you use a bank for your checking account that does not have online banking? I don’t think so. I would not use one that doesn’t also have a mobile app.

Would you prefer an airline that offers online booking, check-in, flight status, and boarding passes, or do you still use a travel agent and get printed tickets?

Are you as amazed as I am by some of the things that Amazon is doing? Consider the fact that as they build replenishment centers across America, they are staffing them with robots! Robots in the warehouse are far cheaper than employees in China and enable Amazon to set targets of “click to ship” of no more than 2.5 hours, with some items shipping 20 seconds after the customer clicks the purchase icon. They are also using dynamic pricing (see here for an explanation) to balance inventory and demand.

CEOs are saying (see IBM’s study) that technology is now the #1 driver of change in their organization, and they use some of the latest tools to maintain contact with their customers. My bank is suggesting that I contact them on Twitter if I have a problem, and the best way to complain to United Airlines is on their Facebook page.

Add to this the fact that the combination of advances in analytics (of all kinds, from mobile analytics to sentiment analysis to predictive and visual analytics) provides the capability to make leap changes in the quality of decision-making. Now, instead of relying on their experience and intuition, executives can have timely, current, insightful, and useful information on which to base their decisions. The insight can be on customer experiences and views of their current or future offerings, on the level of risk, or simply on their ability to fine-tune their manufacturing and other processes to drive revenue up and cost down.

But have the practitioners (and by extension those responsible for board oversight) kept pace?

Protiviti has shared with us their 2013 IT Audit Benchmarking Survey. It contains some useful information, which I will comment on momentarily.

First, though, I want to address the use of the terms ‘IT risk’ and ‘IT audit’. Personally, I look to ISACA for insight on ‘IT risk’ and they don’t disappoint. This is what they have to say:

“COBIT 5 for Risk defines IT risk as business risk, specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.”

In other words, we should stop talking and thinking about ‘IT risk’ as something separate. Instead, we should be talking and thinking about technology-related business risk.

This is very important!

It is much more than semantics!

For most of us, IT is a department. It has processes and addresses risks that may arise from failings in those processes through the operation of IT general controls (ITGC).

But we should be expanding our view to consider all the technology that is relied upon across the enterprise.

In my years as CAE, I ran into several situations where a focus on IT would have been too narrow:

- At Tosco Corporation, at that time the largest oil refining company in the US, every refinery was run using sophisticated process control and other computer equipment. It was relied upon for the safe and reliable operation of the various units (catalytic cracker, hydrogen plant, etc.), blending of fuels, measurement of receipt and shipping of crude oil and finished products, and much more. All of this equipment was acquired, maintained, and operated by individuals in the Engineering and other refinery departments. IT had very little involvement, and arguably all the technology-related business risk was outside IT’s span of control – and awareness.

- At Maxtor Corporation, a $4 billion manufacturer of hard drives (later acquired by Seagate), the Engineering department (responsible for product development) managed its own network and devices. The IT team only managed the wider network.

- At Business Objects, a major software company (later acquired by SAP), the largest number on the balance sheet was the warranty reserve. This reserve is for potential repairs and replacement of units that had been sold and failed within their warranty period. The software used to calculate the potential cost of such repairs or replacement was maintained outside the IT department.

I think it is time to stop talking about IT risk and instead talk about technology-related business risk, which I would shorthand to technology risk. Similarly, it is time to stop talking about IT audit and instead talk about specialists with a deeper understanding of technology.

In addition, the word “information” in IT leads us to focus on data, rather than the business that relies on the technology and how a failure in the use of technology can affect business strategies and objectives.

At the same time, we need to avoid letting our technology specialists live in the weeds. While they may love playing around with all the cool stuff, they need to focus on how the business depends on technology to work as designed and not to fail. In other words, they need to understand business objectives and how they are both enabled and potentially affected by technology successes and failures.

That brings us back to the Protiviti survey and report. Have they taken the technology-related business risk approach, or are they in the weeds with the IT auditors?

I will let you decide for yourself, but for me I suspect that the survey they sent out and which therefore drove the answers they received was all about IT risk. There seems to be little focus on getting the most from technology. Fear wins the day, with a major focus on what can go wrong – such as the statement that “Data security is of paramount concern”.

When I consider an organization making massive bets on big data and analytics, on the provision of new services via mobile apps, running warehouses with robots, and changing prices every hour or more using dynamic pricing algorithms, I suspect the “paramount concern” of the executive team is not “data security”.

OK, I hope I have made my point and we can consider all the useful information in the study.

The first point of discussion is whether organizations have a separate or integrated IT audit function (leaving aside the issue of whether it should be a technology audit function). Most have an IT audit function within internal audit, but many – especially small and medium-sized companies (SMEs) – do not. However, it is difficult to draw any conclusion from the survey results, as many of the companies that responded “no” to this question probably answered “yes” to the question of outsourcing/co-sourcing IT audit.

However, with technology being probably the greatest source of risk at every organization, I would agree with Protiviti that those companies with no internal IT audit resources may not be paying sufficient attention to this critical area.

It is interesting, although perhaps ‘alarming’ is a better word, to see that the individual (typically a Director) leading IT audit sometimes does not report to the CAE or a direct report to the CAE. Some report to the CIO or through the compliance function, which I would consider unacceptable.

No audit committee should tolerate an IT audit function that is not integrated within the overall internal audit function.

An interesting chart can be found on page 8. It shows the percentage of internal audit headcount designated as IT audit. I find the chart a little confusing, but if I am reading it correctly the great majority of organizations (around 70%) have less than 20% of their resources (presumably including co-sourced staff) designated as IT audit. I agree with Protiviti that the level of resources is probably out of balance with the number and level of technology-related business risks.

When I was running internal audit, I certainly had more than 20% of my resources working on technology-related risks. In today’s environment, I might target 40% or more – quite likely more than 50%.

The next troubling area is whether technology-related risks are identified and assessed as part of, or separately from, the overall internal audit risk assessment process. Even in the largest companies (those with over $5 billion in revenue), 26% do not have an integrated risk assessment process. Many do not identify and assess technology-related risks at all!

How can this be?

How can any organization say they are providing assurance on the effectiveness of management’s processes for governance, risk management, and the related controls if they do not consider the whole landscape of risks?

How can any organization understand technology-related risks if they don’t do so within the context of the business as a whole, its strategies and objectives?

At the foot of page 16, Protiviti reports that 65% of organizations only assess IT risk annually. That is far from best practice. The risk assessment should be updated as risks change, and I find it difficult to believe that risks change only once a year! My congratulations go to the 8% who update the risk assessment continually, with a silver medal to those who do so monthly (2%).

It is very disappointing that few organizations have a major involvement in “significant technology projects”. 14% have NO involvement!

The greatest risk is where there is change!

The change driven by technology these days is often likely to make or break an organization! The investment is huge and typically the foundation for the organization’s primary strategic objectives.

When I was with Tosco, the CIO told me that he would not go live with a major technology project without first hearing from my IT audit team – and he was right to take that position! I had as many as four auditors assigned to every significant technology project. On the project that led the CIO to say what he did, my team (led by Tim Cox and Bruce Taylor) reported to the project board that if they went ahead, the risk of failure was high. After the board decided that for business reasons they needed to accept the risk, my team came back and told them where the technology (a combination of hardware, software, and security tools) was most likely to fail. The technology failed precisely where my team said it would, but IT and users had deployed teams to monitor those locations and were able to respond and take corrective action promptly.

Less than half of the organizations surveyed had assessed IT governance. Personally, although it is mandated by IIA Standard 2110, I would only audit IT governance if I considered it a high risk. The portion of IT governance that I would be most concerned with relates to the leadership of IT in enabling business strategies (see this earlier post), and its processes for managing significant technology projects.

This is a useful report and I commend Protiviti for it. My suggestion to them is that they focus more on technology-related business risk in their next survey, including questions around whether internal audit assesses technology that is not managed by IT.

I welcome your views and commentary.

Posted on Nov 22, 2013 by Norman Marks


  1. I agree totally with what you have said and am seeking to get involved with projects with a high ICT content early. Just a point of clarification re IT Governance. Along the same lines of your article, shouldn't this really be Governance of IT (not just a semantic change but a meaningful shift in thinking) or combine this within "Corporate Governance" without any special distinction, i.e. it is just governance like for any other business process/plant etc. If we split "IT" off as having separate governance we may fall into the trap of separating them from the business processes that they support rather than looking at the complete governance over that process, plant etc.

    Thanks for your reflections.

  1. This IT risk and governance issue is something I am facing in my company currently. And I agree with you Brain Robb that governance is just governance and that it applies to all processes. So why make a distinction in IT governance? Thanks Norman Marks for your approach of looking into IT risks.

  1. The points raised have challenged the contemporary approach in "IT audit".

    One of the big issues in integrated audit is that the organization has an integrated approach in internal audit, as well as a team consisting of both operating and IT audit, and then one is "comfortable" and claims that this is integrated audit, as IT audit has become part of it. That means integrated audits are performed by 2 separate teams, namely operating and IT audit teams (no surprise, most teams from Big 4 firms are still doing that). If the assessment / audit of business risks is performed by 2 different teams, how could we expect the IT risks to be completely assessed in a business risk context?

    Regardless of the categorisation of risks, such as IT risk, operating risk or compliance, ultimately, management is only concerned about one type of risk, that is business risk, risk that threatens the organization achieving its business objectives.

    Thus, auditors should be well trained in assessing all kinds of risks, including IT risks. The ideal team composition will be auditors who are well trained in both operating and IT risks (business process driven), leaving the very technically driven assignments (such as intranet security, penetration tests) to the true "IT auditor".

  1. I love the foresight of this article!

    With regards to auditors performing both operating and IT risks, I have this experience to share - the development of systems and applications has gotten so complex/layered/multi-sourced over the years that sometimes even IT (or the developers, who often just build on something someone created over the years or use default libraries blindly) don't have an idea what went wrong. It usually ends up taking e.g. a 'focused' (i.e. someone who has invested both academic and professional time in pursuit of the science of computers) IT auditor that can 'dig deep' and discover the root cause. I still remember my first audit at a company that traditionally had general auditors looking at logical access controls. They were surprised that I knew the reports generated for the auditors were actually edited (or 'cleaned') versions (pretty good job on faking the document, I must say, but some alignment misses on the data column and the absence of the usual default-but-not-relevant data records made me suspect). IT had been fooling the general auditors in that company for a good many years!

    We can't all be subject-matter experts, but the increasing complexity of systems only makes root causes of issues more in-depth and buried than a checklist can handle.

    My two cents.

    Thanks!
