August 2009

The Impact of Regulation on Information System Planning

With evidence that new regulations will emerge in the coming months in response to the global financial crisis, IT auditors can play a key role in an organization's compliance with regulation requirements throughout the life cycle of the information system.

Joe Nadivi, CISA, CGEIT, ITIL
IT Auditor and IT GRC Expert
Strategic Business Solutions

Most information systems today are affected by one or more regulations, and some would argue that industries as a whole are over-regulated. That is particularly true in industries such as banking and insurance. There are many valid reasons for regulations, especially when it comes to information systems. A significant portion of business processes and activities in most organizations depends completely on information systems, and could not function without them. The vast amount of information generated by information systems is used by publicly-traded companies to report to authorities and regulatory agents. Additionally, decision-makers and stakeholders use financial reports published by organizations to make business decisions about investments, mergers, and acquisitions.

Internal and IT auditors are in a unique professional position. Their traditional and primary duty is to inspect and verify that business processes and practices are carried out as required by various regulatory bodies. Additionally, the main output of an audit activity is an audit report that describes risks, control deficiencies, and breaches of existing controls. Auditors also can assume the role of trusted advisor and suggest ways to improve existing processes and add new processes, tools, and best practices that improve performance and reduce operating costs. This article presents some ways in which internal and IT auditors can bring tremendous value to organizations in the course of conducting an audit.

PREPARING FOR MORE REGULATIONS

In spite of the overwhelming number of existing regulations, there is strong evidence that a tidal wave of new regulations will emerge in the next 12 to 18 months. The new regulations will ensure that better controls are applied as an oversight on activities performed by particular groups within an organization. One thing IT departments can do now is use this grace period to prepare for complying with new regulations.

A paradigm shift and thinking outside of the box regarding current practices will help in accepting a different approach to complying with regulation requirements. For example, the notion that regulation is not the chief information officer’s or IT department’s responsibility and the view that regulation requirements are not part of system requirements no longer apply. Instead, IT departments should accept the involvement of stakeholders and subject matter experts (SMEs) within the organization as critical and necessary for successful implementation of regulation requirements in information systems.

The following represents the primary key players and SMEs who should be directly involved in complying with regulation requirements throughout the life cycle of the information system:

  • Chief compliance officer.
  • Chief risk officer.
  • Information system manager.
  • IT project manager.
  • Information security manager.
  • Quality assurance manager.

Internal and IT auditors cannot and should not take an active part in the design or implementation of regulation requirements in order to prevent potential conflicts of interest in future audits.

A key point of this new approach is that regulation requirements are an integral part of the set of requirements that are defined for an information system (functional, technical, performance, security) and therefore:

  • Regulation requirements must be documented and managed along with all other requirements. (The use of a requirements management tool is recommended.)
  • Regulation requirements must be translated into tasks and activities to be performed throughout the life cycle of the information system and clearly defined in all project work plans.
  • The test plan for information systems must include specific tests to ensure effective and accurate implementation of regulation requirements.

Internal and IT auditors can bring important added value to organizations by raising the level of awareness among managers and stakeholders of the benefits to be gained by adopting a new approach to meeting regulation requirements. Auditors can express such opinions in audit reports and during audit closing meetings as general comments and recommendations.

LIFE CYCLE PHASES

“Information System Life Cycle Phases” (below) represents a typical life cycle model for information system development, implementation, and sustainability. The model includes some key activities that are related to regulation requirements in each phase of the life cycle. The activities relating to regulation requirements development, testing, and implementation can be easily incorporated into other life cycle models.

[Figure: Information System Life Cycle Phases. Source: MethodA, by Methoda Computers Ltd.]

There is no need to invent a new methodology for information systems development or to alter existing methodologies drastically. Instead, organizations should change and upgrade concepts that are currently used by IT departments. The involvement and active participation of SMEs is essential to successful implementation of this approach.

FOUR STEPS TO IMPLEMENTATION

The adoption and implementation of the proposed approach to complying with regulation requirements consists of four steps. Activities in these four steps can be easily incorporated into the Software Development Life Cycle (SDLC) currently in use by the organization. “Information System Life Cycle Phases” is a model that demonstrates integrating regulation requirements into a popular SDLC.

1. Discovery and Identification
Specific regulation requirements relevant to information systems should be documented. A current risk survey report may be used if available.

Identification and classification of binding enterprise regulations, standards, and frameworks should be included in a dictionary of terms and definitions. This dictionary should be the basis for a common language among all the organizational units in the enterprise that are involved in implementing and sustaining regulatory compliance measures. Existing and planned information systems and the identification of gaps between regulation requirements and their implementation should also be surveyed.

It is possible to have regulation requirements from multiple regulatory agents. Conversely, IT controls that were developed in response to a particular regulation requirement may be applicable to several information systems. One byproduct of this exercise is the identification of duplicate controls that were implemented to address the same regulatory requirement. A list of information systems, their risk classification, and associated controls presents an excellent opportunity to streamline and consolidate the number of IT controls in the organization.

Once IT controls are documented, a logical next step would be to expand the knowledge base by linking relevant policies, procedures, work instructions, forms, process owner information, and system managers. A repository of such information could help reduce the burden and high demand on IT professionals and make the audit process more efficient.

2. Classification
Information systems should be classified to facilitate prioritization according to criteria such as:

  • The importance of a system to a business process. An existing risk survey report can be used as a source for information system classification and serve as a starting point. Control self-assessment is a popular tool that can be used for establishing information systems classification.
  • The impact of the information system on one or more business processes and the risk factors associated with information systems.
  • The interdependency with other internal and external information systems.

Once prioritized, a viable work plan for implementing regulation requirements can be developed for the information systems managed by the IT department.

3. Mapping
To establish ownership and direct responsibility for each information system in the organization, it is necessary to map information systems. Mapping should identify the following relationships:

  • Information system to business process.
  • Regulation requirements to organizational unit(s).
  • Information system ownership.
  • Identification or discovery of “orphan” information systems.
  • Identification of multi-owner information systems.

Any identified gaps must be investigated and resolved. Additionally, the mapping information collected in this effort should be well-documented and maintained as an ongoing regulation compliance activity.

4. Development, Testing, Implementation, and Maintenance
The development, testing, implementation, and maintenance of regulation requirements include:

  • Development of code necessary to satisfy regulation requirements.
  • Testing and validation of regulation compliance of information systems developed in-house.
  • Validation that all vendor-supplied information systems comply with regulation requirements.
  • Testing, validation, and approval of external information system services' compliance with regulation requirements (including software-as-a-service (SaaS) systems).
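As an added illustration of the classification and mapping steps described above (example code written for this article's approach, not taken from the article or from Methoda's MethodA), the following Python models a small constructed inventory of information systems, their owners, dependencies, and controls, and derives the outputs the steps call for: orphan and multi-owner systems, duplicate controls for the same requirement, requirement-to-organizational-unit mapping, and a prioritized work order. All system names, unit names, and requirement identifiers are illustrative placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class System:
    name: str
    owners: list          # organizational units with ownership (empty = orphan system)
    processes: list       # business processes the system supports
    criticality: int      # 1 (low) to 3 (high), taken from the existing risk survey report
    depends_on: list      # other internal/external systems it relies on
    controls: dict = field(default_factory=dict)  # control id -> set of requirement ids

# Constructed inventory; names, units and requirement ids are placeholders, not real data.
INVENTORY = [
    System("ledger", ["finance"], ["financial-reporting"], 3, ["idm"], {"C-01": {"REG-A.1"}}),
    System("idm", ["it-ops", "security"], ["access-management"], 3, [], {"C-02": {"REG-A.2"}}),
    System("crm", [], ["sales"], 2, ["idm"], {"C-03": {"REG-B.1"}}),
    System("hr", ["hr"], ["payroll"], 2, ["ledger"], {"C-04": {"REG-A.2"}}),
]

def orphan_systems(inv):
    return sorted(s.name for s in inv if not s.owners)

def multi_owner_systems(inv):
    return sorted(s.name for s in inv if len(s.owners) > 1)

def requirement_to_controls(inv):
    """Map each regulation requirement to the (system, control) pairs that implement it."""
    m = defaultdict(list)
    for s in inv:
        for cid, reqs in s.controls.items():
            for r in sorted(reqs):
                m[r].append((s.name, cid))
    return dict(m)

def duplicate_controls(inv):
    """Requirements implemented by more than one control: candidates for consolidation."""
    return {r: p for r, p in requirement_to_controls(inv).items() if len(p) > 1}

def requirement_to_units(inv):
    """Map each requirement to the organizational units owning the systems that implement it."""
    m = defaultdict(set)
    for s in inv:
        for reqs in s.controls.values():
            for r in reqs:
                m[r] |= set(s.owners)
    return {r: sorted(u) for r, u in m.items()}  # an empty list is a gap to investigate

def prioritize(inv):
    """Classification step: rank by criticality, then breadth of processes, then dependents."""
    dependents = defaultdict(set)
    for s in inv:
        for d in s.depends_on:
            dependents[d].add(s.name)
    key = lambda s: (s.criticality, len(s.processes), len(dependents[s.name]))
    return [s.name for s in sorted(inv, key=key, reverse=True)]
```

On the constructed inventory, "crm" is flagged as an orphan system whose requirement maps to no owning unit, and "REG-A.2" is implemented twice, which is the consolidation opportunity the discovery step describes.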

Certification demonstrating regulatory compliance of information systems by all stakeholders is required to authorize systems for production use. During tough economic times and budget cuts, improving business processes is a good way to prepare for the upturn cycle and for the inevitable wave of new regulations that are sure to hit our shores.

The prevailing best practice of doing more with less applies to internal and IT auditors just as it does to other stakeholders in business enterprises. Internal and IT auditors can add value to their audited parties, in particular, and to business organizations in general, by playing the role of trusted advisor. The primary role of an auditor is to verify compliance; identify risks, control deficiencies, and the effectiveness of existing controls; and produce an audit report for management.

An experienced auditor can suggest and recommend improvements to existing processes and recommend new tools and methods for consideration. Furthermore, over time this approach can improve work relationships between the auditor and audited parties in the organization.

To comment on this article, e-mail the author at joe.nadivi@theiia.org.

Interesting Approach
I recently studied such typologies of risk in the workplace and it's great that such measures were taken. One important aspect fellow students were discussing was that where there is human involvement, there will always be an increase in risk as opposed to using computer systems. Thanks Desmo Web Design Cape Town
Posted By: Desmo
2013-08-20 7:26 AM
GRC Requirements Management
It is rewarding to see references made to GRC requirements management. Good message! Also a great work practice discipline. One that can assist any technical or business function. This is the next practice after project management basics that help all organizations move to the next level of work excellence (i.e. process maturity). Most organizations have never considered using a requirements management system to improve their cross-functional collaboration capabilities, manage risk portfolios cheaply and effectively, and increase the level of overall compliance sustainability across the enterprise. AuditNet.org seems to be leading the charge in GRC requirements management with a focus on Audit Work Programs (AWPs). They are now looking for individuals that leverage this best practice and would like to identify industry leaders to help them to guide the key areas that need requirement definition. Phil
Posted By: Phil Wilson
2009-09-29 2:54 PM
Good Approach!
As the article points out, integrating regulatory requirements into the SDLC can be advantageous. It assures that compliance is a consideration at the system level, as opposed to a post-implementation lesson learned. I would only add Chief Information Security Officer, Chief Privacy Officer, and Chief Counsel to the key player list.
Posted By: M.P. Schmidt
2009-08-14 2:17 AM
Your Article
This is the first time I see a reference to this topic. We in Siemens have developed tools for that. If there will be a forum meeting on the topic I will be interested and can contribute. Best Regards Dani Tal
Posted By: Dani Tal
2009-08-08 4:12 AM