April 2007

Managing Information Risks in Complex IT Systems

Validation, reconciliation, and consolidation of information can help internal auditors minimize data management risks in complex IT systems.

Francesco Metalli, CISA, CISM, CISSP, PMP, MCSA
IT auditor, Group 4 Securicor

Risks deriving from the way mission-critical information and applications are stored and accessed are a recurring problem in IT audits. This is especially true in decentralized organizations in which data is stored in and processed by several systems. Unfortunately, many internal auditors may not know how to properly identify information management risks in decentralized IT environments, so complex IT systems and their risks remain a gray area in knowledge and audit practice in many organizations. Given this gap, it is especially important for auditors to examine how the organization manages its information assets. This in turn will help them better identify information management risks and provide recommendations geared to mitigating those risks.

INFORMATION MANAGEMENT RISKS

A key information management risk in many complex IT environments is the organization's inability to find an effective way to validate, reconcile, and consolidate data, also known as the VRC process. Other sources of risk may be perpetuated by the audit process itself. For instance, many internal auditors focus their reviews on companywide risk management processes and internal controls without paying close attention to information management vulnerabilities and procedures. Audits also tend to focus on the technical aspects of the management process, such as access control, configuration, and password management, and rarely concentrate on the way information is managed.

Complex IT environments are mostly the result of two situations. First, the organization may control different satellite offices, each operating with a large degree of autonomy, which results in the presence of multiple information management systems and, consequently, system fragmentation. Second, if the IT solutions that manage corporate data are not integrated with each other, there could be multiple information repositories (e.g., one data repository per IT solution), which leads to information fragmentation.

The presence of system fragmentation is usually associated with information fragmentation because most solutions use a specific dataset. It is rare to find situations where multiple solutions are used in combination with a unique and centralized database. The combination of system and information fragmentation leads to a number of risks. These risks include the use of manual VRC activities, as well as information availability and confidentiality vulnerabilities. Below is a brief description of each risk.

The Use of Manual VRC Activities
The VRC process is a critical element in many organizations because it includes many of the activities needed to guarantee that company information is accurate, such as financial data. If current IT systems and applications are unable to manage information assets effectively, which is likely when system and information fragmentation are present, the VRC process usually is performed manually or not at all. In the latter case, the auditor might - and should - find evidence of the company's lack of adequate controls, whereas in the former case, the auditor might not find any control problems at all. However, there are several risks connected to the manual processing of information, especially in large and complex IT environments, that all auditors should be aware of, including:

  1. Large overhead. The VRC process can be labor intensive when performed manually. This may create the risk of high staff costs and the reduction of the company's profit margin because many staff members from different organizational levels could be needed to validate, reconcile, and consolidate information in the absence of an effective IT application.
  2. Staff dependency. Manually performing the VRC process creates dependency on a number of individual staff with the experience and ability to perform the work required. Because these staff might be difficult to replace, extensive training might be needed for new employees.
  3. Information inconsistency. A manual process could introduce or perpetuate data inconsistencies, which can remain undiscovered for a long period of time until a problem arises or a specific ad hoc manual control takes place. Ad hoc controls or solutions are frequently developed or deployed outside management's control by computer-savvy staff members. Furthermore, manual processes are rarely performed consistently over an extended period of time. The risk involved in using manual processes is higher when frequent business changes, lack of policy enforcement, high staff turnover, staff inexperience, and lack of training are present.
  4. Information unavailability. The entire VRC process can take time when performed manually. Most of the time, a manual VRC process takes place only when all relevant information is available due to its high use of company resources. Therefore, consolidation of information takes place at predetermined times in connection with the reporting activity. The unavailability of consolidated business information outside of the reporting cycle can affect the decision-making process. For instance, a drop in new contracts during the first half of the year would be visible only after the sales department manually collects contract data and issues a report to management. However, by the time management receives the report, the drop in new contracts may have already affected the company negatively.
  5. VRC changes. Modifications to a manual VRC process can be complex because different datasets, solutions, procedures, and systems must be taken into account. For example, mandatory changes affecting salaries and taxes could cause the need to reevaluate different elements across the organization. Also, it is not uncommon for large customers (e.g., public companies) to request that certain processes (e.g., invoicing and reporting) be performed according to customer-specific preferences, thus requiring the need to modify the VRC process.
  6. Presence of ad hoc solutions. A manual VRC process could cause the creation of ad hoc solutions to compensate for the lack of effective end-to-end applications and tools. These solutions can represent a serious challenge if the company decides to consolidate its information into a more solid system because they may not be documented. For instance, the auditor might notice that different persons, functions, or departments use applications such as Microsoft Excel or Access to manage their information. As a result, corporate data is scattered throughout different databases, which leads to data inconsistencies, hinders the company's control on the software development process, and complicates the implementation of disaster recovery (DR) and business continuity (BC) plans.

Information Unavailability and Confidentiality Vulnerabilities
Information and system fragmentation can lead to problems when accessing company data and make it difficult for the organization to secure data assets properly and maintain data confidentiality. Following is a description of the main problems associated with information unavailability and confidentiality risks:

  1. Single points of failure. Many companies believe that having multiple data management tools is beneficial - when one tool or application fails, the other tools will continue working. However, the loss of only one dataset could affect the organization's ability to maintain control of its critical information because the information contained in the other datasets may not be sufficient to compensate for the loss. Therefore, the more information management tools a company uses, the less information is likely to be available, as each application can become a single point of failure.
  2. Possible loss of data. Many times local solutions, databases, and spreadsheets are stored on local systems that are not backed up or protected to the same degree as data stored on a server, creating a major risk of permanent data loss. During audits of Excel spreadsheets or Access databases, internal auditors need to keep in mind that Excel spreadsheets tend to cause more problems. This is because organizations sometimes use multiple linked spreadsheets to store raw data, which creates a complex system that only one or a few people know how to debug when a problem occurs.
  3. Information confidentiality risks. Protecting multiple data management tools is a more difficult and costly process than protecting one centralized system, especially if the tools are spread across a decentralized environment. Furthermore, tools that recover lost or forgotten passwords for Word, Excel, or Access documents are available online to anyone, which makes it hard to maintain the information's confidentiality.

THE "HOW TO"
Auditing information management tools and applications in complex IT environments requires time and effort. Below are steps auditors can take to determine whether data assets are protected effectively, followed by recommendations that can help companies enhance their information management efforts.

Audit Steps
During information management audits of complex IT environments, auditors should:

  1. Visit local branches to understand where information is coming from and what systems are used to store and process the information. Determining the time required to perform all activities and the number of persons involved in this process is important when assessing the risks affecting local offices.
  2. Interview operational staff and observe how activities are performed. It is not unusual to discover that local IT management may not have a complete picture of how data tools are used and the challenges and risks involved.
  3. Follow the information flow and document the way data is stored, processed, converted, communicated, consolidated, and reported. Different factors must be considered, such as the number of interactions and time necessary to move information from operations to corporate balance sheets.
  4. Evaluate the extent to which the company relies on manual activities to compensate for the absence of standardized, centralized solutions and identify whether the activity introduces any information inconsistencies. Staff turnover, missing or unclear procedures, and poor training should be looked at as well because they enhance the risk that data inconsistencies are introduced manually. Auditors should keep in mind that in some cases, it is more cost-effective to use manual activities for parts of the VRC process rather than investing in an automated solution. As a result, the presence of some manual activities might be acceptable.
  5. Determine how identified risks are impacting or could impact the organization. Auditors can derive useful risk indications by assessing the organization's exposure to financial or reputation risks and by examining contractual agreements. For instance, contractual agreements between the company and its customers could contain penalty clauses if the company fails to provide timely and accurate services. Errors in the payroll process could lead to staff complaints and end up in litigation. Reputation damage (i.e., damage to the company's image) can originate from information mismanagement, such as inadvertently releasing sensitive information to unauthorized persons.
  6. Evaluate the organization's business continuity and disaster recovery plans to identify whether information management policies and procedures are documented and what steps are included in the plan. In addition, auditors need to assess how the organization plans to cope in the event of an application malfunction, especially in the areas of information storage, processing, and access.
  7. Validate the existence of issues affecting the VRC process and the effects of using complex IT systems by requesting that the organization produce status reports on things such as currently employed staff, last month's sales, recent profitability analyses, and current business contracts. Because the data is more than likely scattered throughout various locations and tools, reports may not be available on short notice or could contain errors. This could be used as an example of why the manual VRC process is unable to manage information effectively and why changes are needed.

Audit Recommendations
Once risks are identified, auditors could provide recommendations that can help the organization reduce existing risk levels and enhance information management controls. Following is a description of some of the main recommendations auditors can make.

Recommend the consolidation of datasets and data management tools and applications. An ideal information management solution preserves information integrity and is based on a single database system. Because this involves the centralization of existing activities, which could be costly, management could resist the idea of investing large amounts of resources, particularly if there is no clear evidence that a fragmented VRC process is contributing to decreased profits. If the auditor encounters resistance, he or she should discuss the benefits of centralization and ways to centralize information. For instance, to centralize information storage, a central database could be built with interfaces that convert information from legacy systems so they can be imported into the central location. In this case, the software solution used to perform business activities would not need to change. Storing data centrally enables the organization to enhance data analysis, identify data inconsistencies, compare information with more ease, and determine data trends.
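As an added illustration (not code from the article or from G4S), the following Python sketch shows what an automated VRC interface into a central repository can do with the kind of fragmented data described above: it validates each branch extract, reconciles records by employee id, flags the inconsistencies a manual process would leave undiscovered, and consolidates the agreed versions. The branch names, field names, sample records, and the choice of an authoritative source are all constructed for the example.

```python
"""Automated VRC (validate, reconcile, consolidate) over fragmented branch extracts.

Added example on constructed data; it is not the article's or G4S's code."""
from collections import defaultdict

# Constructed sample data: two branch payroll systems export overlapping headcount
# records. Branch B holds a re-keyed salary and a record branch A never received.
BRANCH_A = [
    {"emp_id": "1001", "name": "A. Rossi", "salary": "52000", "cost_centre": "CC-10"},
    {"emp_id": "1002", "name": "B. Neri", "salary": "48000", "cost_centre": "CC-10"},
    {"emp_id": "1003", "name": "C. Bianchi", "salary": "", "cost_centre": "CC-20"},
]
BRANCH_B = [
    {"emp_id": "1001", "name": "A. Rossi", "salary": "52000", "cost_centre": "CC-10"},
    {"emp_id": "1002", "name": "B. Neri", "salary": "49500", "cost_centre": "CC-10"},
    {"emp_id": "1004", "name": "D. Verdi", "salary": "61000", "cost_centre": "CC-20"},
]
COMPARED_FIELDS = ("name", "salary", "cost_centre")


def validate(record, source):
    """Validation step: return findings for one record; an empty list means it is usable."""
    findings = []
    if not record.get("emp_id", "").isdigit():
        findings.append(f"{source}: malformed emp_id {record.get('emp_id')!r}")
    try:
        if float(record["salary"]) <= 0:
            findings.append(f"{source}: non-positive salary for {record['emp_id']}")
    except (KeyError, ValueError):
        findings.append(f"{source}: missing or non-numeric salary for {record.get('emp_id')}")
    return findings


def vrc(sources, authoritative):
    """Reconcile and consolidate: returns (central dataset, discrepancy report).

    sources maps a system name to its exported records; authoritative names the
    system whose version wins when valid records disagree (a policy decision that
    management, not the auditor, should own)."""
    versions = defaultdict(dict)  # emp_id -> {source name: valid record}
    report = []
    for name, records in sources.items():
        for rec in records:
            findings = validate(rec, name)
            report.extend(findings)
            if not findings:  # invalid records are reported, never consolidated
                versions[rec["emp_id"]][name] = rec
    consolidated = {}
    for emp_id, by_source in sorted(versions.items()):
        for missing in sorted(set(sources) - set(by_source)):
            report.append(f"{emp_id}: no valid record in {missing}")
        for field in COMPARED_FIELDS:
            values = {r[field] for r in by_source.values()}
            if len(values) > 1:
                report.append(f"{emp_id}: {field} differs across sources {sorted(values)}")
        consolidated[emp_id] = by_source.get(authoritative) or next(iter(by_source.values()))
    return consolidated, report


if __name__ == "__main__":
    central, issues = vrc({"branch_a": BRANCH_A, "branch_b": BRANCH_B}, "branch_a")
    print(f"{len(central)} consolidated records; {len(issues)} discrepancies:")
    print("\n".join(issues))
```

The discrepancy report is the artefact an auditor can ask for in place of the ad hoc status reports mentioned in audit step 7, and each entry points at a specific source and record rather than at the process as a whole.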

Recommend the implementation of fewer information management solutions. If management is still resistant to using one central data repository, auditors could recommend that the organization employ fewer standard solutions to reduce data fragmentation and the number of systems in place. Which systems should be kept depends on the organization's complexity and work requirements. Criteria that can be used when selecting which solutions to keep are the cost involved in consolidating information from one solution to another and the effectiveness of the tools available. For instance, if multiple human resources applications are used, information could be consolidated in the system that is most widely used, better supported, and easier to maintain. Determining which solutions to keep should not be part of the audit report's recommendations because this would affect the auditor's independence in evaluating the solution's effectiveness in the future.

Recommend that the IT structure (i.e., hardware and software) and data flow process are properly documented. By knowing which equipment is performing what function, it is possible to identify redundant or illogical elements as well as streamline and enhance the way information management is performed. In addition, documenting the company's current IT structure and data flow process enables the company to create a blueprint of its information management assets. Without this blueprint, it may be difficult to introduce new solutions or enhance those already present.

Furthermore, auditors should recommend that the procedures used to manage the VRC process, the organization's data flow, and IT structure be documented in sufficient detail, including the company's DR and BC plans. Documentation should identify redundant or illogical elements, such as retyping of information from one system to the other. This will provide managers with a clearer picture of the processes taking place in the organization and increase their awareness of the risks and costs involved in complex IT environments. Documented procedures also will help train new staff, as well as gain and preserve some consistency in the way activities are conducted.

Recommend that DR and BC plans are in place and tested at least yearly. The absence of DR and BC plans may put the organization at risk if IT systems are interrupted. The presence of complex IT systems, data fragmentation, and manual VRC activities increases the complexity involved in disaster recovery and in the continuation of business activities.

Recommend that the organization perform detailed internal audits to identify fragmented information. These audits also should determine whether currently used information management tools and applications are negatively impacting the organization's level of information management control. Although performing audits does not really change the overall level of inherent risk (i.e., risk that is impossible to manage or transfer away), it reduces residual risk (i.e., the portion of risk remaining after security measures have been implemented) by introducing an additional level of manual controls that are reactive in nature and costly in the medium to long term.

MOVING FORWARD

To provide added value to the organization, internal auditors should identify existing information management threats and provide recommendations that can help organizations control and reduce existing and future risks. Besides the existing risk level and information management activities under way, recommendations should be based on the organization's financial means and the level of additional control needed to better manage companywide information.

For additional information about management best practices, auditors can read:

  • Managing Enterprise Information Integrity: Security, Control, and Audit Issues and IT Governance Implementation Guide, available for purchase on the ISACA Web site.
  • Strategies for Information Technology Governance (2004) by Wim Van Grembergen.


Francesco Metalli is an IT auditor at Group 4 Securicor (G4S), a provider of security solutions. Metalli has worked in the field of IT for more than 15 years and has experience in the areas of IT management, security, and strategy. Prior to his tenure with G4S, he worked for Europol and for the Organization for the Prohibition of Chemical Weapons.

The author wishes to thank Phillip Summerton, head of internal audit at G4S, for his support and advice on this article.
