Choosing the Right On-demand Compliance Software
Organizations are starting to see the many advantages on-demand software can bring. Learning as much as possible about the benefits and risks posed by these solutions will enable auditors to help organizations choose the right on-demand compliance software.
Vice President Of Enterprise Risk & Compliance Management
Forrester Research Inc.
On-demand software is becoming an increasingly considered option for companies looking to automate their risk and compliance processes. While interest in this kind of software has increased, so has an understanding of the real and perceived risks it introduces. As part of their work, IT auditors are often tasked with the job of making recommendations to IT management on the kinds of compliance software available to organizations. To help companies and IT departments select an on-demand software product that meets the organization's needs, auditors first should understand the benefits and risks posed by these IT solutions. Once armed with this knowledge, auditors can work with IT management in a consulting capacity to make recommendations that benefit the entire organization in its quest for more effective and efficient means of compliance.
KINDS OF ON-DEMAND SOFTWARE
On-demand software usually consists of software-as-a-service (SaaS) applications, application service provider (ASP) offerings, and outsourced licensed software. For more on these three elements, see "Types of On-demand Software" below.
Types of On-demand Software
Software as a Service (SaaS)
Once organizations subscribe to this service, each company runs the same code. Any code modifications, customizations, and configurations required by the organization are then stored as metadata parameters within the hosted application. In addition, these applications can be used by multiple users within the company at all layers of the stack (i.e., at the database, server, and application layers) and outside the company through a virtual private network, if needed.
Application Service Provider (ASP)
Outsourced Licensed Software
BENEFITS OF ON-DEMAND SOFTWARE
Although awareness and adoption of managed application risk and compliance software has grown during the past two years, companies still approach on-demand software with speculation (Forrester Research, SaaS Gathers Steam in Large Enterprises, June 23, 2006). To help organizations in the decision-making process, auditors should work in partnership with IT management to come up with recommendations that weigh the capacity of the company's IT infrastructure as well as its ability to support, secure, and sustain reliable risk and compliance software against those of the on-demand application provider.
The following is a list of benefits auditors should recommend IT management keep in mind during the selection and evaluation process of an on-demand vendor.
Enterprise risk and compliance software is usually sold to the senior manager responsible for overseeing the organization's corporate governance, risk, or compliance activities. Unfortunately, not all senior managers have a clear understanding of IT and they may be hesitant to get engaged in a long, drawn-out IT initiative. On-demand applications, however, make it easy to start small, achieve success, and expand further if needed, thus matching costs to benefit flow and reducing overall project risks. For instance, risk and compliance executives can make a short-term decision to implement a solution as an on-demand application and later migrate it to a traditional software implementation, retaining their investment in setup and configuration.
Ability to Fit Within the Budget
Risk and compliance are often seen as a cost of doing business. However, allocation of funds for capital expenses can be problematic and stall risk and compliance software implementation. On-demand applications offer an alternative to outright license purchases because they typically offer pay-as-you-go subscription pricing (i.e., software rental charges rather than purchase costs).
Quicker Response to Regulatory and Reputation Pressures
On-demand applications are a good solution for companies under internal or external pressure for rapid change, as with regulatory compliance. When the organization is being investigated, oversight organizations and regulators may want to see changes in 30 days or less. However, installation of risk and compliance software can take months to complete. In contrast, firms can start using on-demand applications in weeks, thus reducing the amount of time it takes to fix the problem.
Lower Ownership Costs
Because on-demand applications bundle the management of software, network, data center, and the company's system infrastructure, organizations can lower ongoing IT management costs. Therefore, companies can benefit from lower implementation and software maintenance fees, shorter learning curves, and lower upfront investment costs, allowing IT departments to focus on core IT processes. In addition, updates to on-demand software typically occur frequently, thus putting minimal resource burdens on the organization.
Faster Deployment Schedules
On-demand applications offer the benefit of quicker deployment times because there is no need to install new hardware. On-demand applications are simply "switched-on" and only need to be provisioned. This deployment approach delivers the simplicity of an already installed solution set and removes the complexity of traditional software deployment.
On-demand applications also relieve companies of the need to install and use business intelligence programs, document management systems, or enterprise content management platforms and of integrating those platforms to build a single solution to measure, manage, and monitor risk and compliance processes.
Flexible Change Management Options
On-demand applications allow organizations to take advantage of the latest technology and content to support current regulatory requirements and security needs because vendors run the latest software version and update the software as needed. Furthermore, companies face difficult challenges in this area: they often must support different IT functions across multiple business units and geographies and handle risk and compliance processes that extend into supply chains and business partners. On-demand applications, as externally hosted environments, provide simplicity of access across organizational boundaries because they are accessible via the Internet without having to open additional ports or "holes" in the corporate network.
More Focus on Ensuring That Customers Derive Value From Investment
Many IT departments are unable to upgrade traditional software fast enough to keep abreast of new or changing business risk and compliance requirements. In contrast, on-demand application vendors have greater incentive to maintain value and meet service levels because vendors depend on recurring subscriptions rather than large upfront license fees. Thus, they typically provide frequent upgrades and regular "health checks" to clients for the technology and business aspects of their relationship.
RISKS OF IMPLEMENTING ON-DEMAND COMPLIANCE SOFTWARE
Like any new application or venture, on-demand applications come with risks that must be evaluated and taken into consideration before the organization invests time and money. Below is a list of the common problem areas auditors need to recommend IT management keep in mind as part of the selection and evaluation process.
Fear of the New
The relatively short history of on-demand software fails to instill the comfort that a traditional software model does. Some firms still cite concerns over security, reliability, and customization and integration capabilities. Additionally, on-demand vendors tend to be smaller companies with a short history that have not shown a track record of client satisfaction, business performance, or financial stability.
Questions About Legal Discovery
On-demand risk and compliance applications store data on internal investigations, whistleblower complaints, and risk assessments. As a result, organizations must consider whether hosting data in an external environment limits the reach of attorney-client privileges — contracts with on-demand application providers may not limit law enforcement or regulators' ability to get data. Furthermore, a third-party subpoena to a managed application in an ongoing criminal investigation may not be disclosed to a client. Therefore, organizations also should investigate the possibility of unnecessary data disclosures resulting from the process of complying with subpoena and discovery requests.
Retention and Disposition of Information
Is the on-demand application vendor following defined retention policies? Risk and compliance software houses critical information that could incriminate the organization or expose it to liability. Organizations, therefore, need to be concerned that risk and compliance information may be archived on backup media or retained in storage when it should be destroyed.
Vendor Staff Becoming the Whistleblower
Vendor access to corporate information could turn staff into whistleblowers. What's worse, information pertaining to wrongdoing or a company scandal could be leaked before the organization is prepared to deal with the legal ramifications of the issue at hand. In some cases, vendor staff also may have access to client information despite the best encryption and security controls.
Ownership of Intellectual Property
When using an on-demand application, the control of intellectual property rests in the hands of the provider. This introduces the possibility of compromise, theft, or transfer of intellectual property. In addition, on-demand vendors that don't offer an on-premise alternative put the customer at the most risk because the customer will have to migrate to an entirely new application if the vendor goes out of business.
More Limited Flexibility
On-demand applications are only financially viable if providers can reuse most software components. This poses challenges when a client requires unique extensions or new software configurations or when a client needs to integrate the on-demand application with its own proprietary systems. Multiple service demands may put pressure on on-demand application providers to prioritize features that are common to all customers over individual client requirements — just like traditional software vendors. Although customers can write code to extend or modify the functionality of traditional software, an on-demand application provider may not be able to offer that option.
Reliability and Continuity of Hosted Environments
Companies have shown concern about the reliability of third-party networks and data centers — it may be difficult to determine whether an on-demand application has the proper controls in place to maintain compliance and the continuity of services. As a result, organizations should review the service provider's most current Statement on Auditing Standards No. 70 (SAS 70) report to better understand which internal controls are being monitored for their effectiveness. In addition, companies should consider using existing best practices and frameworks when auditing the hosted environment, such as standards by the International Standards Organization, the IT Infrastructure Library, and ISACA's Control Objectives for Information and related Technology.
Security and Content Controls
In the past, organizations have been hesitant to allow highly confidential information to be stored in a system over which they have little to no control and into which they have limited insight. As a result, IT management needs to weigh the risks associated with the on-demand application against the company's current security, access, and content control needs.
Integration and Access
Beyond security, IT management should focus on the application's ability to integrate into the company's IT environment. For example, enterprise resource planning (ERP) systems do not lend themselves to an on-demand model unless there is significant bandwidth capacity and tight security. Some organizations have experienced difficulty integrating on-demand software into Lightweight Directory Access Protocol (LDAP) authentication environments or doing any real-time integration.
Organizations in need of risk and compliance software need to thoroughly address any control issues before signing a contract. For instance, there may be contracting issues that require the vendor and client to ensure there is a clear understanding of how things will work and who has what obligations. Specifically, auditors should recommend that IT management ensure the following steps are completed:
The Contract Is Reviewed by the Legal Department
The organization's legal department or counsel should review the contract with the on-demand vendor to determine whether it contains any sensitive information. The bottom line is that issues of attorney-client privilege, work product, and subpoenas should be identified and controls need to be built into the contract (e.g., information security controls such as encryption and authentication requirements, availability, and disaster recovery controls). This requires that organizations insert appropriate legal notification provisions into contracts, including dispute resolution, mandatory disclosure, and right-to-audit clauses.
The Right Deployment Model Is Chosen
Companies may be reluctant to store and house their sensitive information in the same server or database as another organization. If multi-tenant capabilities — as in the SaaS model — are too risky, organizations should look to a hosted environment where each client has its own database and application server.
Infrastructure Facilities Are Checked for Resiliency
IT staff need to ask for and review documentation on the vendor's security, business continuity, application, and infrastructure controls, as well as review the vendor's policies for IT operations management.
Client References Are Reviewed
Ask the vendor to provide references of clients using the platform for a similar purpose. When IT staff check the references, they should inquire about the due diligence each reference performed during its own contracting process and about its experiences with the vendor.
Determine if Retention Policies Are Followed
Risk and compliance information is extremely sensitive and often tightly regulated. As a result, the auditors and IT departments need to check whether the vendor has a defined lifecycle process for the access, retention, disposition, and destruction of risk and compliance information. In addition, the auditor and IT staff need to determine whether the vendor adheres to these requirements when using the application and during the data's backup and archival process.
Verify Whether Encryption and Data Management Is Used
Auditors need to determine whether the vendor is prevented from correlating data held in the on-demand software with a specific client unless it holds a key, through encryption, data scrambling, dummy data, or another technical solution. This key should prevent the vendor from associating data with a specific client or accessing the data without the client's consent. However, organizations need to be aware that most vendors today do have staff that can access client data. Even if data access is highly restricted, it only takes one person to make a security breach possible. Therefore, background checks, segregation of duties, and audit logs are necessary when managing security risks.
Review the Vendor's SAS 70 Report
SAS 70 audits need to address whether the infrastructure used to host the data and application is in a certified SAS 70 Level II facility rather than a Level I facility. This is because a Level II audit is more detailed. In addition, the SAS 70 report needs to identify how the data is stored and archived within the vendor's back-office operation.
The organization also must investigate what the audit evaluated. This is because a SAS 70 audit merely verifies that an organization is fully compliant with selected controls, whether these controls are effective or poorly implemented. Therefore, a SAS 70 audit validates the framework of controls it is given and is only as good as the framework the organization is auditing against.
Check if Background Checks Were Conducted
Standard risk and compliance procedures require that organizations do not give access to sensitive information and processes to individuals who have a bent toward criminal behavior. This requirement extends to business partners and service providers. Organizations, therefore, need to validate that the vendor has performed proper employee screening and background checks on all individuals who will service and support the application and infrastructure the organization will be using.
Determine if Integration Requirements Are Addressed
The service provider needs to understand the organization's integration needs for enterprise applications and systems. Hence, the organization needs to have a service-level agreement that stipulates the performance and enterprise integration activities that will take place once the on-demand application is purchased or leased and ask the vendor for references who have successfully completed similar integration projects.
On-demand applications for risk and compliance are a growing market. A few years ago, only a small number of vendors offered SaaS or ASP applications. Today, the majority of risk and compliance software vendors offer both deployment options — allowing clients to choose between a traditional or an on-demand model — while some vendors stick to one model or the other. As a result, preparation is a critical component of the selection process. Although many of the benefits, risks, and recommendations discussed in this article can be applied to all software applications, knowing what these risks and benefits are will enable IT departments to choose on-demand services that best meet the company's risk and compliance needs.
Michael Rasmussen is a vice president and analyst in Forrester's IT management and services research group. A risk professional with more than 12 years of experience, Rasmussen advises clients around the world on issues pertaining to enterprise risk and compliance management, as well as public policy, legislation, and regulation.