Discovering IT: Identifying New Technology Trends
Identifying and navigating the latest technologies that will have the greatest impact on organizations ― and internal audit activities ― might require auditors to do a little detective work.
When it comes to technology, one thing is certain: There will always be a new application or product to enhance productivity or streamline an existing process. Take, for instance, the change from floppy disks to CDs to USB flash drives, which have become fixtures on key chains all over the world, as a way to meet people's and organizations' data storage and mobility needs. And what about the change from mainframes to client/server systems, and now to virtualized servers? As these examples show, newer and faster technologies will keep arriving and changing the way organizations perform their day-to-day work. Consequently, keeping abreast of the latest technologies, IT trends, and audit tools will help internal auditors be prepared for the next audit. However, identifying what those technologies are may be harder than anticipated.
THE QUEST BEGINS
Discovering which technologies will have the greatest impact in the business world is not easy. Depending on whom you ask, responses may range from the use of eXtensible Business Reporting Language (XBRL) and radio frequency identification (RFID) tags to major initiatives like business continuity management, as exemplified in the latest American Institute of Certified Public Accountants (AICPA) survey. For instance, according to James Bourke, an accountant with certified public accounting firm WithumSmith+Brown, the main trend is for organizations to go paperless.
"I see mobile and remote computing and document management as huge trends affecting organizations today," Bourke says. "Hence, the big push in organizations is to go paperless and store information in a digital format."
Some internal auditors, such as Ken Askelson, senior IT audit manager at JCPenney, have different technologies in mind. As Askelson explains, the technologies that are having the greatest impact on organizations are those used to enhance logistics and supply chain applications (e.g., those that provide greater visibility and help manage inventory levels more effectively) and help organizations secure and protect their intellectual property and customer files.
Are There Any GRC Tools Out There?
Some auditors believe that governance, risk, and compliance (GRC) technologies are becoming increasingly common, while others are less certain how widespread they really are. Gibbs is one of the auditors who believes in their popularity.
"GRC tools are becoming increasingly common, likely because of the increasing risk resulting from the complexity of managing compliance with an increasing number of concerned parties and requirements," Gibbs comments.
Bourke agrees: "Today, all of the testing that is done by our Section 404 group is all about using technologies that assist them in looking at governance, risk, and compliance issues."
For auditors using or considering these kinds of tools, there are a number of issues to keep in mind. "An important issue is the complexity and critical nature of the initial stages of planning," Gibbs explains. "An improperly executed implementation can be worse than not using the tool at all due to a false sense of security or a lack of awareness of unaddressed risks." In addition, Gibbs notes that as a relatively new technology, "comprehensive GRC tools are costly and complex to acquire and implement correctly."
Finally, many audit professionals, such as Nelson Gibbs, a senior manager with Deloitte's Audit and Enterprise Risk Services, focus on the organizational areas that are impacted the most in addition to the presence of a particular trend or technology. "Big impacts are occurring in several areas. One is the adoption and deployment of newer standards into the business world, such as XBRL, and another is the use of longstanding technologies for newer applications, such as the use of voice over Internet protocol [VOIP]," Gibbs says. To this list he adds the experimentation with and adoption of newer technologies themselves, such as RFID; the responses to legal, political, and social concerns such as green IT and digital asset management; and the rapid adoption and increasing availability of integrated and automated risk management applications, also known as governance, risk, and compliance (GRC) tools. (For more information, see "Are There Any GRC Tools Out There?")
However, for auditors who are looking for a more definitive answer, surveys such as those conducted by the AICPA might provide a good source of information. According to the AICPA's Top Technologies Initiatives Survey, for instance, information security management is the number 1 technology initiative for 2008. Now in its 19th year, the survey asked nearly 1,200 U.S. finance, accounting, and IT professionals working in different industries, public accounting firms, academia, and the government sector to rank a list of 29 technology initiatives that will have the greatest impact in 2008. Besides information security management, other technology initiatives identified include IT governance; business continuity management and disaster recovery planning; privacy management; and business process improvement, workflow, and process exception alerts.
While the search for technology trends currently affecting organizations worldwide continues, some audit professionals believe it's better to take a different approach. Rather than trying to identify the technologies that will impact organizations the most, auditors should concentrate on the technologies they should keep in mind as they plan their annual work based on the organization's latest risk assessment. These technologies include currently used security applications, tools that facilitate audit work, and the applications that were least examined during previous audit cycles.
In the realm of security, explains Gibbs, there are two kinds of tools auditors should incorporate into their annual reviews: preventive and detective. "On the preventive side is the use of automated security response systems, such as properly configured intrusion detection and prevention systems, and on the detective side is the use of automated segregation of duties applications," Gibbs says.
An area auditors need to note during their assessments is whether the tools were deployed and configured correctly. Deploying preventive and detective tools is difficult and costly in time and money, and configuration mistakes can leave the organization exposed to a security breach. However, "once deployed, they are relatively easy to use," Gibbs adds.
Askelson takes a more regulation-driven approach when identifying some of the main security tools used by organizations: "In light of the attention given to the privacy of customers' personally identifiable information and breach notification regulations, encryption and identity management technologies are receiving a renewed look for organizations to effectively manage business risk."
Lisa Johnson, chief financial officer at TWM Associates Inc., takes a different view. "Some organizations are pushing single sign-on methods, which have their vulnerabilities and can result in a single point of entry for intruders," she explains. "In addition, automated tools for scanning and evaluating configurations are continuing to forge ahead. The downside of using these kinds of tools is that they may result in false positives."
An easier set of tools to identify are those that auditors should consider part of their audit toolkit. "With documents being stored digitally, the days of randomly selecting manual documents to test are over," Bourke notes. "Today, every auditor should carry a data extraction tool like IDEA or ACL. These tools allow auditors to read large amounts of data, manipulate that data into a format that facilitates testing, and test the data."
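The automated segregation-of-duties checks Gibbs mentions and the full-population data tests Bourke describes are the same idea seen from two sides: pull the whole transaction extract, reshape it, and run every record through a rule. The following is an added example, not code from the article or from IDEA or ACL (which are commercial tools); it shows three such tests in plain Python over a constructed payables extract. The column names, the sample records, the business-hours window and the test thresholds are assumptions made for this illustration.

```python
"""
Added example (not from the original article): the kind of full-population
audit test a data extraction tool is used for, written in plain Python over a
constructed purchase-ledger extract. Column names, records and thresholds are
assumptions made for this illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample extract (not real data): a payables ledger exported from
# an ERP system, recording who entered each invoice and who approved payment.
LEDGER_CSV = """\
invoice_id,vendor,amount,invoice_no,entered_by,approved_by,approved_at
1001,Acme Supply,4200.00,A-1187,jsmith,mlee,2008-03-03T10:12:00
1002,Acme Supply,4200.00,A-1187,jsmith,mlee,2008-03-04T09:40:00
1003,Globex,15000.00,G-2201,rpatel,rpatel,2008-03-05T14:05:00
1004,Initech,980.50,I-0042,mlee,jsmith,2008-03-06T02:17:00
1005,Globex,15000.00,G-2202,rpatel,mlee,2008-03-07T11:30:00
1006,Initech,980.50,I-0042,mlee,jsmith,2008-03-08T16:45:00
"""


def load_ledger(text):
    """Parse the raw extract into typed records (the 'manipulate' step)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = float(row["amount"])
        row["approved_at"] = datetime.fromisoformat(row["approved_at"])
        rows.append(row)
    return rows


def segregation_of_duties_violations(rows):
    """Invoices where one person both entered and approved: a classic SoD conflict."""
    return [r["invoice_id"] for r in rows if r["entered_by"] == r["approved_by"]]


def duplicate_payments(rows):
    """Groups of invoices with the same vendor, amount and invoice number."""
    seen = defaultdict(list)
    for r in rows:
        seen[(r["vendor"], r["amount"], r["invoice_no"])].append(r["invoice_id"])
    return [ids for ids in seen.values() if len(ids) > 1]


def out_of_hours_approvals(rows, start_hour=7, end_hour=19):
    """Approvals recorded outside an assumed 07:00-19:00 business day."""
    return [r["invoice_id"] for r in rows
            if not (start_hour <= r["approved_at"].hour < end_hour)]


def run_tests(text=LEDGER_CSV):
    """Run every test over the whole population and return the exceptions."""
    rows = load_ledger(text)
    return {
        "sod": segregation_of_duties_violations(rows),
        "duplicates": duplicate_payments(rows),
        "out_of_hours": out_of_hours_approvals(rows),
    }


if __name__ == "__main__":
    for name, hits in run_tests().items():
        print(f"{name}: {hits}")
```

Note that invoice 1005 matches 1003 on vendor and amount but not on invoice number, so the duplicate test keys on all three fields; a looser key would raise the false positives Johnson warns about, a tighter one would miss re-keyed duplicates, and the choice is one the auditor should document with the test.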
Other tools auditors need as part of their audit arsenal, Askelson says, include:
Regardless of the tools chosen, training is especially important, as Steven Hunt, director of enterprise solutions for Enterprise Controls Consulting LP, explains: "In general, auditors need the training, experience, and tools necessary to execute those duties based upon risk assessments and audit plans." Gibbs agrees: "Certainly a strong understanding of the relevant technology environment is essential, including knowledge in common risks, best practices, and available tools. Although the specific audit tools should be tied to the specific environment, more important than the tool is adequate training and an understanding of its strength and weaknesses before using it in the field."
Least Examined Tools
Another set of applications internal auditors need to pay close attention to are those in the least examined or audited category. "Least examined technologies are those specific to a particular industry segment or that serve a highly specialized function, such as VOIP," Gibbs comments. "The reason they are not widely examined is because there are fewer deployments to be audited; hence, there is less available information on their business risks and audit processes."
According to Gibbs, this lack of available information leads to a decreased understanding of the associated risks represented by these tools and their business impact, as well as a slower adoption of commonly accepted best practices for their use. As a result, "auditors and managers must work harder to obtain an adequate understanding of the risks faced by their organization," he adds.
Specific areas that may not draw as much audit attention, such as legacy systems and mainframe platforms, "should be a concern to management and auditors if they play a significant role in the successful operation of the organization," Askelson explains. To this list, Johnson adds existing manual procedures, personnel records, clearance forms, and badge requests. "Anything that has personal information either in electronic or hardcopy form tends to be monitored less frequently," she says.
This year's AICPA survey can help auditors identify some of these technologies. According to the survey, the bottom five technology initiatives for 2008 include customer relationship management tools, contracted services activities, secure money applications, enterprise system management tools, and inventory and asset tracking software. "These areas should be a concern to management and internal auditors to the extent that they are relevant to their organization," Hunt comments.
WHAT TO DO
Considerations for Auditing Wireless and Portable Devices
When encountering wireless and portable storage technologies (e.g., USB thumb drives, music players, smart phones, and storage cards) as part of their organization's IT repertoire, auditors should keep in mind that these technologies have not changed the underlying risk of data loss, but have increased the likelihood that data loss could occur without detection.
As Gibbs explains, "the organization's response to the use of wireless or portable technologies should be based on an understanding of the risk environment and its risk tolerance. In some cases, it might be appropriate for auditors to recommend that the organization disable USB ports to prevent the use of thumb drives, ban the use of smart phones for remote access, redesign the network to prevent wireless access to critical subnet segments, or possibly not use wireless technologies at all."
Johnson agrees: "Some organizations are preventing the use of wireless and portable devices on any machine in the organization due to the occurrence of too many leaks or losses of information, while some organizations are going as far as shielding their building so wireless devices of any kind cannot be used."
"Like any other technology, organizations need to develop safeguards to protect data that may be exposed through the use of these technologies," Bourke comments. "Certified IT professionals, for example, can help identify ways to encrypt wireless data and secure data stored on portable memory storage devices like thumb drives and storage cards."
While organizations continue to deploy new technologies in their quest to streamline business processes, internal auditors can take a number of steps to make their journey a more pleasant one as they plan their audit work.
Step 1: Try a different approach
Bourke believes that internal auditors should try a different audit tactic: "In the past, auditors were notorious for developing procedures and tests to audit around new technologies. Today, the best auditors will audit through and test the technologies that are in place."
Step 2: Get to know the technology
A more obvious but sometimes skipped step is for auditors to get to know the new technology. As Askelson explains, "auditors should spend the necessary amount of time to ensure they understand the control environment and the risks and exposures raised by the use of new technology."
Johnson concurs: "Understanding the basics of how the technology works is important as well as understanding how that new technology introduces and prohibits information passing through the tool. No matter what the technology at hand, basics such as change and access control, configuration management, and contingency planning need to be addressed."
Step 3: Don't be shy; ask for help
In addition, Askelson advises auditors to consider soliciting help from others through co-sourcing, outsourcing, or networking, depending on the complexity and significance of the new technology to the organization. Bourke even goes as far as recommending that auditors bring in a certified IT professional to help bridge the knowledge gap between the auditor and the new client technology, while Gibbs advocates the use of training. "If possible, the best approach is to get formal training before performing an audit on a new technology for the first time either from an independent industry body with relevant educational offerings or through a vendor," Gibbs says.
If formal training is not possible, Gibbs also recommends networking with others who already have gained experience, preferably through professional organizations such as The Institute of Internal Auditors, ISACA, or industry organizations. His least preferred method, because of its steep learning curve, is self-education by reading material developed by organizations that issue best practices, such as the International Organization for Standardization, the U.S. National Institute of Standards and Technology, and the Open Web Application Security Project.
Step 4: Keep it simple
Others, like Hunt and Brian Spindel, senior IT auditor at Wisconsin Physicians Service Insurance Corp., take a simpler approach. "Auditors should never blindly start working on an application without first understanding how it supports the organization, the business processes, and related data that flow through it, and the relationship to qualitative and quantitative aspects of the risk portfolio," Hunt explains. Or as Spindel comments, "in general, any piece of technology mirrors a non-technological process such as input, processing, and output. Therefore, rather than finding out how the application works, the auditor needs to look at what the application does."
"Once you understand the basic functionality of the application you can determine what needs to be audited within the application," Spindel continues. "More likely than not, auditors will look at the same controls, such as those dealing with segregation of duties or output activities."
ARRIVING AT THE DESTINATION
As auditors continue to identify the newest technology trends and the technologies that will have the greatest impact on their organization, it's important to realize that the relevant tools will vary from industry to industry. "The definition of what constitutes a technology trend varies," Spindel explains. "There's simply no answer; in my experience everything is a technology trend depending on the organization and the technologies the auditor has been hired to look at. There isn't necessarily a trend, so to speak."
Once identified, auditors should follow a simple process when conducting their first audits. "One of my mantras is 'you can't audit what you don't know or understand,'" Hunt concludes. "Based on that, auditors need to go through the same type of training that users go through, process business transactions in a test environment, attend any available risk and control training courses or conferences related to the product, and Google, Google away."