24 Aug 2010
However, their aim is often to reduce audit findings rather than to address the true issue of the organisation’s exposure to risk.
When compliance is the primary objective, an organisation may implement or redesign its operational processes to adhere to the industry standard or regulatory controls. This can lead to embarking on large-scale remediation activities and control frameworks intended to remove the risks and achieve compliance. Laudable in principle, the danger is that the controls then dictate the processes, rather than supporting them to operate with adequate control.
The end result is various compliance controls that add very little value to the business and merely create overheads in the form of the cost and time they take to define, implement, test and review. In addition, although the auditors may be appeased, the culture of the organisation can become over-focused on a checklist of process-orientated controls without understanding the reasons that they are required. Paradoxically, organisational compliance is often achieved at the expense of an increased exposure to risk.
Having ensured that they are not undertaking compliance for compliance's sake, organisations would also be wise to address how they demonstrate adequate approval of requests. Many people responsible for approving application changes may not be close enough to the functionality, and therefore will not fully understand the nature of the revisions they are signing off. This background knowledge is essential to perform effective governance – without it the approval addresses only the process and not the key issue, which is the potential risk to the organisation.
Another key audit area is authorisation conflict, ensuring there is adequate segregation of duties (SoD). This requires that there are no ‘conflicts’ in the duties that an employee is required to perform (for example, that they are not responsible for ordering goods as well as receiving and paying for them).
In the focus to achieve compliance, it is easy to be blinded by the numbers and aim to manage SoD conflicts down to zero in order that – at least from a ‘tickbox’ perspective – the business risk is reduced. However, in reality it is rarely possible to do this without transferring the risk to a different area, such as increased use of the emergency systems access process. Rather than over-emphasise the management of SoD conflicts solely for the sake of compliance, a true IT security expert will understand what constitutes business risk for the organisation, along with its risk appetite and risk profile. This knowledge is key to understanding where to draw the line of acceptance of the residual risk.
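The SoD conflict check described above, and the way a zero count can hide risk transferred to the emergency access process, as an added example (not the author's or Turnkey Consulting's code). The duty names, users and firefighter tickets are constructed assumptions for illustration.

```python
from collections import defaultdict

# Conflicting duty pairs from the article's example: ordering goods is separated from receiving and paying.
CONFLICT_PAIRS = {frozenset(p) for p in [
    ("order_goods", "receive_goods"),
    ("order_goods", "pay_invoices"),
    ("receive_goods", "pay_invoices"),
]}

def standing_conflicts(assignments):
    """{user: sorted conflicting pairs} among permanently assigned duties."""
    result = {}
    for user, duties in assignments.items():
        hits = [pair for pair in CONFLICT_PAIRS if pair <= set(duties)]
        if hits:
            result[user] = sorted(tuple(sorted(p)) for p in hits)
    return result

def emergency_conflicts(assignments, emergency_log):
    """Conflicts completed through emergency access: the duty exercised under a
    firefighter ticket plus the user's standing duties form a conflicting pair."""
    result = defaultdict(list)
    for user, duty, ticket in emergency_log:
        combined = set(assignments.get(user, ())) | {duty}
        for pair in CONFLICT_PAIRS:
            if duty in pair and pair <= combined:
                result[user].append((tuple(sorted(pair)), ticket))
    return dict(result)

def residual_risk_report(assignments, emergency_log):
    """The count a tickbox review stops at (standing) next to what it misses."""
    emergency = emergency_conflicts(assignments, emergency_log)
    return {
        "standing_conflicts": len(standing_conflicts(assignments)),
        "users_with_emergency_conflicts": len(emergency),
        "emergency_conflict_events": sum(len(v) for v in emergency.values()),
    }

# Constructed sample data (assumption, not from the article).
ASSIGNMENTS = {
    "alice": ["order_goods"],
    "bob": ["receive_goods", "pay_invoices"],  # a standing conflict
    "carol": ["pay_invoices"],
}
EMERGENCY_LOG = [  # (user, duty exercised under emergency access, ticket)
    ("alice", "pay_invoices", "FF-101"),
    ("carol", "receive_goods", "FF-102"),
    ("carol", "order_goods", "FF-103"),
]
```

Removing bob's second duty brings the standing count to zero while the three emergency-access events remain, which is the residual risk the article says the line of acceptance must be drawn against.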
There is no doubt that controls and remediation activities perform a vital role in safeguarding the organisation. However, when looking to enhance the internal control environment it is essential to focus on the genuine reduction in risk exposure that each control delivers to the business. This will ensure that risk management is the driving force behind all compliance activities and will help the organisation to avoid the very real risk of over-engineering controls to a point where they have a negative impact on operational activities.
Richard Hunt is Managing Director at Turnkey Consulting