Robert Kugel's Analyst Perspectives

Companies Need Unified Approach to GRC for IT

Written by Robert Kugel | Jul 12, 2012 6:55:22 PM

One of the most important trends in business over the past 20 years has been the broadening use of information technology to manage and support activities. In the early decades of business computing, companies developed islands of automation for largely numeric functions such as billing, inventory management and accounting. Each ran on a proprietary system and engaged the time of a relative handful of employees. Today, just about everyone works with an IT system for at least some of their operational or administrative tasks. They rely on these systems to support many of their daily routines, from recording transactions to using analytics to provide alerts, insights and decision support.

Because the technology is involved in a wide-ranging set of business roles and deeply woven into business processes, companies need a comprehensive approach to addressing corporate governance, risk and compliance (GRC) requirements for their IT environment. In many organizations these systems are increasingly interdependent, necessitating comprehensive controls for the entire IT environment that are coherent and efficient from the users’ standpoint and potentially more effective from the IT department’s perspective; a comprehensive approach requires less work to manage and offers fewer points of potential failure.

The need for this kind of approach was revealed in Ventana Research’s recent GRC benchmark research, in which 25 percent of participants in IT roles said they are dissatisfied with the technology their company uses to manage GRC requirements, and another 35 percent were only somewhat satisfied with what they have. Just 4 percent said they are very satisfied; the remaining one-third (36%) are simply satisfied.

More effective technology for control systems is valuable because a well-controlled IT environment is an effective barrier against control failures in risk and business management. And comprehensive governance methodologies are not only more effective but more efficient. In the old days, IT departments had to erect barriers around each stand-alone proprietary system and manage and monitor each one separately (if they did it at all). Today, systems can be managed holistically, replacing the many little walls around islands of automation with a single secure perimeter within which many individual systems operate. Rather than having to erect and manage new walls every time a system is added, a company can bring the new system under controls it already has in place.

For example, companies benefit by having consistent identity management and process controls to ensure they are effectively managing and mitigating the risk of fraud, errors, omissions and intrusions. As to the last, our GRC research shows that one-fourth (26%) of very large companies (those with 10,000 or more employees) experienced a breach of data privacy or data security in the prior 12 months.

Although some organizations have already adopted a comprehensive approach to identity management and process controls, most have not. The research shows that just 10 percent of large companies (those with 1,000 or more employees) have fully automated their identity controls, and another 43 percent have mostly automated them. The rest have limited or no automation in place.

Historically, these issues have been handled largely as afterthoughts; we assert that this is a mistake. The need to manage risk more effectively and the expanding list of regulatory and legal requirements corporations face have increased the need for software and systems that provide full control, aid oversight and automate the execution of mechanical tasks. Because information technology can (and should) play an ever more integral role in governance, risk management and compliance, and because individual applications and tools can (and should) be applied to these requirements, companies need to approach GRC comprehensively and treat the IT requirements for identity and access management and process controls as a core discipline.

Identity and access management and process controls are two sets of IT infrastructure elements that can make risk and compliance management more efficient and more effective. Companies must be certain that they grant permissions and rights only to the appropriate people (authorization) and that those people are who they claim to be (authentication). Access controls, which depend on managing user identities effectively, are therefore central to enforcing separation-of-duties (SOD) controls, which apply wherever more than one person must be involved to complete a task. Historically, separation of duties was largely a finance department issue, driven by fraud concerns; today it is a necessary part of IT department management, needed to ensure the integrity of systems: the people who make changes to code cannot be the same people who review and certify those changes. Similar controls are needed for processes throughout a company wherever duties must be separated for external regulatory or legal compliance or for internal compliance and risk management.

Process control software enables companies to monitor activities within software applications and IT systems to ensure that things are being done “by the book,” with all steps in a process defined and executed in the correct order and in a timely fashion after the required sign-offs have been obtained. The escalation in outsourcing and the globalization of supply chains increase the importance of these process controls, both to keep things from falling through the cracks and to check, inspect and document work performed by suppliers or contractors.

Process control systems can also be used to spot suspicious activity, in real time if necessary, and they allow internal and external auditors to verify that controls are working. They make it practical to analyze system logs for patterns such as a permission granted and rescinded within the same day, or a higher-than-usual number of changes at the end of a month. These are electronic versions of what auditors once did by hand, checking paper ledgers for erasures and examining handwriting to spot suspicious marks. Forensic accountants and other risk and fraud experts can now design automated controls that reduce the need for heavy manual oversight, and with these controls in place corporations can reduce the cost and scope of internal and external audit work.
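The log checks described above, together with the separation-of-duties rule from the preceding paragraphs (a change must not be approved by the person who made it), as an added Python example. This is not code from the original post or from any GRC product; the pipe-delimited log format, the field names, the sample log lines and the spike thresholds are all constructed for illustration.

```python
"""Three audit-log checks: self-approved changes (SOD), same-day grant
and revoke of a role, and a month-end spike in change volume.

Added example, not from the original post or any product. The log
format, field names, thresholds and sample data are assumptions.
"""
import calendar
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log (not real data). One event per line:
#   timestamp|event|actor|subject|key=value[,key=value...]
# "change" events: subject is the change ID, detail carries approved_by.
# "grant"/"revoke" events: subject is the user, detail carries role.
SAMPLE_LOG = """\
# 2012-06/07 change-management and permission events (constructed)
2012-06-05T10:02:00|change|dev.park|CHG-1031|approved_by=qa.ng
2012-06-12T14:20:00|change|dev.kim|CHG-1032|approved_by=qa.ng
2012-06-19T09:45:00|change|dev.park|CHG-1033|approved_by=ops.ruiz
2012-06-28T08:30:00|grant|admin.lee|user.cho|role=AP_APPROVER
2012-06-28T09:05:00|change|user.cho|CHG-1034|approved_by=user.cho
2012-06-28T17:40:00|revoke|admin.lee|user.cho|role=AP_APPROVER
2012-06-29T10:02:00|change|dev.park|CHG-1035|approved_by=dev.park
2012-06-29T11:30:00|change|dev.park|CHG-1036|approved_by=qa.ng
2012-06-29T15:10:00|change|dev.kim|CHG-1037|approved_by=qa.ng
2012-06-30T16:05:00|change|dev.kim|CHG-1038|approved_by=ops.ruiz
2012-06-30T17:55:00|change|dev.park|CHG-1039|approved_by=ops.ruiz
2012-07-03T09:00:00|grant|admin.lee|user.cho|role=AP_APPROVER
2012-07-10T10:00:00|change|dev.kim|CHG-1040|approved_by=qa.ng
2012-07-17T10:00:00|change|dev.park|CHG-1041|approved_by=qa.ng
2012-07-30T10:00:00|change|dev.kim|CHG-1042|approved_by=ops.ruiz
"""


@dataclass
class Event:
    ts: datetime
    event: str
    actor: str
    subject: str
    detail: dict = field(default_factory=dict)


def parse_log(text):
    """Parse the assumed pipe-delimited format into Event records."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, event, actor, subject, detail = line.split("|", 4)
        kv = dict(item.split("=", 1) for item in detail.split(",") if item)
        events.append(Event(datetime.fromisoformat(ts), event, actor, subject, kv))
    return events


def sod_violations(events):
    """Separation of duties: change IDs where the person who made the
    change is also recorded as its approver."""
    return sorted(ev.subject for ev in events
                  if ev.event == "change"
                  and ev.detail.get("approved_by") == ev.actor)


def intraday_grant_revoke(events):
    """(user, role, date) triples where a role was granted and revoked
    on the same calendar day."""
    seen = defaultdict(set)  # (user, role, date) -> {"grant", "revoke"}
    for ev in events:
        if ev.event in ("grant", "revoke"):
            key = (ev.subject, ev.detail.get("role"), ev.ts.date().isoformat())
            seen[key].add(ev.event)
    return sorted(k for k, kinds in seen.items() if kinds == {"grant", "revoke"})


def month_end_spikes(events, tail_days=3, factor=2.0, min_tail=3):
    """Months whose last `tail_days` days show a daily change rate more
    than `factor` times the rate over the rest of the month. `min_tail`
    keeps one or two changes in a quiet month from tripping the check.
    All three thresholds are assumed values to be tuned per environment.
    Returns {(year, month): (tail_count, rest_count)}."""
    counts = defaultdict(lambda: [0, 0])  # (year, month) -> [tail, rest]
    for ev in events:
        if ev.event != "change":
            continue
        days = calendar.monthrange(ev.ts.year, ev.ts.month)[1]
        counts[(ev.ts.year, ev.ts.month)][0 if ev.ts.day > days - tail_days else 1] += 1
    flagged = {}
    for (year, month), (tail, rest) in counts.items():
        if tail < min_tail:
            continue
        days = calendar.monthrange(year, month)[1]
        if tail / tail_days > factor * (rest / (days - tail_days)):
            flagged[(year, month)] = (tail, rest)
    return flagged


def run_checks(log_text):
    """Run all three checks over a log and return their findings."""
    events = parse_log(log_text)
    return {
        "sod_violations": sod_violations(events),
        "intraday_grant_revoke": intraday_grant_revoke(events),
        "month_end_spikes": month_end_spikes(events),
    }


if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

On the constructed log this flags CHG-1034 and CHG-1035 as self-approved, the AP_APPROVER role granted and revoked for user.cho on 2012-06-28, and June 2012, where six of the month's nine changes landed in its last three days. July's single month-end change is suppressed by `min_tail`; without such a floor, rate-based comparisons over small counts generate the noise that makes auditors stop reading the report.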

Each of these basic capabilities – access control, identity management, transaction monitoring and controls monitoring – reduces the amount of audit activity needed, cuts the expense and effort of performing these tasks manually and significantly reduces the risk of fraud or errors stemming from poor or nonexistent controls. To the extent that it is feasible, we believe companies need to incorporate these infrastructure elements as a standard practice. Because IT systems are now at the center of handling most key processes, corporate governance and risk management increasingly call for a comprehensive approach on the part of IT departments. It’s time for IT departments that are lagging in their adoption of more effective controls to take a safer and more cost-effective approach.

Regards,

Robert Kugel – SVP Research