Information technology (IT) organizations within companies face an array of compliance requirements, including the Sarbanes-Oxley Act (SOX), external auditor requirements and state regulations. As part of such compliance, they must deliver the information requested by external and internal auditors, state regulators and a host of others.
This raises an important question for IT groups: how do they build a structure in which one set of documentation and one set of controls satisfies all of these parties? The idea is to create processes with built-in controls so that, regardless of the regulation or requirement at hand, a strong, stable control environment already answers the request, without extra work by the IT organization each time a new party asks.
Such an approach can also improve business performance and reduce risk. From a risk perspective, if IT organizations understand the business risks and link their process and control efforts to those risks, they can make certain that those risks are reduced to an acceptable level. Because the controls built into the organization are traceable to the risks, IT knows the processes and controls it has created align with the business. These links are crucial. Ultimately, one set of processes and controls also eases the burden of testing: the controls can be tested once to meet the multitude of requirements, rather than maintaining separate sets of controls that each have to be tested for the individual entity requesting the results.
These are timely issues. IT organizations have begun to question the reasons for, and benefits of, the various compliance requirements that fall under their purview. Studies point to upsides of these efforts, including greater effectiveness in managing the organization's own risks and processes. By sorting through and questioning compliance requirements, IT organizations have been able to step back and ask whether more efficient ways exist to establish and maintain IT control structures.
The demands are considerable, especially since no single, established framework covers all of an IT organization's compliance needs, and no single document spells out the best processes and controls. IT organizations have hung their hats on COBIT (Control Objectives for Information and related Technology) in the past, but even COBIT is not designed to meet every compliance obligation. Other frameworks address only limited areas, such as information security.
IT itself is also a moving target. IT organizations are driven by changes in the business, such as shifts in strategy and in approaches to cost-effectiveness, and the IT environment evolves accordingly. But change management is difficult. IT may be called on to build more infrastructure (or less), or to absorb a new technology that promises a competitive advantage. It can be hard even to detect that a change is occurring, let alone to determine its impact, especially where a shift in personnel may affect who operates a control. Without knowledge of the changes occurring in the IT environment, it is difficult to track their potential impact on the control structures in place.
In the midst of this turmoil, Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS5) has emerged as an important approach for companies complying with SOX. AS5 superseded Auditing Standard No. 2 (AS2), which the PCAOB had established as part of the initial SOX effort.
Risk-Based Approach
One of the key aspects of AS5 is that SOX work must follow a risk-based approach. In essence, AS5 says that when examining the processes and controls within a particular area of the business, one must step back and ask: what is the likelihood that a failure of this control leads to a material misstatement in the financial statements? Once a company recognizes that certain failures could cause only minor problems, it is better able to set an appropriate scope. Scope should be driven by the risk and potential magnitude of material misstatement, not by the mere existence of a process.
The IIA's Guide to the Assessment of IT Risk (GAIT) is another framework that helps IT organizations scope their controls appropriately. GAIT makes the point that just because a business process and its associated controls have been determined to be in scope, it does not follow that every IT application, piece of infrastructure and data store the process relies on is also in scope. For example, if the accounts payable process is in scope, which underlying IT components actually need to be considered?
Begin with the application. Take a common accounts payable application such as PeopleSoft. If the accounts payable business process does not rely on any so-called automated controls (that is, on logic built into PeopleSoft itself), the case for bringing the application into scope weakens. Likewise, data produced by the process is of less concern if it is not used for financial reporting. The key is not to rely on what appears on the surface: the scoping decision should rest on which controls the financial statements actually depend on. GAIT provides a methodical, step-by-step approach companies can use to scope their IT environments appropriately for SOX compliance.
In practice, companies have used AS5 and GAIT to reduce the scope of their IT control coverage. AS5 has also encouraged closer collaboration with external auditors in agreeing on a risk-based approach. Nevertheless, companies continue to find opportunities to make the SOX compliance process more efficient and effective through risk-based scoping.
The IT Governance Institute (ITGI) has taken a keen interest in the current state of IT processes and controls within businesses. ITGI conducted a study of 749 interviews with C-suite personnel, asking about the priority given to IT governance, the actions taken, and the degree of acceptance among CIOs and other company executives.
The study found that awareness of COBIT has increased, but only 30 percent of companies reported implementing it. The punch line, so to speak, is that IT organizations continue to struggle to adopt any controls structure and framework. Although they have adopted various aspects of standards and control frameworks, there is no single framework on which organizations can rely. Moreover, the study reports, companies lack adequate IT skills to address their internal risks.
The most commonly used IT frameworks include:
- ITIL/ISO 20000
- ISO 9000
- Internally developed frameworks
- COBIT
- Various security standards (ISO 17799, 27000, etc.)
- Capability maturity framework
- IT balanced scorecard
Each framework has a different focus. One response is to blend elements of the various frameworks and standards, weighing the options rather than treating any one of them as a cure-all.
Another recent study, performed by the IT Process Institute (ITPI), profiled leading IT organizations and identified what set them apart in terms of their control and process structures. From it emerged a set of controls that, if adopted, would put an IT organization well on its way to an environment modeled on those of the leading groups.
Of the 21 foundational controls identified, four were access controls, four were change controls, three were service level controls, four were resolution controls, three were configuration controls and three were release controls. The change controls and configuration controls were the ones that primarily differentiated "top" from "medium" performers. Nonetheless, it is important to bear in mind that simply putting structures in place, however solid, will not guarantee success overnight; improvement comes only over time. Remember that part of the control environment is the human component, the individuals who must follow, operate and execute the controls appropriately. Education around the controls is crucial.
Finding a Better Way
Here is a real-world example of how compliance requirements and responses played out for one organization. A financial services company was under pressure from multiple compliance requirements, including SOX, state regulators, external auditors, and third parties that used the company for business process outsourcing. What was the best way to handle the various requests? The existing approach, essentially reinventing the wheel for each request, was highly inefficient.
When the company assessed its goals, it decided not only to satisfy the requirements it faced but also to put in place solid, well-defined processes that would yield further benefits in efficiency and consistency.
The company used the ITPI study described above as a starting point, along with the IT Infrastructure Library (ITIL) framework and COBIT, taking elements from all three to build a well-defined process and control environment that could be operated day to day. The environment was linked to the business risks that existed within the organization. The effort took nearly three months and involved leaders in the IT organization closely, as well as internal audit.
The whole project, in fact, was highly collaborative in nature. Other factors that influenced its success included the ability to account for the specific environments within the organization; communicating the reasons and anticipated benefits; and the support of senior IT leadership.
Measuring Results
The Capability Maturity Model (CMM) is a useful mechanism for portraying the maturity of the processes and controls in a given area; COBIT draws on this model as well. It can be used to illustrate the current maturity of a process area, and once the current state is established, target maturity levels can be set. The CMM thus serves as a roadmap that outlines where a company's efforts stand today and where it ultimately intends to take them.
IT leaders are quite familiar with this model, which, among other things, underscores the important point that these efforts are never complete. IT leaders must realize that once they establish the framework, it is not time to sit back and rest easy. Change constantly occurs within their IT environment, thus requiring modifications to control structures and control processes.
IT leaders should also recognize the importance of ongoing collaboration with the business areas, to ensure risks have indeed been minimized, as well as with internal audit and risk management organizations. As potential new requirements come into place, everyone will need to respond appropriately.
A challenge? Yes. But establishing a solid and concise IT process and control structure really is the best way to ensure ongoing compliance, and ultimately, the organization’s long-term health.