20 Apr 2009
Core business risks are being exposed by once-a-year-only IT internal audits, and firms should move to more pro-active rolling or quarterly reviews, says a report by consultancy KPMG.
With regulators likely to respond to the banking crisis that precipitated the global economic slump with yet more regulation, IT leaders are being warned that compliance reviewing practices may not be up to scratch.
"Because there's a perception of the lack of corporate governance, there'll be more regulation by government and agencies across different industry sectors," warns Warren Middleton, global head of IT internal audit at KPMG.
However, most organisations only audit their internal IT systems annually, and with an increase in regulation likely, many may be caught out, predicts Middleton.
"In an environment where technology is a vital part of a business' make-up, and the opportunity for deliberate sabotage is high, the need for a more regular review of audit plans has never been greater," he says.
A recent survey exploring the internal IT audit practices of nearly 300 finance professionals in Europe, the Middle East and Africa, found that more than three-quarters (78 per cent) undertake audit planning once a year.
Middleton suggests that a rolling audit plan would enable firms to react far more effectively to changes in the regulatory environment. Just 16 per cent of those surveyed have rolling or quarterly planning processes in place.
Ollie Ross, research manager at blue chip user group the Corporate IT Forum (Tif), believes the KPMG figures may not be representative of all IT departments. Businesses of all sizes, structure and focus have been going to great lengths to ensure that governance processes are significantly better than they were, she argues.
"We would venture a little surprise at the findings of this report," she says.
Nevertheless, the importance of audit processes that can quickly take on board changes in regulation cannot be understated, she adds.
While instituting an effective IT audit process can be laborious, once it's established continuous monitoring is relatively straightforward, says Quocirca principal analyst Clive Longbottom.
Once the management tools are in place to monitor and measure what is happening and report against key performance indicators, policies can be set within the audit which allow for continuous compliance monitoring, he says.
Longbottom advises firms to give IT audit staff "the capabilities to run reports so they can advise audit boards about any risks they find, and ask if it's acceptable to run these risks or not, dependent on what the organisation's risk profile is."
"It needs to be 'rolling' in the sense of picking up on events, and semi-rolling in the sense of needing to be revisited if rules engines and policies need updating, but there should be minimal impact once you've put the baseline in place," he adds.
Business Process Management (BPM) can help firms to identify and automate processes and thus drive efficiencies across the whole enterprise. Often processes concerning regulations are human centric, so by adopting BPM technology and disciplines you help in getting the right information to the right people at the right time so that they can make more informed decisions. The technology also provides an automatic audit trail, not as an add-on but as a result of how it operates: with BPM you have a clear view of who has done what and when.
The other benefit of using BPM is that the firm will have a flexible system which can be easily adapted to the ever changing market regulations. You won't need to do annual or quarterly reviews of your IT systems because BPM can highlight any divergences or variations as they happen and bring it to the attention of compliance officers so that appropriate action can be taken.
BPM is also a technology that finds its use and shows its value across many industries, from Financial Services to Pharmaceutical to Manufacturing - where there are processes and regulations, BPM should be there too.
Laura Mooney,
Vice President Communications,
Metastorm
www.metastorm.com
Posted by: Laura Mooney 21 Apr 2009
The majority of compliance officers are all too well aware of the presence of gaps and holes in systems, often created by unauthorised changes, that can rapidly undermine the compliant status.
Unfortunately, for many organisations, compliance has become little more than a box ticking exercise that attempts to deliver a compliant organisation at one point in time. Yet change to the IT infrastructure is both rapid and constant - and an essential component of business development and growth.
As a result, each audit process is fraught with problems. Compliance officers know without any doubt that a manual spot check by auditors could well reveal some breach of compliance or audit finding that requires expensive investigation. The result is increasing audit costs and a growing risk of major compliance failure - with attendant fines and negative publicity.
With the compliance burden increasing year on year, organisations cannot maintain their reliance on the 'after the fact', manual audit process; it is neither effective nor efficient. Automation has to be introduced into the process to drive down both cost and risk.
It is only by creating a continuous compliance process that leverages real-time monitoring to highlight changes that could take the infrastructure into a non-compliant state that any organisation will be able to effectively achieve multi-standard compliance in the long term.
Yours sincerely
Andrew Heather
General Manager, EMEA
Tripwire
www.tripwire.com
Posted by: Andrew Heather 20 Apr 2009