Information Technology plays a very crucial role in the operations of an organization. IT systems are deeply embedded in initiating, authorizing, recording, processing and reporting of financial transactions. Almost all financial reporting processes in an organization are driven by IT systems. As a result of their tight linkage to the overall financial reporting process, internal controls over relevant IT systems need to be assessed for their compliance with the Sarbanes-Oxley Act (SOx). Other regulations, such as those of the FDA, GLBA and HIPAA, also require assessment of the internal controls of relevant information systems.
Most organizations regularly test the internal controls within their IT organization to ensure secure and continuous operation of their entire information systems and to identify and mitigate risks to financial reporting. Such controls are typically derived from a standard framework such as COBIT and, when implemented, they not only reduce IT-related risks in financial reporting but also form the basis for good IT Governance.
The following are some of the key internal controls defined within an IT organization for compliance with SOX. These controls are based on the COBIT framework. This list can be extended to support HIPAA or GLBA compliance. The controls include:
- Acquire (or develop) application system software: These controls provide reasonable assurance that the user requirements for a new application system (one that affects financial reporting and is therefore in scope for SOX compliance) are adequately defined and approved, and that the software is acquired or developed against these requirements.
- Acquire technology infrastructure: These controls provide reasonable assurance that technology infrastructure including servers, networks and databases that are acquired provide a secure and reliable information processing platform to support financial reporting applications.
- Install and test application software and technology infrastructure: These controls provide reasonable assurance that the systems are appropriately tested and validated prior to being placed into production processes and associated controls operate as intended and support financial reporting requirements.
- Manage changes: These controls provide reasonable assurance that any system changes of significance to financial reporting are authorized and appropriately tested before being moved to production.
- Develop and maintain policies and procedures: These controls provide reasonable assurance that policies and procedures (including the SDLC methodology, the process for acquiring, developing and maintaining applications, service level agreements, operational practices, training materials and the like) have been developed and are maintained, and that they define the documentation needed to support the proper use of the applications and the technological solutions for financial reporting.
- Service Levels: These controls provide reasonable assurance that service levels are defined and managed in a manner that satisfies financial reporting system requirements and provides a common understanding of performance levels with which the quality of services will be measured. The controls typically also support Information Technology Infrastructure Library (ITIL) guidelines.
- Third Party: These controls provide reasonable assurance that third-party services are secure, accurate and available, support processing integrity and are defined appropriately in performance contracts.
- Access Control: These controls provide reasonable assurance that every user ID in any enterprise system that affects financial reporting maps to a specific person, and that password format and access rights to sensitive files, directories and programs comply with security policies.
- Security: These controls provide reasonable assurance that financial reporting systems and subsystems are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data. These controls are also in compliance with ISO17799 specifications.
- Configuration Management: These controls provide reasonable assurance that all IT components, as they relate to security, processing and availability, are well protected against unauthorized changes, and that the current configuration can be verified and recorded.
- Incident Management: These controls provide reasonable assurance that any problems and/or incidents are properly responded to, recorded, resolved or investigated for proper resolution. The controls also support ITIL guidelines.
- Operations: These controls provide reasonable assurance that authorized programs are executed as planned and deviations from scheduled processing are identified and investigated, including controls over job scheduling, processing, error monitoring and system availability.
Issues with IT Audits
The IT Auditing and Compliance process is inherently very complex within a company. This complexity is primarily due to the following three reasons:
- Multiple internal and external stakeholders involved in the process
- Evolution of audit infrastructure from bottom up
- Lack of a single system of record, preventing top down visibility and control
Multiple Stakeholders: In many Fortune 500 companies, the IT function is decentralized. In such companies, the corporate IT function sets policies and guidelines and is responsible for shared resources, but most of the IT investments are made by and managed at the divisional level by a Divisional CIO, who reports to their line-of-business head, as well as to the corporate CIO. As a result, multiple internal organizations are involved in assessing compliance with IT controls. In addition, some IT operations, including application development and software/infrastructure management may be outsourced to a third party. This outsourcing partner typically uses their own organization to assess compliance with their client's IT controls guidelines for the systems they manage. Finally, some of the IT assets within a data center may be leased from a third party and maintained or serviced by them. These service providers typically also ensure that such systems comply with their client's IT control guidelines. As a result, there are a number of internal and external stakeholders involved in an IT audit and compliance process, creating a huge amount of complexity.
Evolution of the infrastructure bottom-up: Companies have implemented various tools in their environment to automate testing of specific controls, identify non-compliance and drive its remediation. These tools include point solutions such as Virsa or Logical Applications for testing Segregation of Duties (SOD); solutions such as Symantec BindView for defining and enforcing security policies; and solutions such as Active Reasoning for change management compliance. While these tools address very specific issues, each has its own 'perspective' on compliance and publishes its own compliance report about the narrow domain it addresses. These systems do not address overall IT audit and compliance from a top-down perspective.
Lack of a single system of record: IT organizations typically end up with multiple checklists to test various controls and multiple spreadsheets containing results from the tests. In addition, people responsible for testing specific controls may keep their own checklists or records of audit and publish their own compliance reports. As a result, a collection of Excel and Word files and emails keeps the overall process working. However, there is no single system of record for the entire IT Audit and Compliance process, so it takes a lot of manual work to understand the status at any given time, gain visibility into key issues or track the remediation status of a non-compliance event. A lot of time is spent chasing status information and gathering evidence of compliance. In addition, implementing a sustainable change management process across multiple documents that are managed in a federated manner becomes very difficult.
In order to sustain compliance with IT controls at significantly lower costs, organizations need to streamline their IT Audit and Compliance process, enable multiple stakeholders to have visibility and control and provide a single system of record for IT audits, while leveraging the various point solutions that have already been implemented to automate the testing of various controls.
How MetricStream addresses these requirements
MetricStream, a leading provider of Governance, Risk, Compliance and Quality solutions, provides a comprehensive solution for IT Audit and Compliance. Designed to support the COBIT framework, the solution addresses the issues mentioned in the previous section. Key capabilities of the MetricStream suite for IT Audit and Compliance include:
- Control Hierarchy: Enables the organization to document the control hierarchy according to COBIT framework, design assessment plans and setup the IT compliance environment within the organization.
- Assessments: Enables the organization to schedule and perform assessments of the design effectiveness and operational effectiveness of the IT controls. It provides a framework that automates the testing of IT controls and reports the results for the entire test, including both manual and automated controls, in an integrated manner.
- Remediation: Enables the organization to manage the remediation, exception, and disclosure processes, track their status, and ensure successful completion.
- Dashboards and Reports: Provides visibility into the ongoing IT compliance efforts within the organization through role based dashboards, scorecards and reports.
- Document Management: Provides a central repository for all documents required for compliance including IT policies, procedures, system lifecycle documents etc.
- Training: Enables the organization to make compliance a part of the company's culture, driving consistency through the management of all aspects of employee training.
- Audit: Performs process-level self-assessments and provides support for internal and external auditors.
By learning from the experience of an ISO 9000 implementation and embedding the steps listed above in the employee's daily work, SOx Program Managers can deliver SOx compliance at significantly lower costs.
By implementing the MetricStream IT Audit and Compliance solution, customers get a single system of record for the IT audit process, while supporting a complex organizational model that includes external stakeholders. The graphic above displays the IT audit and controls process for a typical IT organization after it was streamlined and automated using the MetricStream solution. Upon implementing the solution, MetricStream customers will enjoy the following environment for their IT Audits:
- A single repository of all policy, procedure and system lifecycle documents, with change control procedures to ensure only authorized people can update the documents using a well defined approval process
- A Control Hierarchy that enables an organization to use standard frameworks such as COBIT for IT Audits. The control hierarchy contains the following elements in a structured format, with multiple references attached to each of them for additional documentation about that hierarchical element:
  - Control Objectives
  - Key IT Assets
  - Results (Evidence)
- Integrated support for automated controls (via point solutions such as Virsa, Logical Apps, BindView etc) or manual controls (checklists that are workflow enabled). Results are automatically combined to provide a comprehensive and integrated view of test results to the user
- MetricStream leverages its test automation APIs to easily integrate with point solutions for testing controls such as Virsa or BindView. MetricStream is not designed to replace any of these 'specialist' point solutions.
- Change Management
  - Enables a change control process on policies, documented procedures, control tests, references etc.
- Information-rich dashboards, a risk matrix and operational reports provide visibility into the end-to-end process across all controls. As a result, the IT SOX compliance manager and the IT audit manager can easily monitor and manage the entire process from one location.
- Integrated remediation process, so nothing falls through the cracks. The system also ensures that various stakeholders from multiple organizations, based on their roles, have visibility into and control over the remediation process.
IT systems are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. Today the IT Audit and Compliance process supporting the Sarbanes-Oxley Act is chaotic. Most companies have implemented a limited bottom-up automation infrastructure for control test automation through point solutions. However, the lack of a top-down approach to IT Audit and Compliance, along with the lack of a single system of record, makes the entire process very disorganized. MetricStream, a leading provider of Governance, Risk, Compliance and Quality solutions, addresses these issues through its solution, specifically designed to manage the IT Audit and Compliance process at large companies.