This guest post is from Joe Hewitt, an IT compliance specialist for American Honda Finance Corporation. His views do not represent those of Honda, any of its divisions, or employees.
The 2009 ISACA International Conference held in Los Angeles had a much different feel than those of the past. While IT controls were consistently a primary talking point, the emphasis was on how to better align business and IT goals. Even though theoretical concepts like risk and value information technology were discussed at length, many of the presenters addressed real-world issues with respect to advancing along the compliance spectrum.
Oracle representatives Mark Sunday, CIO and SVP, and Gail Coury, VP of, kicked off the festivities with a detailed and insightful keynote address that outlined the challenges of compliance amid heavy acquisition periods. Attendees then proceeded to presentations along one of four tracks:
- IT governance
- IT compliance audit practices
- Information security management
- IT risk management and compliance
While useful information was abundant and widespread, here are some of the more interesting discussion points:
- Risk is often counter-intuitive
- Privacy regulations are here to stay…and will only become more strict
- Reputation risk is increasing for all businesses
- Financial return and value of governance is realized across silos, not from within them
- IT should be used to reduce business costs, not IT costs
- Acceptance of authority in younger generations has gone down, increasing the need for control automation
- The current economic environment emphasizes the need for controls over fraud at every level
- Business = Demand; IT = Supply
- ACCOUNTABILITY IS KEY!
If controls are the key, governance is the lock
Much of the discussion concerned progressing beyond creating a control environment and moving towards overall governance. With compliance budgets decreasing at a record pace, governance is the only way that auditors will be able to show the value of audit activities.
Risk was the real elephant in the room. Discussions concluded that, while we cannot fully eliminate risk in a cost-effective manner, implementing a monitoring or review process provides an eye-opening set of data for many businesses.
Even though attendance appeared to be down, the group was very diverse and included representatives from all over the globe. ISACA members from international companies enlightened the group with unique and challenging regional issues.
Overall, the conference delivered as promised. It had legacy theory, risk management theory, international diversity, and real-world solutions for almost any IT compliance issue. ISACA continues to be on the cutting edge of IT governance.