Governance archives - Regulatory Reality

Sep 1 2009   3:29PM GMT

IT audits versus reviews



Posted by: David Schneier
Regulatory Compliance, Audit, risk, risk assessment, GLBA, NCUA, general controls, IT, ITGC, governance, compliance, GRC

I had mentioned in my last post a recent conversation with my partner regarding a proposed IT general controls (ITGC) audit. My primary role in our practice is to head up regulatory compliance services which includes audits, assessments and program development; my partner’s primary role is head of sales and business strategy. However, there’s a significant amount of overlap between our two sides and I sometimes forget that I’m the compliance expert when we’re discussing the industry. His knowledge of the myriad regulations is impressive and there are times where I’ll vet ideas through him to validate my own thinking.

Anyway, he’d mentioned a conversation with the client around the proposed ITGC audit in which the project sponsor asked what the difference is between an audit and a review. I knew right away where the question stemmed from because of my experience in the industry. Many firms we compete with (and some I’ve even worked for in another time and place) don’t conduct audits, they conduct reviews. Sometimes they don’t even conduct a review or an audit but rather an assessment. I’ve struggled with this blurred use of terms because in my mind there are very clear delineations. The lifecycle of the governance, risk and compliance (GRC) domain is as such: identify and assess risk, design controls to mitigate those risks and test to validate that those controls are functioning as expected. And so, a risk assessment is conducted, governance elements are introduced in the form of policies and procedures, and regularly scheduled tests occur to make sure that the whole enchilada is actually getting the job done. And so when practitioners offer services that aren’t specific to one of the key areas of the GRC spectrum, it bothers me.

See, an audit is an audit is an audit: you determine the control objectives that are supposed to be supported by the entity and that are in scope for the type of audit, identify the related control activities that either are or should be in place, and then design a series of test steps to determine whether those activities are occurring and tie back to the overall objective. The auditor has some leeway when it comes to offering an opinion as to what the results actually mean (one auditor's pass is oftentimes another auditor's finding), but fundamentally the audit results tend to be binary: you either pass or fail. It's all fairly straightforward.

Now a risk assessment is not an audit; it's a bit more arbitrary. Management is generally polled to determine which areas of their infrastructure (including finance, operations and technology) they are most concerned with; regulatory and industry requirements are factored in, and a plan for conducting the risk assessments is drawn up. As these assessments occur, what they reveal is factored into the overall audit plan to make certain that the areas presenting the greatest risk to the business are being examined closely and in a timely fashion.

So here's my question: what exactly is a review? If you're conducting tests and examining evidence, you're conducting an audit. If you're interviewing stakeholders and determining what controls are in place but not testing their effectiveness, then you're conducting a risk assessment (assuming you're asking the right sort of questions – a post for another day). Is there some odd dimension between the risk assessment and the audit I'm unaware of where this review occurs? And what exactly are you expecting from the results of this review? Because I'll tell you this much: examiners only recognize risk assessments and audits. You can present them with a report that's called a review in the title and tell them it's actually an audit, but you'd better be prepared to produce work papers because they're going to ask you for them, trust me on this point. But my experience is that reviews don't produce work papers because evidence is generally not formally collected in support of the report, and so they require significantly less effort to conduct. Which is why, when we discuss the semantics of our industry, my partner is fond of saying that the difference between an audit and a review is about 50% of the proposed amount.

And as long as I'm ranting on the topic, how many of you out there include work papers as a deliverable when you contract with external entities to conduct audits? I've long been amazed at how many audit projects I've managed where work papers weren't required or provided because they weren't included in the statement of work. I'm of the opinion that a summary audit report by itself is useless if you don't have the supporting documentation, because that is the only true way to confirm that the testing occurred and to support the findings. And of course it's important to loop back to my earlier comment: examiners will absolutely ask you for the work papers. I routinely receive phone calls from clients I've worked with at my previous firms asking if I still have access to their work papers because their examiner is asking for them. It's awful for me because I have to tell them that while the evidence is still available (I keep everything for seven years for fieldwork I've conducted), there are no formal work papers to provide. That is the reason that, when we started our firm and developed the methodologies, I made certain that part of the scoping process included asking the client whether work papers were to be included in the deliverables. It adds time to the project and so there's a cost implication, but it's the right way to run an audit and so really a need-to-have. You can take a shortcut where applicable and only document findings, but even so, how can you prove that a successful test was actually successful? For those practitioners looking for shortcuts it provides the wrong incentive.

If you want/need an audit, schedule an audit. If you want/need a risk assessment, schedule a risk assessment. If you're considering a review or a generic assessment, reconsider; decide which of the two proper categories your work fits into and then schedule accordingly. This isn't rocket science; the FDIC and NCUA have been quite clear as to what you're required to do, so keep it simple. And if the resources you're using aren't speaking in the common audit and compliance vernacular, force their hand and make them do so. Audit or risk assess, pick one.

Jul 2 2009   2:53AM GMT

2 for 1 sale: How governance leads to compliance.



Posted by: David Schneier
Regulatory Compliance, GRC, governance, compliance, SOX, PCI, GLBA, Audit

A while back I'd written about the Unified Compliance Framework from Network Frontiers, which takes quite literally every regulation and framework within the IT domain and maps them in such a way that you can identify how a single control addresses multiple requirements. In this day and age, the era of regulatory overload, with even more regulations heading our way, I consider the product an essential tool in managing the required work. However, there's an important caveat to throw out there: the benefits of the UCF product can only be fully realized if it serves as the underpinnings of an IT governance program.

Ah yes, IT governance, a favorite topic of mine and one that's a sure-fire way to get me to whip out my soapbox and fire up the accompanying rhetoric. I'm a practitioner first and a theorist second, and the combined perspective provided by both has forced me to become a huge advocate of governance as not only the best way to achieve regulatory compliance but perhaps the only way. I've reached the end of my rope when it comes to the currently popular way to pursue compliance, which is to build silos and assign each its own regulation or industry framework. How does it make sense to have, for example, two or more groups of people testing user account provisioning when a single test can be used to satisfy both? It doesn't, and by doing so it wastes time, resources and money.

And so now I’m getting to do something about it.

My current “big” project has multiple parts. The client is managing the consolidation of two business entities including their regulatory compliance initiatives. It’s resulted in their needing to build out a plan to merge four sets of existing regulatory compliance frameworks as well as taking over responsibility for another that’s brand new to their mix. Beyond the doubling up of the required work, it’s also resulted in a new compliance team that’s sizable and using headcount within an IT organization doing work that’s not really IT-specific. That’s the bad news.

The good news is that the client had empowered the team responsible for managing compliance to switch to a governance approach a few years back. Rather than serve as an after-the-fact function that tests to make sure controls are working effectively, this group has served as an adviser to IT, helping strengthen controls, and has streamlined the testing process so that stakeholders pass along evidence of their daily activities, thus reducing the need for the typical testing-cycle fire drill that most of us know. It's served two purposes for the IT organization: it eased their burden in the compliance process and made them more trusting of the audit and assessment function.

But in the short term, the consolidation has dramatically increased their workload and at a time when management is looking for ways to reduce expenses and get more for less. How do they proceed? How do they consolidate the related frameworks, assume oversight for the new ones and continue delivering the value and efficiencies that they’ve come to be known for? There’s only one way: by taking IT governance to the next stage of its evolution.

They already understand and practice the basic elements of IT governance and so the foundation has been laid. Now it’s time to take it up a notch to the next level. Thus the tie-back to the UCF approach. If you have multiple frameworks to comply with, the commonalities to be found between them are significant. I know this based on my own research and analysis and can now prove it courtesy of UCF. The manager of the IT governance function is also a believer of this approach and the plan is to build out a true IT governance program so that all in-scope frameworks are to be managed via a consolidated approach. All current and effective frameworks will be supported through the end of 2009 but along the way each control and related activity is being reviewed to identify opportunities for consolidation. Once done, all IT-based activity will be viewed through the lenses of the new governance framework so that compliance is maintained and changes to the infrastructure are evaluated for any potential regulatory impact. And the best part is that all of this will likely be done with less effort, thus freeing up resources to focus on more IT-centric tasks.

Imagine that, a world where compliance is achieved through a coordinated proactive governance approach and IT resources are free to focus on technology-based activities. It's like solving two problems for the price of one with the added benefit of actually spending less money overall. What CIO/CTO wouldn't like that?


May 14 2009   6:38PM GMT

Who put the G in GRC?



Posted by: David Schneier
Regulatory Compliance, GRC, governance, risk, Audit, compliance

I'm something of an advocate for Governance, Risk and Compliance (GRC) and have been for several years. I've been known to rant a bit about how it's not properly organized as an acronym, because everyone who knows knows that risk comes first and so it should've been RGC. But as a discipline and as an approach to designing and implementing controls, I'm all for governance being used as the driver to assess, measure and manage risk. And of course if you're properly managing risk you're also naturally falling into alignment with all things compliance.

For the most part, whenever I see references to GRC in the marketplace it is almost always associated with a software product and not a discipline or a methodology. And in those rare instances where it is in reference to something being practiced, it's often depicted as an advanced formulaic concept that requires a PhD to understand, let alone practice. But I'm certain that's going to change. With all of the layers of regulatory requirements already placed upon Corporate America, and with the very real threat of even more looming large on the horizon, I know that eventually companies and institutions are going to be forced to abandon their all-too-common one-off, silo-centric approaches to compliance and commit to a single, well-thought-out governance program. My best guess is that once the economy begins the slow, steady climb out of its current abyss we'll start seeing signs of progress on this front.

And so I’m always monitoring the GRC landscape looking for subtle shifts and changes that may indicate a new advance or important discovery.

Two weeks ago one of those subtle shifts landed dead center on my GRC tracking radar, only it wasn't so subtle.

While working for a client who is suddenly confronted with the demands of a brand new set of regulations, I committed to building out a cross-reference matrix by which they can identify commonalities between their different frameworks and look for economies of scale in the work required to comply. But I'm sometimes lazy and decided that somebody somewhere must have already done something like this; I'm smart, but I'm not often the first one to think of something. And so a-Googlin' I went. Imagine my surprise when I not only found what I was looking for but also found that there was a company that had created a product that incorporates pretty much every regulation currently known to civilized man and had developed a master cross-reference to illustrate all of their interdependencies.

The product is called the "Unified Compliance Framework" and, for those people who understand governance and are committed to advancing it from theory to practice, this is something akin to the Holy Grail. Simply put, UCF monitors the regulatory and industry landscape, identifies emerging requirements/frameworks as well as modifications to those that already exist, and conducts an analysis to identify how each relates to the other frameworks. This allows any organization to take their existing control framework and use UCF to map those controls across the entire compliance spectrum, identifying where one control satisfies multiple frameworks.

Think about that for just a minute. If, for example, you've designed a control for password rules as part of your SOX framework, you can use UCF to quickly identify which of the other frameworks that control addresses (several, by the way). If your company conducts business in states that have or are about to have their own data privacy laws with which you have to comply (Massachusetts is the most recent), it's very likely that not only do you not have to reinvent the wheel but you already have one to use. UCF makes it easy to identify points of intersection, thus making the impossible possible. Or rather, it allows you to kill two (or more) birds with one stone (so to speak).

I've been railing for years against the common approach most companies use in which they design one-off solutions to align with the myriad frameworks they operate under. But it's been a difficult argument to establish, and until finding UCF I've had to struggle to make my case. But not any longer.

To validate my take on UCF I showed it to a colleague who is in senior management at a Fortune 500 company and who is himself responsible for IT governance. He immediately saw its potential and wanted to know who else was using it and how. I fear I've opened up a can of worms, though, because when I mentioned that I was researching early adopters of UCF he asked if he could join in on the interviews so that he can pick their brains and leverage their success. I was looking for validation and instead inherited a partner. But I feel as though I'm helping create a mini-wave of excitement in the governance space, and I'm OK with that.

I'll have more to share with you over the next few months as I continue to dig into how UCF is being used in support of GRC initiatives. But in the meantime I encourage you to check them out for yourself. If you're someone who has a governance role, hopes to have a governance role or simply wants a glimpse into the future of GRC, it's well worth your time.