Most information systems today are affected by one or more regulations, and some would argue that certain industries, banking and insurance in particular, are over-regulated. There are nonetheless many valid reasons for regulation, especially where information systems are concerned. A significant portion of the business processes and activities in most organizations depends completely on information systems and could not function without them. The vast amount of information those systems generate is what publicly traded companies use to report to authorities and regulators, and decision-makers and stakeholders rely on the resulting financial reports to make business decisions about investments, mergers, and acquisitions.
Internal and IT auditors are in a unique professional position. Their traditional and primary duty is to inspect and verify that business processes and practices are carried out as required by the various regulatory bodies, and the main output of an audit is an audit report that describes risks, control deficiencies, and breaches of existing controls. Auditors can also assume the role of trusted advisor and suggest ways to improve existing processes and to add new processes, tools, and best practices that improve performance and reduce operating costs. This article presents some ways in which internal and IT auditors can bring value to organizations in the course of conducting an audit.
Preparing for More Regulations
In spite of the overwhelming number of existing regulations, there are strong indications that a wave of new regulations will emerge in the next 12 to 18 months. The new regulations will require better controls as oversight on activities performed by particular groups within an organization. One thing IT departments can do now is use this grace period to prepare for complying with them.
A paradigm shift and thinking outside of the box regarding current practices will help in accepting a different approach to complying with regulation requirements. For example, the notion that regulation is not the chief information officer's or IT department's responsibility and the view that regulation requirements are not part of system requirements no longer apply. Instead, IT departments should accept the involvement of stakeholders and subject matter experts (SMEs) within the organization as critical and necessary for successful implementation of regulation requirements in information systems.
The following are the key players and SMEs who should be directly involved in complying with regulation requirements throughout the life cycle of the information system:
- Chief compliance officer.
- Chief risk officer.
- Information system manager.
- IT project manager.
- Information security manager.
- Quality assurance manager.
Internal and IT auditors cannot and should not take an active part in the design or implementation of regulation requirements, because doing so would create a conflict of interest in future audits of those same systems.
A key point of this new approach is that regulation requirements are an integral part of the set of requirements that are defined for an information system (functional, technical, performance, security) and therefore:
- Regulation requirements must be documented and managed along with all other requirements. (The use of a requirements management tool is recommended.)
- Regulation requirements must be translated into tasks and activities to be performed throughout the life cycle of the information system and clearly defined in all project work plans.
- The test plan for information systems must include specific tests to ensure effective and accurate implementation of regulation requirements.
Internal and IT auditors can bring an important added value to organizations by raising the level of awareness among managers and stakeholders of the benefits to be gained by adopting a new approach to meeting regulation requirements. Auditors can express such opinions in audit reports and during audit closing meetings as general comments and recommendations.
Life Cycle Phases
"Information System Life Cycle Phases" (below) represents a typical life cycle model for information system development, implementation, and sustainability. The model includes some key activities that are related to regulation requirements in each phase of the life cycle. The activities relating to regulation requirements development, testing, and implementation can be easily incorporated into other life cycle models.
There is no need to invent a new methodology for information systems development or to alter existing methodologies drastically. Instead, organizations should change and upgrade concepts that are currently used by IT departments. The involvement and active participation of SMEs is essential to successful implementation of this approach.
Information System Life Cycle Phases
Source: MethodA, by Methoda Computers Ltd.
Four Steps to Implementation
The adoption and implementation of the proposed approach to complying with regulation requirements consists of four steps. Activities in these four steps can be easily incorporated into the Software Development Life Cycle (SDLC) currently in use by the organization. "Information System Life Cycle Phases" is a model that demonstrates integrating regulation requirements into a popular SDLC.
1. Discovery and Identification
Specific regulation requirements relevant to information systems should be documented. A current risk survey report may be used if available.
Identification and classification of binding enterprise regulations, standards, and frameworks should be included in a dictionary of terms and definitions. This dictionary should be the basis for a common language among all the organizational units in the enterprise that are involved in implementing and sustaining regulatory compliance measures. Existing and planned information systems and the identification of gaps between regulation requirements and their implementation should also be surveyed.
A single information system may be subject to requirements from several regulators. Conversely, an IT control developed in response to one regulation requirement may be applicable to several information systems. One byproduct of this exercise is the identification of duplicate controls that were implemented to satisfy the same regulatory requirement in different systems. A list of information systems, their risk classification, and their associated controls presents an excellent opportunity to streamline and consolidate the number of IT controls in the organization.
Once IT controls are documented, a logical next step would be to expand the knowledge base by linking relevant policies, procedures, work instructions, forms, process owner information, and system managers. A repository of such information could help reduce the burden and high demand on IT professionals and make the audit process more efficient.
Information systems should be classified to facilitate prioritization according to criteria such as:
- The importance of a system to a business process. An existing risk survey report can be used as a source for information system classification and serve as a starting point. Control self-assessment is a popular tool that can be used for establishing information systems classification.
- The impact of the information system on one or more business processes and the risk factors associated with information systems.
- The interdependency with other internal and external information systems.
Once prioritized, a viable work plan for implementing regulation requirements can be developed for the information systems managed by the IT department.
To establish ownership and direct responsibility for each information system in the organization, it is necessary to map information systems. Mapping should identify the following relationships:
- Information system to business process.
- Regulation requirements to organizational unit(s).
- Information system ownership.
- Identification or discovery of "orphan" information systems.
- Identification of multi-owner information systems.
Any identified gaps must be investigated and resolved. Additionally, the mapping information collected in this effort should be well-documented and maintained as an ongoing regulation compliance activity.
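The mapping and gap analysis described in this step can be kept as a small, queryable inventory rather than a spreadsheet that is rebuilt for every audit. The following is an added example, not code from the article or from the MethodA model: a Python script over a constructed, hypothetical inventory (the system names, requirement IDs such as REQ-1, and control IDs are invented for illustration and do not refer to any real regulation). It finds orphan and multi-owner systems, systems not tied to any business process, the same control objective implemented separately in several systems (consolidation candidates), regulation requirements that no control covers, and controls that cite a requirement ID missing from the dictionary of terms.

```python
"""Compliance mapping and gap analysis over a constructed system inventory.

Added example; all systems, requirement IDs and control IDs below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    objective: str            # normalized statement of the control objective
    requirements: frozenset   # regulation requirement IDs this control satisfies


@dataclass(frozen=True)
class System:
    name: str
    owners: tuple             # organizational unit(s) accountable for the system
    processes: tuple          # business processes the system supports
    controls: tuple           # Control objects implemented in or around the system


# Dictionary of terms: requirement ID -> (regulation, responsible organizational unit).
# Constructed for this example; "Regulation A/B" are placeholders, not real regulations.
REQUIREMENTS = {
    "REQ-1": ("Regulation A", "Finance"),
    "REQ-2": ("Regulation A", "Finance"),
    "REQ-3": ("Regulation B", "HR"),
    "REQ-4": ("Regulation B", "HR"),
}

# Constructed inventory. "legacy-reporting" has no owner and no process (an orphan),
# "payroll" has two owners, and three systems implement the same access-review control.
INVENTORY = (
    System("general-ledger", ("Finance",), ("month-end close",), (
        Control("GL-C1", "privileged access review", frozenset({"REQ-1"})),
        Control("GL-C2", "change approval before deployment", frozenset({"REQ-2"})),
    )),
    System("payroll", ("HR", "Finance"), ("payroll run",), (
        Control("PR-C1", "privileged access review", frozenset({"REQ-1", "REQ-3"})),
    )),
    System("legacy-reporting", (), (), (
        # REQ-9 is deliberately absent from REQUIREMENTS to show a dangling reference.
        Control("LR-C1", "privileged access review", frozenset({"REQ-1", "REQ-9"})),
    )),
)


def orphan_systems(inventory):
    """Systems with no accountable owner."""
    return [s.name for s in inventory if not s.owners]


def multi_owner_systems(inventory):
    """Systems where more than one unit claims ownership; responsibility must be settled."""
    return [s.name for s in inventory if len(s.owners) > 1]


def systems_without_process(inventory):
    """Systems not mapped to any business process."""
    return [s.name for s in inventory if not s.processes]


def duplicate_controls(inventory):
    """Control objectives implemented separately in more than one system.

    Returns {objective: [(system, control_id), ...]} for consolidation review.
    """
    by_objective = defaultdict(list)
    for s in inventory:
        for c in s.controls:
            by_objective[c.objective].append((s.name, c.control_id))
    return {obj: impls for obj, impls in by_objective.items() if len(impls) > 1}


def requirement_coverage(requirements, inventory):
    """Map each known requirement ID to the sorted list of systems with a control for it."""
    covered = defaultdict(set)
    for s in inventory:
        for c in s.controls:
            for req in c.requirements:
                covered[req].add(s.name)
    return {req: sorted(covered.get(req, ())) for req in requirements}


def uncovered_requirements(requirements, inventory):
    """Requirements in the dictionary that no control in any system satisfies."""
    cov = requirement_coverage(requirements, inventory)
    return sorted(req for req, systems in cov.items() if not systems)


def unknown_requirement_refs(requirements, inventory):
    """Requirement IDs cited by controls but missing from the dictionary of terms."""
    cited = {r for s in inventory for c in s.controls for r in c.requirements}
    return sorted(cited - set(requirements))


def gap_report(requirements, inventory):
    """Assemble every finding into one structure suitable for the audit working papers."""
    return {
        "orphan_systems": orphan_systems(inventory),
        "multi_owner_systems": multi_owner_systems(inventory),
        "systems_without_process": systems_without_process(inventory),
        "duplicate_controls": duplicate_controls(inventory),
        "uncovered_requirements": uncovered_requirements(requirements, inventory),
        "unknown_requirement_refs": unknown_requirement_refs(requirements, inventory),
    }


if __name__ == "__main__":
    for finding, value in gap_report(REQUIREMENTS, INVENTORY).items():
        print(f"{finding}: {value}")
```

Each finding maps to one of the mapping relationships listed above; in practice the inventory would be loaded from the requirements management tool or repository rather than written inline, and the report would be re-run as part of the ongoing compliance activity so that newly onboarded or retired systems surface as gaps immediately.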
4. Development, Testing, Implementation, and Maintenance
The development, testing, implementation, and maintenance of regulation requirements include:
- Development of code necessary to satisfy regulation requirements.
- Testing and validation of regulation compliance of information systems developed in-house.
- Validation that all vendor-supplied information systems comply with regulation requirements.
- Testing, validation, and approval of the compliance of external information system services with regulation requirements (including software-as-a-service (SaaS) systems).
Certification demonstrating regulatory compliance of information systems, signed off by all stakeholders, is required to authorize systems for production use.
During tough economic times and budget cuts, improving business processes is a good way to prepare for the up-turn cycle and for the inevitable wave of new regulations that are sure to hit our shores.
The prevailing expectation of doing more with less applies to internal and IT auditors just as it does to other stakeholders in business enterprises. Internal and IT auditors can add value to their audited parties in particular, and to business organizations in general, by playing the role of trusted advisor. The primary role of an auditor remains to verify compliance; to identify risks, control deficiencies, and the effectiveness of existing controls; and to produce an audit report for management.
An experienced auditor can suggest and recommend improvements to existing processes and recommend new tools and methods for consideration. Furthermore, over time this approach can improve work relationships between the auditor and audited parties in the organization.