TALKING Points
Information Technology Risk Management Services:
Meeting the changing requirements and demands of today’s business enterprises
Gil Smith, RSM Bird Cameron
July 2009
Meeting the changing requirements and demands of today’s business enterprises July 2009
Information Technology Risk Management Services Meeting the Changing Requirements and Demands of Today’s Business Enterprises
• Traditionally regarded as a technical exercise aimed at supporting external audits, Information Technology risk management has become a core corporate function engaging senior management.
• Recent surveys illustrate the rising sensitivity of corporate executives and Board members to IT risks and their growing involvement in IT risk management.
• As a result of the increased engagement of senior management and changes in the legal/regulatory environment, market demand for IT risk management services has expanded beyond audit support.
• Corporate managers increasingly view information as a business-critical asset whose protection must be addressed at the highest levels of the organisation.
• The holistic approach to Information Governance treats information security at the total enterprise level to ensure the proper protection of organisational information regardless of how it is handled, processed, transported, or stored.
• Providers of IT risk management services should align their suite of services with shifting market demand, with special attention to improved services in the areas of IT governance, information security, disaster recovery, and business continuity planning.
Changes in IT Risk Management
As a leading provider of Information Technology risk management services in Australia and the Asia Pacific region, RSM Bird Cameron is closely following developments in the IT risk management sphere during the economic slowdown. In recent months, a number of changes have occurred that underscore the need to align IT risk management services with shifting market demand.
Traditionally, IT risk management has been viewed as a professional service whose foremost purpose is to support external audits:
• Assessing the effectiveness of general IT controls (i.e., control procedures affecting all IT infrastructure but not related to specific business application systems)
• Evaluating the effectiveness of IT controls internal to computer application systems (the systems supporting business operations and administration)
• Conducting specialist reviews (e.g., disaster recovery planning, business continuity planning, access and data security, pre-implementation reviews)
• Undertaking data analysis and computer assisted audit techniques
These services remain vital to corporate clients. However, the needs of the IT risk management market have expanded due to (1) the rising importance of legislative and regulatory requirements pertaining to corporate governance, information and data management, and (2) the growing involvement of senior company executives and Board members in IT risk management. The concepts of IT risk management have now progressed far beyond traditional IT assurance, such that they are core components of organisational business and risk management strategies.
Increasing Exposure to IT Risks
Table 1 reports the results of a survey conducted at a recent workshop of Australian public sector risk management and internal audit executives gauging their views of IT risk. The survey demonstrates that risk management and internal audit executives are increasingly sensitive to the risks associated with enterprise IT systems and the data processed and stored in those systems.
Table 1: The highest priority issues/systems/functions for examination by Internal Audit during 2009 (reflecting risk assessment, Board and Executive requirements)
Issue and area of risk, in priority order:
1. IT systems implementation & IT security
2. Compliance with legislation, policies and procedures
3. Developing / implementing Enterprise Risk Management (ERM) framework
4. Procurement
5. Fraud & corruption risk assessment & related issues
6. Focusing on the results emerging from an enterprise risk assessment
7. Performance / operational audits of core functions
8. Asset management
NSW Public Sector Audit & Risk Practitioner Network; Chief Audit Executives & Chief Risk Officers Forum, Monday 6th April 2009
The same workshop demonstrated that senior risk management and internal audit executives are increasingly concerned about their ability to secure the human and technical resources required to manage and audit IT risks, especially the risk management capabilities needed to service the Internal Audit Strategic Plans approved by their Audit and Risk Committees (See Table 2 below.)
Table 2: The issues of greatest concern in running an effective Internal Audit function during 2009
Issue and area of risk, in priority order:
1. Resourcing (for staffing & contractors)
2. Meeting Audit Committee (AC) expectations and AC-related issues
3. Full support from management (including middle management)
4. Internal Audit staff skills (particularly with respect to IT)
5. Managing co-sourced Internal Audit arrangements
NSW Public Sector Audit & Risk Practitioner Network; Chief Audit Executives & Chief Risk Officers Forum, Monday 6th April 2009
Information Governance
High on the list of recent focus areas for Boards and members of the Executive is Information Governance.
“Governance” is the set of responsibilities and practices exercised by the Board and Executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the Department’s resources are used responsibly.
“Information” and the knowledge based on it have increasingly become recognised as business-critical assets without which most organisations would simply cease to function. Information is a business enabler requiring careful attention by senior managers and Board members. In today’s complex, interconnected world, protection of information assets has become a core corporate function that must be addressed at the highest levels of the organisation and not be regarded as a technical speciality with accountability relegated to the IT department.
An enlightened approach to information security takes the holistic view that an organisation’s information must be adequately protected regardless of how it is handled, processed, transported or stored. This model addresses organisational information at the total enterprise level, engaging the universe of risks, benefits and processes involved with all information resources.
In brief, information governance is not only a technical issue, but a business and governance challenge that involves competent risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organisation’s response to them.
IT Governance
A related subject of growing interest to Boards and the Executive is IT Governance. The subject is complex and diverse, including the following themes:
1. Importance of IT to the organisation; the extent to which it is relied upon to service the business requirements and ensure the integrity, availability and confidentiality of information
• How important is IT to the enterprise, and why?
• What is the contribution expected from IT to the overall business?
2. IT Performance
• How satisfied is the Executive with the current contribution of IT to the business?
3. IT Accountability
• What is the role of the business and IT stakeholders in governing IT?
• Where does the CEO look for IT leadership (leadership of IT)?
• Are accountabilities effectively defined and accepted?
4. Effectiveness of IT Governance
• Are IT governance efforts integrated with overall enterprise governance arrangements?
• How effective are IT governance arrangements within the organisation?
IT governance should be an integral part of corporate governance. Effective IT governance ensures that the technology investments generate value for the enterprise, IT resources are used responsibly, and IT risks are properly mitigated.
Views of Non-IT Executives
The Information Systems Audit and Control Association (ISACA) conducted research on information governance, surveying top non-IT executives to ascertain their views on IT’s contribution to the business and identify ways their enterprises are governing IT. The results support the need to provide more focus and assistance in all areas of information governance (highlighted in the charts below).
Thinking about your overall business strategy or vision, how important do you consider IT to be to the successful delivery of this strategy or vision?
• Very important: 51%
• Somewhat important: 36%
• Neither: 11%
• Not very important: 2%
What is the typical focus of board discussions about IT?
• Improving IT operational performance: 59%
• Role of IT in future business success: 36%
• Contribution of IT to innovative …: 30%
• Reducing the cost of IT to the …: 28%
• Analysing IT-related risks: 28%
• Other: 12%
• Do not know: 2%

Rate the importance of the role IT plays in relation to the innovation, efficiency, and effectiveness of your enterprise.
(Responses shown as Innovation / Efficiency / Effectiveness)
• Not important at all: 4% / 0% / 0%
• Not very important: 11% / 1% / 2%
• Neither: 26% / 11% / 18%
• Somewhat important: 37% / 37% / 45%
• Very important: 22% / 50% / 36%
Role of IT Risk Management Service Providers
The increased awareness of corporate managers of the importance of Information Technology risk management creates major opportunities for IT risk service providers:
• Board members and senior executives are more approachable and willing to discuss IT risks and information management
• Company managers are more likely to request coverage of Information Technology and information about IT risks, unsolicited by auditors and risk managers
• There is greater acceptance by members of Boards and the executive of the need to educate employees about information management and to strengthen IT processes and controls
As corporate managers and Board members become more engaged in information governance, professional service providers should focus on aligning their suite of IT risk management services with the changing needs of clients. RSM Bird Cameron provides the following services:
IT Governance
• Control & Governance Frameworks
• Strategic Alignment
• Performance Measurement
• Benefits realization reviews
Information Security
• Confidentiality & Security
• Custodianship/Ownership
• Accountability & Responsibility
IT Project Governance
• Integration Management
• Time & Scope Management
• Cost & Quality Management
• Procurement Management
• Compliance with Methodology
eDiscovery and CAAT
• Data Extraction & Analysis
• Data Asset Management
• External Audit Support
Disaster recovery and business continuity planning
Post implementation reviews
Gil Smith heads IT Risk Management Services in RSM Bird Cameron’s Sydney office and has many years of experience in Information System Security, IT governance and IT audit. [email protected]
RSM International is a worldwide member organisation of independent accounting and consulting firms. RSM International is represented in 72 countries and brings together the talents of 30,200 individuals worldwide. The organisation’s total fee income of US$3.62bn places it amongst the top seven international accounting organisations worldwide. Member firms are driven by a common vision of providing high quality professional services, both in their domestic markets and in serving the international professional service needs of their client base. www.rsmi.com
RSM International is the name given to a network of independently owned and managed accounting and consulting firms each of which practices in its own right. RSM International does not exist in any jurisdiction as a separate legal entity. The network is administered by RSM International Limited, a company registered in England and Wales (company number 4040598) whose registered office is at 11 Old Jewry, London EC2R 8DU. Intellectual property rights used by members of the network including the trademark RSM International are owned by RSM International Association, an association governed by articles 60 et seq of the Civil Code of Switzerland whose seat is in Geneva. © RSM International Association, 2009
RSM Bird Cameron is a unique accounting firm, with over 850 staff providing pragmatic advice from 28 offices across Australia. As you would expect from a leading national firm, RSM Bird Cameron provides a full range of specialist corporate and business advisory services including assurance and advisory, corporate finance, taxation consulting and turnaround and insolvency.