September 2005 — PRINT EDITION    
 
   
 

The big ten

By Gerald Trites & Andrée Lavigne
Photograph: John Ueland

Every year ITAC consults with the profession about its technology concerns, and this year is no different: here is its ranked list of the top 10 priorities facing CAs

In May, CitiFinancial, the consumer finance division of Citigroup, one of the largest financial institutions in the world, announced that a box of computer tapes containing personal data on 3.9 million customers had been lost in transit. The data included names, addresses, social security numbers, account numbers, payment histories and details of personal loans. In June 2004 a programming change treated as routine maintenance triggered cascading processing failures at the Royal Bank of Canada, which was left unable to process transactions, interrupting service to its 10 million Canadian customers. Almost monthly, financial institutions around the world and their customers are targeted by phishing scams, in which con artists mimic legitimate websites and communications to obtain private information and access to clients’ accounts.

In each case, a failure of control over processes and information disrupted important business, broke systems, damaged corporate reputations and created a risk of legal action. The RBC incident confirmed that change management controls are just as necessary for maintenance as for any other program change. The CitiFinancial loss carries its own lesson: backup media that leave a controlled site should be encrypted, so that a lost box is a missing asset rather than a disclosure of every record on it.

The lesson here is that good IT controls and governance are more important than ever for boards of directors, audit committees and senior management.

Every year, the CICA’s Information Technology Advisory Committee (ITAC) consults with members of the profession on major technology concerns, which are compiled into a list and published in CAmagazine. And this year the tradition carries on.

Year-to-year changes to the list usually occur because of significant events during that period. For example, thanks to the Sarbanes-Oxley Act (SOX) and the Investor Confidence Rules, IT governance and control systems top the 2005 list (see list below). Items are presented in the order of importance assigned to them in the consultative process.

The top technology issues for 2005

1. IT governance and control systems
2. Wireless systems security and control
3. Information privacy
4. E-mail management
5. Disaster recovery planning
6. Identity theft
7. IT outsourcing
8. VoIP
9. RFID usage
10. Use of XBRL

IT governance and control systems
Many large companies in Canada, the US and elsewhere are struggling to comply with SOX, which was passed in the US in 2002 in response to corporate scandals such as those at Enron and WorldCom. The full force of SOX was felt in 2004 as companies required to file with the US Securities and Exchange Commission (SEC) began doing so. Canadian companies listed on US exchanges must also file with the SEC. Section 404 requires management to assess and report on the effectiveness of internal control over financial reporting, and that has serious IT implications because such controls rest heavily on IT systems.

Because CEOs and CFOs are responsible for an organization’s internal control over financial reporting and its disclosure controls and procedures, including the relevant IT controls, they need to ensure these receive appropriate attention. IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations depend for business and financial transaction processing. Overlooking or minimizing their importance creates significant risk. The completeness, accuracy and timeliness of financial information and financial reporting depend heavily on a well-controlled IT environment.

In the past year, ITAC released a booklet, IT Control Assessments in the Context of CEO/CFO Certification. It examines the importance of IT controls in the context of recent regulatory changes (i.e., SOX and its Canadian equivalent, the Investor Confidence Rules) and identifies IT-specific frameworks that give CIOs additional guidance on ensuring their IT controls will support their organization’s certification processes and improve governance over IT.

Wireless systems security and control has grown in importance because of the significant increase in the use of personal digital assistants, such as the BlackBerry and the Palm Pilot, for e-mail, which raises concerns about security. Wireless systems include cellphones, pocket PCs, wireless local area networks (WLANs) and an assortment of special-purpose devices.

WLANs, also known as WiFi, are widely used in business. They carry security issues of their own, particularly around the most widely deployed wireless standard, 802.11b, whose original Wired Equivalent Privacy (WEP) encryption is known to be breakable from captured traffic. A practical check for any organization is to inventory its access points and treat those still running WEP, or no encryption at all, as untrusted until they are moved to WPA or stronger.
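The following is an added example, not code from the article or from ITAC, showing the core weakness behind the 802.11b security concerns above. WEP encrypts each frame with RC4 keyed by a 24-bit initialization vector (IV) prepended to the shared secret. Because the IV space is only 16 million values, IVs repeat on a busy network, and two frames encrypted under the same IV share a keystream: XORing their ciphertexts cancels the keystream and leaves the XOR of the plaintexts, so a known first frame reveals the second without the key. The key, IV and frame contents are constructed sample data; the integrity value real WEP appends is left out because it does not affect the reuse problem.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling pass, then `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style frame encryption: RC4 keyed with the 24-bit IV prepended to the
    shared secret. (Real WEP also appends a CRC-32 integrity value; omitted here
    because it plays no part in the keystream-reuse problem being shown.)"""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4_keystream(iv + secret_key, len(payload))
    return bytes(p ^ k for p, k in zip(payload, keystream))


def recover_with_reused_iv(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under one IV share a keystream, so c1 ^ c2 == p1 ^ p2 and the
    second plaintext follows from the first. The secret key is never needed."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(c1[i] ^ c2[i] ^ known_p1[i] for i in range(n))


def expected_frames_for_iv_collision() -> float:
    """Birthday bound: number of frames after which a repeated IV is more likely
    than not, for a 24-bit IV chosen at random per frame."""
    return math.sqrt(2 * math.log(2) * 2 ** 24)


def demo() -> bytes:
    secret_key = bytes.fromhex("0123456789")     # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                          # the same IV reused for both frames
    p1 = b"GET /balance HTTP/1.0\r\n"             # frame an eavesdropper can predict
    p2 = b"password=letmein\r\n\r\n"             # frame the eavesdropper wants
    c1 = wep_encrypt(secret_key, iv, p1)
    c2 = wep_encrypt(secret_key, iv, p2)
    return recover_with_reused_iv(c1, c2, p1)


if __name__ == "__main__":
    print(demo())
    print(f"about {expected_frames_for_iv_collision():.0f} frames until an IV repeat is likely")
```

The recovered bytes are the second frame's plaintext in full. On a real network the predictable first frame is typically protocol boilerplate (ARP, DHCP, HTTP request lines), which is why WEP traffic capture alone, with no key recovery at all, is already a disclosure.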

Information privacy was of foremost concern for people and organizations and ranks as high on this year’s list as it did on last year’s. In 2004, the federal government’s Personal Information Protection and Electronic Documents Act and similar provincial legislation came into full effect. Information privacy is a crucial issue and ITAC has published several documents on this topic (they are available at www.cica.ca/itac). There have been numerous incidents reinforcing the need for vigilance by organizations over the private information they possess. Take, for example, the CIBC case, in which the bank was accused of faxing confidential client information to a scrapyard operator in West Virginia.

E-mail management E-mail is frequently used to conduct business. In the event of legal action, the ability to locate and retrieve messages could be crucial to an effective defence. Many organizations have not implemented adequate retention, management and control policies for e-mail messages and attachments, leaving e-mail management up to individual employees. Such an informal approach is not adequate in today’s environment.

An important aspect of e-mail management is spam control, the set of measures taken to combat the receipt of unwanted e-mail. Although tools such as spam filters are available, spam still consumes users’ time. Spyware and anti-virus measures are closely related problems. Spyware is software, often accompanied by tracking cookies, placed on a user’s computer without his or her knowledge to gather information about the user’s Internet usage. Spyware removal software is widely used to deal with it.

Disaster recovery planning has been an issue since computers were first used in business. And it remains in the limelight as terrorist attacks and natural disasters occur, pointing to the need for plans to cope with such events. Information systems are critical in most organizations and when disabled can threaten a business’s profitability and viability.

Identity theft is an outcome of failures in privacy management and is often folded into the information privacy issue. Some, including ITAC, believe it should be treated separately because of the unique legal risks it poses for organizations whose employees’ identities are stolen: the organization could find itself in court defending its control and privacy procedures. Identity theft involves gathering someone’s private information by devious means, such as phishing, and then using that information for financial gain.

Phishing is the sending of an e-mail that falsely claims to come from a legitimate enterprise in an attempt to trick the recipient into disclosing private information. The e-mail asks for credit card numbers, bank account information, social insurance numbers and passwords that can then be used for identity theft. For example, e-mails claiming to be from at least two chartered banks have been circulating, asking for personal information so that “financial accounts can be kept active.” Similar messages have been sent about eBay accounts. The tell-tale signs are a sender address that is not the institution’s own domain, a link whose visible text differs from where it actually points, and a demand for secrets that a bank would never request by e-mail.
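As an added example, not from the article, here is a small heuristic screen that applies the signs described above to raw e-mail messages: a sender domain that is not the bank's, a link whose displayed address differs from its real target, a link to a bare IP address, a request for credentials or account data, and pressure with a deadline. The two sample messages are constructed; "examplebank.ca" stands in for a real bank's domain and the sending address and IP are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the bank's genuine sending domain. Mail claiming to be the bank
# from anywhere else is suspect.
TRUSTED_DOMAINS = {"examplebank.ca"}

# Phrases typical of the requests phishing messages make.
CREDENTIAL_PHRASES = ("password", "social insurance number", "account number",
                      "credit card", "verify your account", "kept active")
URGENCY_PHRASES = ("within 24 hours", "immediately", "suspended", "will be closed")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'^(?:https?://)?([^/\s:]+)', re.I)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

# Constructed sample: impersonates the bank, mismatched link, credential request.
PHISHING_SAMPLE = """From: "Example Bank Security" <alerts@examplebank-verify.com>
To: customer@example.net
Subject: Action required: keep your account active
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify your account.</p>
<p>Log in at <a href="http://203.0.113.7/login">https://www.examplebank.ca/login</a>
and confirm your password and account number.</p>
"""

# Constructed sample: genuine statement notice from the bank's own domain.
LEGIT_SAMPLE = """From: "Example Bank" <statements@examplebank.ca>
To: customer@example.net
Subject: Your August statement is ready
Content-Type: text/html

<p>Your statement for August is available in online banking.</p>
<p>Visit <a href="https://www.examplebank.ca/">https://www.examplebank.ca/</a> and sign in as usual.</p>
"""


def domain_of(url_or_text: str) -> str:
    """Host part of a URL, or of a bare host name shown as link text."""
    m = DOMAIN_RE.match(url_or_text.strip())
    return m.group(1).lower() if m else ""


def is_trusted(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyze(raw_message: str) -> dict:
    """Return {'phishing': bool, 'reasons': [...]} for one single-part message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body = msg.get_payload()                      # samples are single-part text/html
    text = re.sub(r"<[^>]+>", " ", body).lower()  # strip tags before phrase matching
    reasons = []

    if sender_domain and not is_trusted(sender_domain):
        reasons.append(f"sender domain {sender_domain} is not the bank's domain")

    for href, shown in ANCHOR_RE.findall(body):
        target = domain_of(href)
        displayed = domain_of(re.sub(r"<[^>]+>", "", shown))
        if displayed and displayed != target:
            reasons.append(f"link text shows {displayed} but points to {target}")
        if IPV4_RE.match(target):
            reasons.append(f"link points to a bare IP address {target}")

    if any(p in text for p in CREDENTIAL_PHRASES):
        reasons.append("asks the reader to supply credentials or account data")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("pressures the reader with a deadline or threat")

    # Require two independent signals so one stray word does not flag a message.
    return {"phishing": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    for label, sample in (("phishing sample", PHISHING_SAMPLE), ("legitimate sample", LEGIT_SAMPLE)):
        print(label, analyze(sample))
```

A filter like this catches the crude campaigns the article describes; it does not replace user training, since a message sent from a compromised account on the bank's own domain would pass the sender check and rely on the remaining signals.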

IT outsourcing has been used extensively by businesses to help control costs, but it raises significant management issues. Outsourcing IT means that certain processes, such as programming and selected automated processes, are handed to others; responsibility for those processes and their outcomes cannot be handed over in the same way. Management must therefore adopt measures to ensure its responsibilities continue to be discharged. In addition, compliance with the SOX requirement that management report on its internal control systems can be difficult to establish when some or all of those systems are outsourced.

ITAC has issued a white paper on its website addressing this issue, and released a booklet, 20 Questions Directors Should Ask About Information Technology Outsourcing, also available on the website.

Voice over Internet protocol (VoIP), a technology that carries voice calls over IP networks such as the Internet, is on the verge of going mainstream as major telephone providers, including Bell Canada, adopt it. VoIP raises security and integrity concerns because the voice stream is digital data that is converted, transmitted and switched by ordinary networked computers, and is therefore exposed to the same interception and availability threats as any other network traffic. These issues need to be defined and addressed.

Radio frequency identification (RFID) usage is growing dramatically. It began as a means of tagging inventories of parts and other goods to have greater control over stock movements and prevent stock-outs. It has significant systems implications, as movements tracked by RFID can form the basis of entries in information systems for manufacturing and retailing. More recently, use of RFID has become more pervasive; for example, it is used to monitor numerous parts installed in the new Airbus A380 superjumbo to speed up the maintenance process.

XBRL SOX, mentioned above, requires the SEC to review each registrant’s filings at least once every three years. This represents a substantial increase in its review work and will significantly strain its resources, so the SEC is looking for technologies that help automate the processing of filings. In October 2004, in Release No. 33-8496, the SEC proposed a voluntary program under which registrants could file certain reports, including forms 10-K, 10-Q and 8-K, in eXtensible Business Reporting Language (XBRL) format. The program, which has since been adopted, increases the importance of XBRL. Canadian regulators have not yet acted on this matter, but they are monitoring the US program, and some Canadian companies are likely to take part in it. XBRL is an XML-based tagging format: each reported figure is tagged with the concept it represents, the entity and period it applies to and its unit of measure, so that individual or grouped data points such as sales, market share and other key performance indicators can be retrieved and reported by software. The voluntary SEC program will likely result in increased adoption of XBRL this year. An emerging issue is whether, and how, assurance can be provided at the level of the individual tagged data point rather than only over the statements as a whole.
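To make the tagging concrete, and to show what a data-level check on an XBRL filing can look like, here is an added example that is not from the article or from any regulator. It parses a small XBRL instance with the standard library, resolves each fact's context and unit, and then recomputes a reported total from its tagged components, the kind of arithmetic a calculation linkbase expresses. The instance document is constructed; the "ex" namespace and its element names are a placeholder taxonomy, not a real one, and only the xbrli namespace is the genuine XBRL 2.1 instance namespace.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal

XBRLI = "http://www.xbrl.org/2003/instance"      # real XBRL 2.1 instance namespace
EX = "http://example.com/taxonomy/2005"         # hypothetical company taxonomy

# Constructed instance: one fiscal-year context, one unit, three tagged facts.
SAMPLE_INSTANCE = f"""<xbrli:xbrl xmlns:xbrli="{XBRLI}" xmlns:ex="{EX}">
  <xbrli:context id="FY2004">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.com/registrant">EXAMPLE-CO</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period>
      <xbrli:startDate>2004-01-01</xbrli:startDate>
      <xbrli:endDate>2004-12-31</xbrli:endDate>
    </xbrli:period>
  </xbrli:context>
  <xbrli:unit id="CAD"><xbrli:measure>iso4217:CAD</xbrli:measure></xbrli:unit>
  <ex:Revenue contextRef="FY2004" unitRef="CAD" decimals="0">1250000</ex:Revenue>
  <ex:CostOfSales contextRef="FY2004" unitRef="CAD" decimals="0">800000</ex:CostOfSales>
  <ex:GrossProfit contextRef="FY2004" unitRef="CAD" decimals="0">450000</ex:GrossProfit>
</xbrli:xbrl>
"""


def q(ns: str, local: str) -> str:
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def parse_instance(xml_text: str):
    """Return (contexts, units, facts). A fact is the concept's local name plus its
    contextRef, unitRef, decimals attribute and value as a Decimal."""
    root = ET.fromstring(xml_text)
    contexts, units, facts = {}, {}, []
    for el in root:
        if el.tag == q(XBRLI, "context"):
            period = el.find(q(XBRLI, "period"))
            contexts[el.get("id")] = {
                "start": period.findtext(q(XBRLI, "startDate")),
                "end": period.findtext(q(XBRLI, "endDate")),
            }
        elif el.tag == q(XBRLI, "unit"):
            units[el.get("id")] = el.findtext(q(XBRLI, "measure"))
        elif el.tag.startswith("{" + XBRLI + "}"):
            continue  # other xbrli housekeeping elements (none in the sample)
        else:
            ns, local = el.tag[1:].split("}", 1)
            facts.append({"concept": local, "namespace": ns,
                          "context": el.get("contextRef"), "unit": el.get("unitRef"),
                          "decimals": el.get("decimals"),
                          "value": Decimal(el.text.strip())})
    return contexts, units, facts


def dangling_references(contexts, units, facts):
    """Structural check: every fact must point at a declared context and unit."""
    problems = []
    for f in facts:
        if f["context"] not in contexts:
            problems.append(f"{f['concept']}: unknown contextRef {f['context']}")
        if f["unit"] is not None and f["unit"] not in units:
            problems.append(f"{f['concept']}: unknown unitRef {f['unit']}")
    return problems


def fact_value(facts, concept: str, context: str) -> Decimal:
    for f in facts:
        if f["concept"] == concept and f["context"] == context:
            return f["value"]
    raise KeyError(f"{concept} not reported for {context}")


def check_calculation(facts, total: str, weights: dict, context: str):
    """Recompute a total from its components (weights as in a calculation linkbase,
    e.g. +1 for revenue, -1 for cost of sales) and compare with the reported figure.
    Returns (ok, computed, reported)."""
    computed = sum(Decimal(w) * fact_value(facts, c, context) for c, w in weights.items())
    reported = fact_value(facts, total, context)
    return computed == reported, computed, reported


def audit(xml_text: str):
    """Run both checks over an instance and return a list of problem strings."""
    contexts, units, facts = parse_instance(xml_text)
    problems = dangling_references(contexts, units, facts)
    ok, computed, reported = check_calculation(
        facts, "GrossProfit", {"Revenue": 1, "CostOfSales": -1}, "FY2004")
    if not ok:
        problems.append(f"GrossProfit reported {reported} but components sum to {computed}")
    return problems


if __name__ == "__main__":
    print("clean instance:", audit(SAMPLE_INSTANCE) or "no problems")
    print("tampered instance:", audit(SAMPLE_INSTANCE.replace(">450000<", ">460000<")))
```

The tampered run shows the point of data-level assurance: a single altered figure is caught by arithmetic over the tags themselves, with no need to re-read the rendered statement. A real filing would draw the weights from the taxonomy's calculation linkbase rather than a literal dictionary.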

Other issues
Several other issues were considered for inclusion in the top-10 list, some raised by ITAC members, others by people the committee consulted.

  • Service-oriented architecture (SOA) is an architectural style that achieves loose coupling among interacting software agents through small interfaces and simple messages. A service is a set of tasks bundled into a package and carried out over the Web or a network. Generally, such services exchange data as Extensible Markup Language (XML), which is also the basis for XBRL. SOA is used to link enterprise and other systems in organizations, forming a virtual architecture based on linked services. However, the quality of SOA-based services can vary.
  • Business intelligence is a major aspect of e-business for many organizations. It is the process of enterprise-wide gathering and management of information to gain strategic advantage or maintain strategic position. BI is an ongoing challenge. Although it was on last year’s list, this year it has not been rated very high.
  • Network intrusion detection, and coordinated enterprise-wide approaches to it, have grown in importance because of both organizations’ increasing reliance on their networks and the persistent efforts of hackers to gain unauthorized access to information systems. The solution does not lie solely in technology but, as with the problems of wireless networks, in the adoption of security policies and procedures to detect unauthorized intrusions and deal with them in a timely manner.
  • IT integration In the collaborative world of e-business, the key role of IT lies in its ability to integrate operating systems, applications and databases to align with business opportunities and challenges quickly and flexibly. Much strategic planning for IT has focused on how to integrate supply chains. Technology tools have been developed to assist with this, and much effort has been expended on the related business process integration. IT integration continues to be a concern but, again, not a top one.
  • User authentication methods remain important because of security concerns with IT systems, and they are growing in complexity as more sophisticated technologies, such as biometric scans, come into use. The use of authentication techniques has expanded since the advent of e-business. Various encryption techniques are common and the use of biometrics is growing. For example, the IBM ThinkPad T42 laptop uses a fingerprint scanner to authenticate the user before granting access. It is likely such an approach will spread, perhaps even to debit cards and bank machines.
  • Secure e-business infrastructure involves a comprehensive view of the technologies, processes and structures required to enable e-business to function in a secure environment. The meaning of e-business infrastructure and what it takes to make it secure has not yet been clearly defined. An ITAC project to develop a definition is near completion. It is widely accepted that security must be planned and organized on an enterprise-wide basis because supply chain activities have been integrated using information systems and the Internet on an enterprise basis.

Some of the participants in a session at April’s CICA IT Conference in Toronto mentioned that board and executive awareness and implementation of policies and procedures regarding IT is also an important issue. It may be closely related to the overall issue of IT governance and control systems; however, participants felt there was a need to focus more clearly on this aspect. It may reflect a concern over the extent to which the board and management are truly aware of IT issues, and perhaps indicates that remedial steps, such as training or the release of awareness documents on particular issues, should be taken. For this reason, ITAC began releasing its series of publications and white papers.

Another issue suggested in our surveys is the use of smart cards for transactions, including payments. The use of smart cards has been less prevalent in North America than in Europe and Asia, but it is expected to spread in the next year or two. A high level of security is crucial for them to be safe to use, particularly for making payments.

Process and conclusions
ITAC follows a process to decide which issues to include in the list. This process has evolved year to year, but there are fundamental elements.

The committee looks for new or unique concerns that need to be resolved. The risk and control implications of a technology play a significant role. The speed with which a technology is introduced, the damage that could result from failure of the technology and the requirements of new legislation/regulations also enter into the decision-making process.

ITAC consulted with a wide range of members of the profession. It prepared a preliminary list of issues, derived from last year’s list, an ongoing list of potential projects and published materials of other groups. ITAC sought feedback from the CICA’s IT Alliance (whose members number about 400) and others from across Canada. Feedback was also obtained from many attendees at the CICA IT Audit, Governance and Security Conference.

Those surveyed were provided with the preliminary list and were asked to rank the items. They were also asked to add any issues they thought were important and to make comments. Approximately 50 replies were received.

The Information Technology Advisory Committee appreciates the profession’s input and responses to circulated forms. The feedback was very helpful. The committee hopes other members find this listing helpful in their work and ITAC is interested in further commentary that readers might like to provide. Comments may be sent to research.studies@cica.ca.


Gerald Trites, FA, CA•CISA, is professor of accounting and information systems at St. Francis Xavier University in Antigonish, NS. He is a member of and technical consultant for ITAC. Andrée Lavigne, CA, is a principal in the CICA’s Research Studies department.