September 2006 — PRINT EDITION    
Top Tech issues

By Gerald Trites & Andrée Lavigne
Illustration: John Ueland

Every year ITAC consults with CAs regarding technology concerns. And, as always, here is its list of priorities facing the profession.

Information technology security and controls issues permeated the news last year. And identity theft and phishing e-mail were a growing threat. Phishing is when an e-mail falsely claiming to be a legitimate enterprise is sent in an attempt to scam the receiver into disclosing private information. It tries to draw Internet users into a phony website, replicating one the user deals with and trusts, for example, a bank or store, and then asks for his or her personal information. For example, last December, Wal-Mart customers received an e-mail message claiming their logon account had been compromised. When clicking the link within the e-mail, clients were directed to a website hosted in the US. The fraudulent site first requested the user’s logon ID for www.walmart.com and then requested credit card information and other personal specifics. The information was then used for nefarious purposes. A recent survey by the Anti-Phishing Working Group showed such activity to be on the rise and reaching alarming rates.

Again this year, the CICA’s Information Technology Advisory Committee (ITAC) consulted with the profession about their top technology issues in order to report on the results in CAmagazine to draw attention to those issues of importance to members of the profession.

Changes made each year result from significant events that have occurred during the year. This year, the list starts with two issues that arose out of the Sarbanes-Oxley Act and the investor confidence rules, showing the considerable impact they continue to have on the profession even though they were put into place over the period since 2002. The issues (please see below) appear in the order of importance they were assigned as a result of the consultative process.

SOX has been called the most significant piece of securities legislation since the Securities Act of 1934 that established the US Securities and Exchange Commission. Certainly, it has transformed corporate governance in the US and its effects have rippled around the world.

Many Canadian companies trade on the US exchanges and as such must comply with SOX. In addition, in 2004, the Canadian Securities Administrators (CSA) released investor confidence rules, which parallel the SOX requirements, for Canadian companies. The requirements of both are stiff and include the need for CEOs and CFOs of companies to sign off on internal controls, which include IT controls.

Moreover, new auditing standards effective this year require the auditor to obtain an understanding of the information system, including the related business processes relevant to financial reporting, of control activities to assess the risks of material misstatement at the assertion level and of the entity’s response to risks arising from IT.

To comply with the new standards and regulatory requirements, companies are stretched to gain an understanding of their control systems and have had to find ways to evaluate them. This has strained the resources of many companies. Moreover, the accounting profession is faced with a major change; as controls have not played such a significant role in auditing for many years, the number of professionals versed in the use of controls is not sufficient to meet the new demand. The number of professionals versed in the intricacies of IT controls is and has been even lower.

This situation has led to our first two technology issues for 2006.

The need for improved IT systems controls expertise in the profession and the need for tools to help with compliance with the investor confidence rules and SOX. The second issue arises because the new rules and legislation refer to the use of appropriate frameworks in assessing control systems. Generally, the major source of reference is the US Committee of Sponsoring Organizations of the Treadway Commission, which has issued a report on control systems setting out a useful framework. However, the COSO report doesn’t deal with the issue of IT controls. To fill the gap, reference is being made to the CoBIT framework of the Information Systems and Control Association and to the CICA publication “Information Technology Control Guidelines.” There is a need for good automated tools that facilitate the use of these frameworks in analyzing systems and thus enable compliance with the new rules and legislation.

Management of e-mail is the third major issue facing the profession. People use e-mail for business transactions and, in the event of legal action, the ability to locate and retrieve messages could be crucial to an effective defence. Many organizations simply have not implemented adequate retention, management and control policies for e-mail messages and attachments, leaving e-mail management to the preferences and needs of individual employees. Such informal approaches to e-mail management are not adequate, especially with the growing volume of spam. The use of spyware and anti-virus measures is closely related to this issue. Spyware is software designed to identify cookies and small tracking tools placed by websites on a user’s computer for the purpose of gathering information about Internet usage.

User authentication methods, because of continuing security concerns about IT systems, continue to be important and have been increasing in complexity with the use of sophisticated technologies such as biometric scans. Since the advent of e-business, the use of authentication techniques has expanded to include encryption techniques to produce digital signatures and certificates. This includes use of public key infrastructures, because the public/private key pairs used for encryption are often stored and managed within such structures.

IT outsourcing has become common in business, and international outsourcing of IT services gives the perception that jobs are being lost to other countries. There are significant management issues connected with outsourcing — both IT and non-IT. IT outsourcing means certain processes, such as programming and selected automated processes, can be passed on to others; however, responsibility for those processes and their outcomes can’t be passed along. Management must adopt measures to ensure their responsibilities continue to be discharged. In addition, compliance with SOX requirements that management attest to internal control systems can be difficult to establish when part of or all the systems are outsourced.

Information privacy/identity theft has been of foremost concern for many people and organizations since the federal Personal Information Protection and Electronic Documents Act and similar provincial legislation came into effect. Part of the issue has been compliance with the legislation. The incidence of identity theft, however, has been growing rapidly and, with this growth, concern. The Anti-Phishing Working Group’s report for December 2005 showed 15,244 reports of phishing in that month alone. It also reported the existence of 7,197 phishing sites.

Secure e-business infrastructure involves a comprehensive view of the technologies, processes and structures required to enable e-business to function in a secure environment. Security must be planned and organized on an enterprise-wide basis. E-business has meant that businesses have integrated their supply-chain activities using enterprise technologies and the Internet. Most businesses are facing these challenges and must implement their security in a way that the business integration necessary to compete in an e-business world is supported and not compromised by security procedures.

Disaster recovery planning has been an important issue since computers were first used in business, and because information systems have assumed a critical importance in many organizations, it won’t go away. The devastation that can erupt when systems go down can threaten the profitability and even the viability of the business. Recent terrorist attacks and extreme weather events, such as hurricanes, have also reminded businesses of how important it is to undertake appropriate disaster recovery planning as well as to implement and monitor related business recovery procedures.

Wireless systems security and control has grown in importance as an issue because of the increase in the use of handheld wireless devices such as BlackBerries. Wireless includes cellphones, wireless local area networks and an assortment of special purpose devices. WLANs, particularly those using the 802.11b protocol known as WiFi, are frequently used in business. There are security issues around these other devices as well.

Network intrusion detection and coordinated enterprise-wide approaches to this issue have been increased by the growing reliance on networks by organizations and by the persistent efforts of hackers to gain unauthorized access to information systems. The answer to these problems does not lie solely in technology, but, as it does with problems of wireless networks, in the adoption of security policies and procedures that make it possible to detect unauthorized intrusions and deal with them in a timely manner. Some organizations engage professionals to break into their systems — known as ethical hacking or penetration testing engagements — in order to identify weaknesses in the organizations’ systems.

Other issues

In addition to these 10 issues, during discussion others were also identified and warrant a mention. They include:

Patch management has been a growing issue as many vendors now make available updates to their software by way of Internet downloads, and these updates or patches can be downloaded and installed by many in the organization. This can cause confusion and result in unstable systems where proper control over the installation of patches is not maintained.

Voice over Internet Protocol, the technology that allows voice to be transmitted over the Internet, presents security concerns that must be addressed by the organizations that are adopting it. One such concern is that of spam over Internet telephony. SPIT could undermine the very viability of VoIP-based telephone systems if it is not addressed. Many are aware of the problems caused by having, for example, 25 spam messages in their e-mail. Imagine having 25 SPIT messages in your voice mail. It would take a lot longer to go through them. Although current versions of VoIP can result in telephone calls not up to the standard consumers are used to, the technology will likely improve quickly. Adoption of VoIP by major telephone providers, such as Bell Canada, means it will be used more and its potential to reduce the cost of calls will further encourage its use.

The need for systems and data integration includes the need to use integrative applications (such as enterprise systems) and integrative technologies (such as XML and XBRL). A good example of the tagging methodology being adopted by the SEC and other regulators is eXtensible business reporting language, which provides the capacity to tag, retrieve and report individual or grouped data items.

Business intelligence is a major aspect of e-business for many organizations. It is the process of enterprise-wide gathering and management of information to achieve strategic advantage or maintain strategic position. BI is an ongoing challenge for many organizations. Various BI solutions are offered in the marketplace, and many enterprises have installed such software in recent years. However, effective BI involves extensive planning to identify information needed, the sources of that information, channels for its delivery and its timely analysis and presentation for decision-making purposes. The issues with BI that cause the most difficulty are, as in many large-scale technology installations, with how people adapt to change in order to maximize the benefits of the new technologies. This is currently the central BI issue for most organizations.

Radio frequency identification (RFID) usage is growing dramatically. It began as a way to tag inventories of parts and other goods to give greater control over stock movements and prevent stockouts. It has expanded into a more pervasive technology that is used to monitor parts within various products. Researchers have found it is possible to place a computer virus onto an RFID tag, which could have significant implications. For example, international airports may soon use RFID tags attached to luggage to speed up the baggage handling process. If an infected RFID tag were attached to a piece of luggage, it could turn the entire system into chaos. Adequate controls and security procedures are therefore a significant issue when implementing systems using RFID technology.

Digital rights management is a set of procedures that comprise an organized approach to the protection of intellectual digital property. It can include copyright protection, patent protection and control over any unauthorized use of digital property. The growth in technology and the intellectual property that accompanies it can be a strategic advantage for a company; therefore better management of digital rights is an important element of corporate strategy.

Process and conclusions

ITAC follows a process to help it decide which issues to include in the list. Although this process has evolved from year to year, there are some fundamental elements. The committee looks for new or unique issues that still need to be resolved. The risk and control implications of a technology play a significant role. Factors such as the speed with which a technology is introduced, the damage that could result from failure of the technology and the requirements of significant new legislation or regulations also enter into the decision-making process.

ITAC consulted with members of the profession. It prepared a preliminary list of issues derived from last year’s list, its own ongoing list of potential projects and from published materials of other groups. The committee then sought feedback from the CICA’s IT Alliance and others from across Canada. Feedback was obtained from several of the attendees at the CICA IT Audit, Governance and Security Conference held last spring in Toronto. All those surveyed were provided with a preliminary list and were asked to rank the items on it. They were also asked to add issues they thought important and to provide additional comments.

ITAC appreciates the profession’s input and responses to circulated forms. The feedback was very helpful. The committee hopes other members of the profession find this listing helpful in their work and ITAC is interested in further commentary that readers would like to provide. Comments may be sent to www.research.studies@cica.ca.

Top technology issues 2006

  1. Need for improved IT systems expertise
  2. Need for tools to help with SOX
  3. Management of e-mail
  4. User authentication methods
  5. IT outsourcing
  6. Information privacy/identity theft
  7. Secure e-business infrastructure
  8. Disaster recovery planning
  9. Wireless systems security and control
  10. Network intrusion detection

Gerald Trites, FCA, CA•CISA/IT, is professor of accounting and information systems at St. Francis Xavier University in Antigonish, NS. He is a member of and technical consultant for ITAC. Andrée Lavigne, CA, is a principal in the CICA’s research studies department.