Print Edition
      September 2008

Top 10 tech issues

By Gerald Trites & Andrée Lavigne
Illustration: Lasse Skarbövik

Every year CAs are consulted about their greatest technology concerns. Here’s a roundup of priorities facing the profession in 2008.

The Information Technology Advisory Committee of the Canadian Institute of Chartered Accountants conducts an annual survey of the most important IT issues facing the profession. While some topics such as privacy come up every year, and this year is no exception, the relative importance of several issues changes from survey to survey. This year IT skills is one such point. Companies across Canada are increasingly desperate for young people with IT skills, such as IT audit, data and security architecture and network skills, but they just cannot find them. Many questionnaire respondents this year noted this as a serious problem, the most serious of those listed in the survey. Accordingly, it has been ranked Canada’s No. 1 IT issue.

Top issues for 2008

  1. Availability of IT skills
  2. Privacy
  3. Outsourcing
  4. IT governance
  5. Information overload
  6. IT value
  7. IT controls awareness
  8. Social networking
  9. Green computing
  10. Data controls and assurance

Availability of IT skills
The late 20th century saw an unprecedented growth in the IT industry, particularly in Web-based companies. The industry produced many billionaires, lots of press and new jobs. In the early 2000s, however, the bubble burst and many of the upstart dot-com companies disappeared. So did many of the jobs in the industry.

Students watched this happening and stopped enrolling in IT programs in universities and community colleges. Enrolment declined dramatically and has not yet recovered.

In the meantime, after a short slump following the bubble, the need for IT talent began to rise. In 2007, for example, Computer World reported that demand for IT skills in Canada had risen by 17% in just one year.

Such trends combined with the retirement of boomers in the industry are the perfect ingredients for a storm: converging elements that produce exponential results.

The issue could have serious consequences, such as increased offshoring. If companies cannot find the talent in Canada, they will get it elsewhere. Shortage of skilled workers could also affect the ability of Canada to be innovative in the future, which is perhaps even more serious.

Respondents had several comments about the implications of this shortage and how companies should cope with it. Many pointed to the need for better IT training, within both institutions and companies. Some specialists in the IT controls field indicated that the CA syllabus needs to be further improved if we are to meet the market’s continued need in this area of practice for CAs. Retention of skilled staff is also an issue.

Others pointed out that because of the shortage of skilled IT people, those who have jobs in fields such as IT risk management must cover a much wider range of issues than they would if there were more IT people, perhaps at the expense of their core purpose. There is also the question of whether a single person can possibly cover such a wide range of duties competently. Of course, this also raises concerns of segregation of duties, which is a fundamental requirement of a well-controlled IT environment.

Respondents also mentioned that the shortage of IT workers will have a significant impact on the overall capability of all types of organizations to deliver IT services.

Privacy
Anxiety about privacy has dominated our survey almost since it began five years ago. Privacy is one of the most significant legislative requirements facing organizations. Moreover, identity theft continues to be a major problem and is closely related to privacy.

This year, however, the Personal Information Protection and Electronic Documents Act (PIPEDA), revised on March 3, 2006, was raised because the revisions introduced other issues people dealt with in 2007. For example, the act now identifies sanctions for reckless handling of data but does not define what this means.

Privacy issues have a large impact on managing IT. There is the need to safeguard the information from a legislative point of view (PIPEDA or the various privacy acts) as well as international implications (including foreign privacy laws) should data be stored outside the country. Privacy issues can be critical, for example, when the information deals with personal payment information.

Privacy is an ongoing major IT management issue and must be managed in conjunction with controls over confidentiality and security and policies about the release of information outside the organization.

Outsourcing
Outsourcing grew in the past year, and as indicated earlier, is likely to maintain this growth as the search for IT talent continues. It raises a number of points related to integrating IT operations from points around the globe, including standardization of processes, quality maintenance and cultural and legal differences.

It also involves the potential risk of loss of corporate data, making it necessary to ensure a high level of internal controls.

In some cases it is difficult for management and others to gain assurance about the existence and effectiveness of those controls. Also, there has been some confusion in the application of audit standards around the provision of services by third parties. Service organizations and assurance — CAS 402, Audit Considerations Relating to an Entity Using a Third Party Service Organization, and ISAE 3402, Assurance Reports on a Service Organization’s Controls, are new exposure drafts that hopefully will stabilize the area after replacing the current Canadian standard CICA 5970, Auditor’s Report on Controls at a Service Organization.

Perhaps as a reaction against the spread of their IT systems, some organizations are consolidating their systems by centralizing management. Consolidation allows for better controls at the data centre (such as UPS and temperature and humidity controls), reduces costs and improves security. Other organizations are moving to virtualization, which is a way of centralizing management and security and controls regardless of the physical architecture of the system. Accordingly, the process of outsourcing and the resultant spread of IT networks are leading to new management techniques.

Outsourcing involves offshoring, and some offshore teams have quality and staff turnover issues. System development projects in multicultural environments sometimes include communications, quality and testing issues. Moreover, ensuring compliance with local legislative requirements (such as PIPEDA) by offshoring service providers can be a challenge.

IT governance
Governance of IT systems was raised by several respondents as a major issue. Since IT has become a significant strategic element of most organizations, its management should be structured to recognize this importance. In many organizations there should be an IT vice-president and IT should be given appropriate consideration and time on the agendas of the board of directors and audit committees.

Several respondents suggested the need for an IT committee of the board to monitor the deployment of IT, the strategic implications, the costs and risks involved and particularly the alignment of IT strategy with corporate strategy.

Information overload
A major contributing factor to information overload mentioned by a number of respondents is the growth in usage and power of mobile devices such as BlackBerries and smart cellphones. Use of such devices means employees are bombarded with information, sometimes several times a day. It also means they are subjected to constant voice messages, e-mails and instant messages that they do not need but need to manage. More and more information is pushed to users of these devices expecting they will answer instantly, increasing their stress and preventing them from taking a break from work. This issue goes to the heart of an organization’s culture and is something that should be addressed.

IT value
What is the value of IT to an organization? While it is an important question, it is a difficult one to answer. Answering enables an organization to determine whether it is getting the expected value out of its systems or at least if it is receiving as much value as the cost involved. IT value is therefore closely related to governance. Determining IT value requires setting performance indicators, measuring results and evaluating performance. The necessary measures vary by organization and industry.

A focus on IT value is a way for an organization to stop the management of the IT department from being treated as a cost and services centre, which is the case in most companies. However, the cost-centre approach does not give recognition to IT as the major strategic force it is. The value comes from the extent to which IT enables an organization to meet its strategic goals or enhances the manner in which it does so.

IT controls awareness
Controls awareness attracted a lot of commentary from survey respondents. They noted the paramount importance of controls to the profession and the need for strong standards to support IT controls work. They indicated that strong IT controls awareness across the organization is necessary to achieve effective implementation of controls and make them work. As one respondent put it, it is people not computers that make the controls work.

While the number of regulatory reporting requirements has intensified over the past few years, it has taken a toll on finance, IT and systems professionals. Their awareness is higher than it has ever been, but this awareness has not always spread to other parts of the organization.

Many organizations are very concerned about the quality of their data and have spent a great deal of money to achieve good quality. However, good controls are fundamental to data quality, and this needs to be recognized. In short, there needs to be a recognition that IT controls are important to the business and are not just for the benefit of the IT department.

Social networking
This is the first year that social networking — use of tools such as Facebook, MySpace or LinkedIn — has made the list. There is a variety of sites available. Facebook and MySpace have grown primarily as places for teenagers and twentysomethings to chat, although they are used in varying degrees by most age groups. The younger generations, however, are rapidly bringing such tools into mainstream business. They go to such sites for jobs and potential employers increasingly search prospective employees’ Facebook sites for help when hiring. LinkedIn, on the other hand, is more geared to business and serves as a place to maintain contacts and business relationships. As it attracts a more sedate clientele, it is viewed as safer than many other sites.

It is not a surprise that social networking has made the list in view of the tremendous growth in the area and the publicity it has received. IT managers need to start preparing to deal with Web 2.0 technologies, such as wikis, blogs and social networking sites, because they are increasingly becoming part of people’s social lives, and people will expect to use them in the workplace.

There have been several situations during the past year where companies or personnel have been embarrassed by the release of information through social networking sites, and organizations need to implement policies to deal with the use of social networking. While some workplaces, such as Ontario’s provincial agencies, have banned it, this may not be a sustainable solution in the long term. Social networking is here to stay. The issues that need to be dealt with are privacy, confidentiality and information policy. Policies need to be developed and employees need to be trained on using social networking in a business context.

For certain organizations (government, health and military for example) there is a need to have clear policies on the types of information that can be disclosed. In addition, there is a need for policies on the potential liability from participation in social networking sites.

Social networking is part of the larger issue of acceptable use of technology. The line between work and personal life is blurring as people work from home or other locations. The technology is cheaper and the distinction between personal and professional networking is gradually disappearing. This is an issue of considerable long-term strategic importance.

Green computing
There are few areas that have not been affected by the green revolution. IT is no exception. The green computing movement includes adopting policies on such areas as power consumption, disposal of equipment, radiation control and printing controls.

The amount of power consumed by most networks is a small part of the total power used by the corporation, but it is a place to start and it is good from a security perspective to turn computers off when not in use. Disposal of old equipment has been a big concern for years. But as personal computers become cheaper, the issue keeps growing. On the positive side, laser printer cartridges are recycled and have been for years. CRT monitors are a focus of interest, as is the large number of old televisions hitting the local dumps. Hard drives are shredded for security reasons, which is a good way of getting rid of them. Radiation has been a subject of thought for years, but the effects of the radiation from computer equipment on people are uncertain and controversial, so little has happened in this area.

Overall, green computing is a new phenomenon and with the attention currently given to anything green, it is a sure bet that IT managers will devote more attention to it in the immediate future.

Data controls and assurance
Because of the growth of powerful handhelds and wireless systems, a key feature of modern IT systems is that data is on the move. This makes for a major change in the way controls need to be considered. There is a clear distinction between data in motion and data at rest. The latter is easier to control and can be handled by traditional controls over data centres and established traditional networks.

However, the portability of data means that security and controls must follow the data. Controls need to be devised in light of the travels of the data. If it is moving from a network to a BlackBerry, then the controls must ensure that the data is transferred securely. If the data remains in the BlackBerry, controls need to include policies about retaining data on mobile handhelds and other units. USB drives are another major source of concern, as they can be lost easily and might contain sensitive data.

One respondent put it this way: “As organizations try to keep control over their data assets, they will need to place and enforce greater controls over access to their data [be it on their infrastructure or another organization’s].” There are various methods of “slurping” data from organizations, including iPods, USB drives and sky drives (e.g., Microsoft currently offers five gigabytes of free online storage). Large amounts of data can be copied using these means, and the controls need to cover all the possibilities — at least those that pose a serious risk.

This issue essentially becomes one of infrastructure management. The constant changes in infrastructure have long been a problem, but recently, the growth of new ways to copy and store data on new units has greatly exacerbated the problem.

Methodology and conclusions
For the second year, ITAC established a framework for conducting its survey. The committee identified 10 major IT areas of interest and asked respondents to indicate, for each, the most significant issue they think should be included in the list for 2008. For each IT area of interest, a number of issues were already identified. People were asked to pick one and indicate why it is a significant issue or, if the issue they believe is most significant was not listed, to describe it and give the reason why.

Numerous responses were received from highly experienced people in the IT area, thanks to the help of associates of ITAC members, the CICA IT alliance and members of the Toronto chapter of ISACA. The result is a list of top issues that points to the way in which so many of the top issues are interrelated and therefore require coordinated approaches to their resolution.


Gerald Trites, FCA, CA•CISA/IT, is an information systems consultant, writer and researcher. He is a member of and technical consultant for ITAC. Andrée Lavigne, CA, is a principal in the CICA’s research studies department.