ITAC annually consults with the profession to learn what its greatest concerns are. Here’s a roundup of priorities facing CAs this year
By Robert Parker
Photography: Ryan Snook
This year’s Top 10 Technologies Survey provides a contrast between old and new technologies and their impact on business. Of the 21 questions posed to respondents, 10 dealt with old technologies or issues — those well within everyone’s comfort zone. The other 11 dealt with newer, more technologically complex issues. While ultimately these newer technologies may be equally challenging to business, their lower ranking could be the result of respondents’ limited adoption or unfamiliarity with the risks, requirements and responsibilities associated with them. In performing an analysis of the top 10 technology issues, newer technologies and their impact on business were considered and were addressed within the context of the more established issues. Where percentages are provided, they refer to the responses within a particular category. This year, the top ranked issue was compliance requirements.
1. Dealing with compliance requirements
During the past 10 years, businesses have been confronted with increasing legislative and regulatory controls and reporting requirements. Added to these are the ever-changing standards — from technology requirements and business standards to financial reporting. One only has to consider the new payment card industry requirements, privacy and health privacy legislation, Basel II requirements for financial institutions and the coming international financial reporting standards to understand the scope and impact of these changes.
Changes in legislation, regulations or business practices usually mean changes in application software and related databases. These standards require new policies and procedures, new ways of doing business and training for employees. They also require changes to processes and technologies to ensure effective compliance. Such changes must be analyzed, planned, staffed, scheduled, completed, tested and implemented within strict time frames. IT departments, stretched with operational issues and frequently with shrinking budgets, must deal with the plethora of changes.
As a result, organizations might come up with solutions that trade off the long-term efficiency and effectiveness of structure, formality and control with simplified or ad hoc processes that are quicker and cheaper to implement. For example, some Canadian companies that had to become Sarbanes-Oxley compliant resorted to spreadsheets and other ad hoc solutions to document controls and compliance because modifying existing systems or developing new ones to monitor such compliance was too onerous and too time-consuming to meet the reporting deadlines. However, it is generally agreed that spreadsheets lack the rigour and discipline of professionally developed applications; lack quality processes for maintenance; and lack adequate controls for use and security. Their sustainability and control over time become increasingly difficult. Therefore, reliance on spreadsheets and ad hoc processes may not consistently meet the requirements of certain regulatory bodies. Further, their use may increase the risk of reporting inaccurate or misleading compliance information.
Businesses operating in multiple jurisdictions have been extremely hard hit as they must comply with multiple, sometimes conflicting, legislative and regulatory requirements. One example is privacy legislation where one jurisdiction may adopt legislation that establishes a “high watermark” that may create public expectations that similar practices are enforced in all jurisdictions. For example, the transparency requirements for privacy breach notification initially adopted by California in 2003 are now seen as a privacy best practice. Such practices may result in additional costs for business.
To meet the terms of the changes within the established deadlines, businesses must address legislative and regulatory compliance in an efficient and effective manner. Techniques such as treating compliance as a portfolio and establishing baselines based on common security, control or reporting requirements and then addressing the unique aspects of specific legislation and regulations separately are gaining acceptance. So too are practices to monitor changes in legislation, regulations and court cases to ensure the organizations’ practices reflect current requirements or public expectations.
2. Impact of the recession
The recession, which the global economy is starting to emerge from, meant that many businesses had to restructure and resize to reduce costs in the face of declining revenues. This resulted in reorganization and combining roles and responsibilities, making it challenging to ensure effective separation of duties and responsibilities. (The ability to maintain effective controls was reported as an issue by 60.9% of respondents in this category.)
Clearly, businesses are suffering due to the recession. However, cutting corners and reducing expenditures on security and control may increase an organization’s exposure to both internal and cyber threats.
Businesses have been looking at new technologies, such as virtualization, service-oriented architectures and cloud computing in its many forms — storage, processing and infrastructure — to achieve efficiencies and control costs.
The recession also led to employee buy-outs and early retirements. While such moves reduced staffing costs, they also reduced or eliminated corporate history, particularly in IT departments, where knowledge of the business, its related business processes and the systems, applications, data and technologies that support them is essential to ensuring effective use and continued availability of information technology.
The recession has had other unpleasant side effects — an increased risk of fraud, external and internal, and increased malicious activity. A 2009 survey by Ernst & Young LLP indicated that 75% of companies surveyed were afraid of reprisals from disgruntled ex-employees and were focusing on data loss prevention, in some cases even ranking it more important than regulatory compliance.
According to a Panda Security survey published in USA Today, many US businesses lacked basic cyber security with 52% lacking web filtering, 39% lacking threat training, 29% lacking anti-spam, 22% lacking anti-spyware and 16% lacking a firewall.
The recession has had far-ranging impacts on businesses, particularly through the downsizing and cost-cutting initiatives that affected IT departments. While such measures may be needed to survive, businesses must ensure their actions do not weaken the IT control structure and expose the organization to further risk.
3. Information management
Information management involves the collection and management of information from one or more sources and the distribution of that information to one or more audiences. It is about the information lifecycle and involves collection, processing, use, storage, retention, retrieval, sharing and destruction. Information management impacts those who have a stake in, or a right to, that information. It includes the organization of and control over the structure, processing and delivery of information.
Many organizations are struggling with the basic fundamentals of information management, including identifying ownership, responsibility, accountability and uses of information, all necessary components in ensuring the quality and integrity of information.
Reorganizations and downsizing resulted in many businesses struggling to rationalize business processes and systems, including integrating disparate systems while ensuring continued adequacy of security and control. In this category, 60.9% of respondents expressed concerns over ensuring adequate controls when integrating systems and 56.5% expressed concerns over data loss prevention initiatives. These were followed by concerns over maintaining data integrity, dealing with data overload and the need for increased protection such as encryption of data.
One aspect of information management gaining prominence is data quality, which includes completeness, accuracy, timeliness, relevance, appropriateness, availability, maintainability and security. Increased use of data for business intelligence, increased information sharing and stricter accuracy requirements have raised the importance of data quality.
Increasingly, the value of information is driving the need to protect it. Business intelligence, the harvesting of information, is considered an essential element of understanding the business and its customers. Accordingly, businesses must ensure that information is effectively managed, protected, maintained and available when required. The introduction of an information management program is the first step that businesses should consider in managing the organization’s intellectual capital.
4. Public trust
There is a growing unease about the systems and applications of organizations. Customers and stakeholders are concerned that the use of technology lacks robust security and controls and may expose them to such risks as data theft, identity theft, credit card fraud, privacy breaches and other compromises.
Identity theft — which involves impersonating any person, living or dead, with the intent to gain an advantage, to obtain property or an interest in property, or cause disadvantage to the impersonated individual or another individual — is increasing annually. People expect their personal information will be protected while entrusted to a business and will not be compromised. This trust requires that businesses take measures to meet the public’s expectations. Privacy legislation is designed to protect personal information and requires that organizations take steps to ensure an appropriate level of protection.
Increasingly, businesses that share information with partners are required to have protocols in place to ensure the security and integrity of shared information, particularly personal information, and ensure the rights of organizations to share that information.
Thanks to US transparency requirements, the public is aware of security breaches involving personal information, some of it on Canadian residents. While Canada has no such sweeping transparency requirements, there is public concern. Such concerns are exacerbated by fears of viruses, Trojan horses, key loggers, phishing and pharming attacks all designed to compromise systems, their users and the information they process.
In a study by McAfee Avert Labs, 135,000 new pieces of malware were identified in 2007; by the end of 2008, 1.5 million pieces of malware were identified, or 3,500 pieces of malware each day. This trend continued in 2009, resulting in business paying increased attention and incurring costs to protect computer systems and networks.
Technology affords businesses many advantages but also creates risks and obligations. Businesses must address the public’s concern by ensuring the integrity and protection of information, the quality of the processes and controls surrounding that information and they must effectively manage their information resources.
5. Emerging technologies
New technologies create opportunities and risks. An enterprise risk management program that monitors each initiative, including the technology required to support it, should be in place to ensure that, prior to implementation, the risks of introducing the technology are well understood and accepted.
One technology identified as a concern was cloud computing. It is the use of the Internet and virtualization concepts to create an environment in which the infrastructure, applications, data and security are provided by resources residing on the Internet. Depending on the nature of the cloud, users can’t identify and/or predefine the transmission paths, processing sites and storage locations. Data placed in the cloud may or may not be encrypted, depending on the user.
The concerns include data availability, data recovery, legislative concerns over offshoring of personal information (particularly personal health information) and ownership, to name a few. Cloud users are worried about where data is located, the robustness of controls over data in that location and the availability of that data, particularly when needed for continuity of operations.
Social networks such as Facebook, Twitter and LinkedIn, as well as the more focused Classmates.com and MyLife, are increasingly used in business environments, to a limited extent by the business and to a greater extent by employees for personal reasons. Staff time and the posting of business information are key concerns.
A 2010 UK study revealed that 61% of IT decision-makers see the security threat of social media use by staff as their biggest concern. Further, 55% of employees surveyed admitted to downloading software from the Internet to a corporate computer. Almost half, 48%, of those downloads were not work related. And 58% of staff admitted to posting company information on social media. While these are UK statistics, there’s no reason to doubt that similar situations exist in Canadian businesses.
Many organizations lack effective policies, procedures and tools to deal with the use of these technologies or to effectively monitor their use. In the survey, 73% of respondents said they have strict policies around the use of social media and 89% have policies over Internet downloads; however, the study showed that one in three were unsure these were being adhered to.
Another area of concern is bring your own technology (BYOT). Employees are using personal technology such as home computers, BlackBerrys, iPhones, etc., for business activities such as checking and sending e-mail, scheduling meetings, responding to questions, conducting business-related searches or accessing proprietary business information. Current environments may lack the security and control software needed to prevent the use of BYOT, or to protect against unauthorized access to and use of business information and resources through these devices.
Also, 45.5% of respondents expressed concern over the use of computer-on-a-stick systems and USB memory.
Organizations should establish procedures to monitor new technologies and assess the opportunities and risks. An IT risk management program, integrated with the entity-level enterprise risk management program, would provide an ongoing assessment of such impacts and provide management with valuable information for use in an IT governance program.
6. Collaborative — extended enterprises
Businesses are increasingly providing other organizations with portals and gateways to information to increase interoperability and enhance efficiency. In some cases, end users may not know that by accessing a business website they can be directed to a different business or offshore site where information may be stored or transactions processed.
Such interoperability requires changes in systems development, particularly where diverse environments are involved. It also raises issues of intellectual property management as well as creating and maintaining a legally compliant environment, particularly where personal information is involved.
There is also concern over the lack of hands-on knowledge of the complete environment and the need to rely on third-party reports on the design and operational effectiveness of security and control in environments operated by business partners.
The issues with collaborative and extended enterprises illustrate the need for organizations to articulate their IT strategy and define their security, control, service level, reporting and business continuity expectations to suppliers, vendors and business partners. There is also a need for effective monitoring and escalation procedures in order to avoid delays in addressing problems.
7. Infrastructure
Infrastructure is not just the computers, networks, application and system software, utility programs and devices that reside in an organization’s data centre. It includes any device that can be attached physically or electronically to an organization’s technology infrastructure.
Portability of data was identified as a concern by 70% of the respondents. More sophisticated devices are coming on the market almost daily. They can store gigabytes of data in seconds and fit into a pocket. These devices are a concern because of version control, location of data and information integrity and management as well as legal and regulatory issues, particularly where personal information is concerned.
While some newer USB memory devices offer increased protection through the use of encryption and passwords, many organizations have yet to adopt them. Other USB connected devices offer increased storage, up to a terabyte, thereby having the ability to store considerable business information. Additional risks are posed when the devices are attached to PCs that are on an organization’s network and employees have access to business resources and information.
MP3 players, digital cameras and phones can be attached to networks through PCs and provide another source of memory to download and record information from business networks.
The CICA’s Information Technology Advisory Committee (ITAC) issued a white paper on data centric security that addresses the issues around forming a security policy that focuses on the data itself, whether at rest or in motion, and emphasizes the use of data encryption to provide additional security.
In this category, 55% of the respondents identified wireless communications as a concern, because of the possibility of adding devices and users through a single authorized user without the knowledge and consent of the organization.
A similar percentage identified software currency as an infrastructure concern. Organizations are exposed to new software and new versions of existing software. While early adoption may not be the best strategy, those who use existing software long after new products have been introduced run the risk of diminished or no vendor support, leaving the organization to seek a source other than the vendor. This may not always be possible.
8. IT governance
Governance is about alignment and value: alignment of the IT department’s goals and activities with those of the enterprise, and value in investing in the right projects, using the right technology and having the appropriate skills. Value is about achieving the most by using appropriate but not excessive resources.
IT governance consists of the leadership and organizational structures and processes that ensure the organization’s IT sustains and extends its strategy and objectives. As such, it involves boards of directors and audit committees, supported by senior and line management.
In addition to the lack of effective IT governance activities, the lack of awareness of IT governance issues at the board and audit committee level was an issue (47.1% cited poor alignment of IT initiatives with the organization’s strategy).
IT governance activities can improve the entity’s use of IT in support of the organization’s goals and objectives. They can change the use of IT from a supporting role to that of an enabler of new strategies and services, such as online auctions, travel services or merchandise sales.
9. IT resources and skills
In 2008, availability of IT skills ranked No. 1. In 2009, it had dropped to No. 10. This may be because of the recession and its effect in cancelling or delaying IT projects, together with the downsizing undertaken by many organizations. Its slightly improved ranking this year could be attributed to the improving economy. As the economy improves and IT projects are restarted, businesses will likely see the skills and staff shortages so prevalent before the recession rise in importance once again.
This concern illustrates a number of interrelated issues. First is the availability of qualified resources. The recession, preceded by the rush to outsourcing in the late 1990s and the early years of this decade, left many believing there were few jobs in IT. Those who pursued an IT education focused on Internet-based services, LAN support and help-desk services, leaving few to undertake the more rigorous tasks of business analysis, large system development and support, and maintaining large, complex systems.
While many organizations migrated processing to smaller platforms, there still is a need for skilled IT staff to address business issues, offer business solutions, design and support user-defined requirements and design and develop required software.
Many organizations have implemented packaged software, some very sophisticated such as enterprise resource planning systems. However, these usually require significant customization through software options and/or user exits to effectively support the business processes.
The need exists for IT professionals who understand technology and business issues and can communicate technology issues with the business to ensure that needs are adequately supported. Perhaps businesses, similar to the approach used by public accounting firms, will have to create in-house training programs to teach graduates the requirements of their industry and the technology and software used.
10. Knowledge management
Closely related to No. 9 is the area of knowledge management. Respondents indicated that as workers retire, organizations need a program to capture the corporate history and that of the key systems, applications and business processes to enable continuity of operations and support. Also, 64.7% expressed concern that the loss of skilled workers will require hiring and training programs to transfer the knowledge and skills the organization loses when employees retire. Further, 58.8% expressed concern over the concentration of knowledge, whether in key employees or supplier organizations, which must be managed in order not to expose the organization to loss of the ability to maintain operations and support the systems and applications that enable business processes. Organizations must be careful that when they outsource business processes they do not also outsource business knowledge and experience.
Respondents also recognized the value of such business information as budgets, forecasts, product procurements, technology advances and adaptations, which could alert a competitor to future plans. Copyright, patent and ownership of intellectual property were also of concern, especially when outsourcing operations or information processing.
Methodology and conclusions
ITAC established a framework for conducting the survey. It identified areas of IT interest and asked respondents to select and rank their top 10. Within the selected items, respondents were asked to rank a number of issues they thought significant.
A wide variety of responses were received, reflecting the diversity of organizations, IT environments and their level of maturity in addressing emerging technologies. ITAC would like to thank its members, the CICA IT alliance and members of the Toronto chapter of the ISACA for their support.
The top 10 technologies indicate the interrelation of the categories and their impact on businesses in Canada. Where organizations do not have a technology solution they will have to increase reliance on individual staff performance. Accordingly, attention will have to be paid to training and increased monitoring of employees’ actions, which require policies and procedures to address the 21st-century environment.
In creating an open and ever-expanding technology environment, we have inadvertently opened the door and increased risks to business. Enterprise risk management, proactive risk assessment and effective risk management solutions are needed to ensure the benefits of new technologies are not lost through compromises to technology and information.
Robert Parker, MBA, FCA, CA•CISA, CMC, is a retired Deloitte & Touche partner, past international president of ISACA, currently on its frameworks committee, and is the primary architect of its IT assurance framework. He also serves on CICA ITAC