September 2007 — PRINT EDITION    
Top ten tech issues

By Gerald Trites & Andrée Lavigne
Illustration: Lasse Skarbövike

Every year ITAC consults with the profession to find out what it is most concerned about, and this year is no different. Here’s a roundup of the priorities facing CAs.

What’s a slimeball? Everyone has his or her own definition, and that includes those in the world of technology. Sometimes called “typosquatting,” slimeball involves the purchase of a URL with a name similar to that of a well-known company or organization. The intention is that people will mistype a popular domain name and land on the look-alike site, which then captures advertising revenue from the visit. It’s a form of cybersquatting, and incidents of slimeballing are on the rise. According to the World Intellectual Property Organization, cybersquatting disputes in 2006 increased by 25% compared with 2005.

This is the latest of many scams plaguing the world of e-business and technology in general.
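To make the typosquatting mechanism concrete, here is an added example (not from the article) that flags domains resembling a brand’s domain, the kind of check a defender might run over referrer logs or a feed of newly registered names; the domain list and the `example.com` brand are constructed placeholders.

```python
from typing import List, Optional, Tuple

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one insert, delete, substitute or
    adjacent swap counts as one edit, i.e. one slip of the fingers."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def second_level_label(domain: str) -> str:
    """'www.example.com' -> 'example' (naive: ignores multi-part public suffixes)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(candidate: str, brand: str) -> Optional[str]:
    """Return why candidate resembles brand, or None if it is unrelated or our own."""
    candidate, brand = candidate.lower().rstrip("."), brand.lower().rstrip(".")
    if candidate == brand or candidate.endswith("." + brand):
        return None  # the brand itself or one of its own subdomains
    cand_label, brand_label = second_level_label(candidate), second_level_label(brand)
    if cand_label == brand_label:
        return "same name, different TLD"
    if damerau_levenshtein(cand_label, brand_label) == 1:
        return "one keystroke away"
    if brand_label in cand_label:
        return "brand name embedded"
    return None

def flag_lookalikes(domains: List[str], brand: str) -> List[Tuple[str, str]]:
    """Keep only the domains that resemble the brand, paired with the reason."""
    return [(d, r) for d in domains if (r := classify(d, brand))]

# Constructed sample: domains as they might appear in a referrer log or a
# new-registration feed; "example.com" stands in for the protected brand.
SEEN_DOMAINS = ["example.com", "www.example.com", "exmaple.com", "examp1e.com",
                "example.net", "example-login.com", "unrelated.org"]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(SEEN_DOMAINS, "example.com"):
        print(f"{domain:20} {reason}")
```

Hits from a run like this are leads for a registrar complaint or a dispute filing, not proof of bad intent, so each should be reviewed by a person.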

The Information Technology Advisory Committee of the Canadian Institute of Chartered Accountants conducts an annual survey of the most important issues facing the profession in this area. Each year, new issues such as slimeball crop up. And every year, themes related to identity theft and privacy have been at or near the top of the list. This year is no exception.

There were several incidents related to identity theft resulting from the loss of private data about individuals. In January, TJX Co. of the US announced that credit-card data of millions of Canadians who had shopped at Winners and HomeSense stores had been stolen. Within days, there were reports of identity theft in Massachusetts directly related to the TJX data. At the same time, the CIBC admitted that the personal data of 470,000 Talvest Mutual Fund customers had been lost. And in March, Toronto’s Hospital for Sick Children had a laptop stolen. It contained private data on 2,900 patients, spurring calls for more safeguards by Ontario’s privacy commissioner. There have been numerous other incidents, which were widely reported in the press.

Identity theft is a very serious matter, causing the victims considerable anxiety and, often, financial loss. But there are other important issues as well.

The top 10 IT issues for 2007

  1. Wireless connectivity
  2. Attestation of IT controls
  3. Privacy
  4. IT resources/skills
  5. Offshoring
  6. Effective IT leadership
  7. Data ownership and integrity
  8. Public trust
  9. Service organization assurance
  10. Legislative fatigue

Wireless connectivity
Wireless networks and wireless devices such as the BlackBerry, Smart phones and even regular cellphones have grown in usage and in data capability during the past year. Wireless mobile devices have also enabled organizations to communicate voice, text, file and image information instantaneously, which has advantages but expands the types of data conveyed and greatly complicates data integrity issues. The use of such devices has effectively expanded corporate networks, leading to what some have called undefined networks.

Security over wireless technology is a critical issue as companies and their personnel continue to deploy such infrastructure. One reason for the problem is that the new wireless devices are often not owned by the company, making the management of security difficult. The concern is loss of data, loss of data integrity and data theft. The lines of accountability are gray in this environment: organizations have difficulty determining where the responsibility for data integrity and security starts and where it stops.

Attestation of IT controls
Controls reporting has taken a heavy toll on management in many organizations. The view was expressed by respondents that current assurance standards do not adequately address the needs of business to attest to the existence and effectiveness of relevant IT controls. Just as investors and business owners require audited financial statements, there is a need for audited information processing controls.

Some of the new technologies and management techniques are making the control of IT processes more difficult. Service-oriented architecture (SOA) is a good example of a management technique in that category because of the extent to which companies are adopting it as part of their infrastructure. The concern is that companies may implement SOA projects without fully understanding the control impact and associated business risks.

An example of a technology that has huge undefined control risks is Voice over Internet Protocol (VoIP). This popular technology is being implemented extensively and given that the risks of hacking extend to communications, we will likely see incidents in 2007 involving VoIP that have not been dealt with in risk and control considerations.

Finally, controls over processes outsourced or offshore are an important issue. In the words of one respondent, “There are many risks associated with outsourcing, the accountability of which rests with the organization, not the service provider. There is not sufficient professional or business direction available to enable business management to design and operate effective controls to exercise accountability and manage all the aspects of outsourcing.”

These factors not only make it difficult to attest to controls, they even make it difficult to identify the risks on which controls must be based.

Privacy
Closely related to the issues around security and controls is that of privacy. Information cannot be kept private if there are no proper controls to prevent unauthorized access to that information. Privacy standards require collecting only information needed for a specified purpose and then maintaining its integrity, to keep it out of the hands of identity thieves and fraudsters.

Compliance with privacy legislation is a growing issue, particularly since companies are expanding globally and are subject to the privacy legislation of many jurisdictions around the world. Legislation varies tremendously, and it is often a major challenge to understand the requirements, develop the systems to ensure compliance and keep up to date with changes in the requirements.

IT resources/skills
Changes in the workforce are exacerbating the difficulty of obtaining skilled employees to manage and administer IT systems. Those who are retiring are difficult to replace as there is a shortage of young people with the required skills. There appears to be a skills shortage in many areas. As one respondent said, “It is difficult to do succession planning due to the shortage of seasoned professionals in the finance systems area [in particular in financial/regulatory reporting in the banking industry].” Another respondent pointed out that CIO skills (strategy, planning, business relationships, technical solutions to business needs) are extremely hard to find.

Retirements cause other types of problems. Every organization has employees who are the “go to” people because of their experience. They are the repository of the organization’s corporate history and knowledge, and when they leave, they leave a gap in institutional memory.

The skills shortage has led directly to more outsourcing of systems functions, which leads to its own difficulties. Companies can outsource functions but not responsibilities. They often find it hard to maintain and monitor quality of service in outsourced situations, particularly when the outsourcing is done offshore.

The requirements of Sarbanes-Oxley and the Canadian Investor Confidence rules are adding to the pressure. This pressure will intensify if the requirements are expanded to include the evaluation of the effectiveness of internal control over financial reporting.

The solutions appear to lie in better succession planning, hiring retirees as consultants for transition periods and better education at the university level about technologies needed in business and about information systems generally.

Offshoring
The continuing trend to outsource offshore presents several challenges. A respondent described one issue as follows: “Data stored in other countries is becoming more important as next generation applications are moving toward open standards, so as to facilitate the collaboration of data amongst applications. Also, corporations are moving more and more toward outsourced solutions [i.e., hosting, or ‘software as a service’], and/or toward single global instance applications.” The question of data access is critical, and in global organizations it can only be solved through the use of open standards. This is one of the areas where eXtensible Business Reporting Language (XBRL) has been known to excel.

Effective IT leadership
Some respondents mentioned the need for effective IT leadership. There are several aspects to this issue: leadership to motivate and direct the choice of IT options, to align business and IT strategies, to implement and operate effective IT controls. The effective IT leader will be able to adjudicate risk-based business priorities, a competence that is rare.

One component of this issue relates to the role of project management, which is considered significant. It was felt that while the project management discipline is supported by a large and growing body of knowledge, its applicability to IT projects is often minimized. In addition, there is not an adequate body of knowledge and methodology to effectively evaluate the existence and operating effectiveness of project management controls.

Enterprise resource planning (ERP) systems are another aspect of IT management that is causing difficulties. As one person stated, “I believe the value of an integrated, properly managed ERP will come to light in 2008 when companies leverage off application controls and the reduced requirements associated with effectiveness testing in place of extensive substantive testing.”

It was felt that with regard to ERP, adoption of processes is no longer the main challenge. Customizing them and ensuring they are suitable to the organization is more important. This means that IT continues to be challenged to operate outside its traditional technical area of competence. Probably this points to a need for broader education and training of IT personnel.

“Retrieving data has been one of those topics that often straddle technical and functional expertise. Enabling end users to retrieve data when and how they want it is one of the key concepts of business intelligence; gone are the days of technical assistance being associated with data retrieval — we should be focused on bridging that gap, so as to allow faster, more informed decision-making and IT focused on more value-added activities,” said one respondent.

Another interesting comment was about the corrective action required as a result of MD&A disclosure weaknesses, which will require collaborative efforts of management and IT when IT issues are involved. It was suggested that a board-level group would be needed to specifically deal with these matters.

Data ownership and integrity
There is a renewed focus on data in the IT world. Data created in different parts of an organization is moved around more easily and frequently and is more accessible to users. Moreover, with the skyrocketing growth of end-user computing, controls over data have been deteriorating. This has an adverse impact on data integrity. Information processing is all about data, and without trust in the integrity of data, other IT controls become ineffective. These trends create issues related to data ownership and data integrity, and they are causing IT managers to revisit the question of data ownership and establish contemporary standards in this area.

The CICA Information Technology Advisory Committee (ITAC) has commissioned a research project that will aim at identifying controls that can be used to achieve information integrity so as to provide practical guidance to managers and auditors.

Public trust
Closely related to data integrity, but distinct from it, is the erosion of public trust in data. No doubt some of this erosion relates to the publicity surrounding the events where there was loss of data and violations of personal privacy.

This issue is best addressed through the application of good security measures and strong controls. It warrants being a separate issue, however, because there is a need to focus on trust, not only by the IT people, but perhaps more importantly by senior management and governance bodies. Proper solutions to the problem can only be achieved with adequate funding, resources and management policies.

Service organization assurance
In an environment where there is increasing reliance on third-party service providers for the delivery of IT services, considerable changes have been taking place over the past few years in assurance related to service organizations. Changes were made to the CICA Handbook–Assurance in July 2005, replacing Section 5900, “Opinions on control procedures at a service organization,” with Section 5970, “Auditor’s report on controls at a service organization.” The new standard has caused considerable confusion among those providing these services, because it did not cover some of the audit services provided to service organizations or the distribution of the resulting reports. Accordingly, the new recommendations were found to limit the usefulness of the service to clients, and ITAC has spent considerable time discussing these issues and raising them with standards-setters.

Currently, the International Auditing and Assurance Standards Board is considering a new exposure draft, which, if ultimately approved as a standard, will likely be adopted in Canada and will change the audit standards related to service organizations again.

Assurance for entities using service organizations is a very important practice area for several firms and they are following these developments closely. It is hoped that the standards in this area will be clarified soon.

Legislative fatigue
Legislation and other legal requirements have caused something of a crisis of management in the IT world. This issue extends far beyond the well-known complications caused by the Sarbanes-Oxley Act in the US and the similar Investor Confidence Rules issued by the Canadian Securities Administrators. It also extends beyond the globalization of companies and their need to identify and comply with legislative requirements in many different countries.

Software contract compliance is also an area that vendors have been increasingly focusing on. Organizations need to devote their energies to properly identifying the entitlements of software licensing and managing them, which ties in to proper asset and configuration management.

This whole area has escalated greatly in the past few years.

Methodology and conclusions
This year, ITAC established a framework for conducting its survey. The committee identified 10 major IT areas of interest and asked respondents to indicate, for each, the most significant issue they think should be included in the list for 2007. For each IT area of interest, a number of issues were already identified. Respondents were asked to pick one of those and indicate why it is a significant issue or, if their issue was not listed, to describe the issue they believe is most significant and explain why.

IT areas of interest:

  1. Legislation and regulation
  2. Contractual agreements
  3. Infrastructure
  4. IT resources/skills
  5. IT management processes
  6. Public trust (security/reliability)
  7. IT governance
  8. Collaborative/extended enterprises
  9. Information management
  10. IT controls and assurance

The process followed this year resulted in much more input from a variety of people involved with IT and IT management. Numerous responses were received, thanks to the help of associates of ITAC members, the CICA IT alliance and members of the Toronto chapter of ISACA. The result is a different list of top issues, one less focused on individual discrete issues, and one that points clearly to the manner in which so many of the top issues are interrelated and therefore require coordinated approaches to their resolution.


Gerald Trites, FCA, CA•CISA/IT, is a research consultant for the CICA and project manager for XBRL Canada. He is a member of and technical consultant for the Information Technology Advisory Committee

Andrée Lavigne, CA, is a principal in the CICA’s Research Studies department. She provides staff support to the Information Technology Advisory Committee