“The organization selects and develops general control activities over technology to support the achievement of objectives.” (COSO Principle 11 – Selects & Develops GCCs COSO Framework) is the second of the three principles relating to the Control Activities component of internal control. As organizations implemented programs to satisfy the Sarbanes-Oxley Law of 2002 (SOX), tensions developed between the compliance/finance/SOX teams and the information technology (IT) teams at many organizations. Some IT teams did not appreciate the sudden attention (and scrutiny) from these “outside” departments that frequently did not fully understand and appreciate their process, or at least didn’t speak the same “language”. Interestingly, in the years following the enactment of SOX while leading the implementation of SOX compliance programs at two different publicly-held companies I was also earning an MS in Computer Information Systems. The most striking knowledge I gained as I progressed through the MS program was how nearly identical the body of knowledge and process of auditing/compliance was to the body of knowledge and processes of IT operations and system development. These departments that were often at loggerheads shared nearly identical foundational knowledge and practices. This knowledge helped me to bridge the divide in many cases but I must admit, not often enough. Bridging this divide is occurring naturally as the auditors and compliance professionals grow into truly integrated auditors and IT professionals adjust to the environment of heightened compliance and scrutiny following SOX and the expansion of compliance demands from PCI, HIPPA and others.
COSO Principle 11 – Selects & Develops GCCs
Siemens Simatic S7-300 PLC CPU with three I/O modules attached
http://en.wikipedia.org/wiki/Stuxnet#mediaviewer/File:S7300.JPG
A major challenge relates to access to change information directly to the database underlying a critical application. While it often takes in-depth knowledge of the application to commit such a fraud because such a nefarious action frequently requires update to more than one data table, organizations nevertheless have to implement controls to protect their data from one individual having the ability to make such changes undetected. Given that every server, mainframe or other system must have an administrator (that often has such access), implementing such controls is challenging, especially for small to medium-sized entities (SME) or those that do not have large IT departments. In recent years the cloud has provided the opportunity for SMEs to achieve often better application functionality in a more secure environment that is managed by a software-as-a-service (SaaS/cloud) provider. Data security/privacy is critical to SaaS providers’ business and therefore they devote a much higher percentage of their resources to security than a typical SME. SaaS applications typically run on internal or hosted platforms for which SOC Reports are available. According to a recent CIMA Research Paper, “In spite of public perception, cloud providers can typically provide more secure services than that which most SMEs can afford.” (p. 7)
One critical developing threat vector perhaps not yet considered at many organizations are the control systems (programmable logic controllers or PLCs) that control the operation of the machinery in their facility. From factory equipment to HVAC and other systems, many use PLCs and are perhaps vulnerable to attack. The Stuxnet computer worm (see also Nova: Rise of the Hackers) reportedly destroyed nearly 1/5 of Iran’s nuclear centrifuges. What are the financial implications, and by extension financial reporting implications, of an extended factory/facility shut-down or, worse, your equipment destroying itself at one of your facilities? Unfortunately, the Stuxnet virus escaped from the Iranian nuclear facilities and is now on the public web for nefarious players to study. We no longer have the luxury of time to start the discussions (hopefully already under way) of internal control procedures to identify and protect PLCs that are critical to our enterprise with the same vigor that we protect our data centers and networks. Elevating the risk to many organizations is that these worms are not detectable in the traditional way malicious software is detected. Also, the IT professionals at most organizations have little to no knowledge of PLCs.
For many organizations, implementing effective technology general controls over financial reporting to satisfy the requirements of SOX was challenging. As the landscape has become more challenging due to PCI, HIPPA, Dodd-Frank, hacking/cybersecurity and other requirements it becomes clear that financial reporting is the tail that wags the dog. Beyond financial fraud threats, it appears some of the most significant IT threats are more likely to cause financial loss through theft, fines, and other compensation with this loss then presented in financial reports. The good news is that the level of threats have bridged the initial divide between IT and compliance professionals in many organizations and brought them together in an “all hands on deck” effort to protect the organization from threats to potentially its’ ongoing viability. This IT/compliance partnership leverages compliance to protect the entire entity.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/ , follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/