<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://community.ca.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Security Management : Chris Stoneley</title><link>http://community.ca.com/blogs/iam/archive/tags/Chris+Stoneley/default.aspx</link><description>Tags: Chris Stoneley</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>Will Continuous Control Monitoring Always Be the Holy Grail of Compliance?</title><link>http://community.ca.com/blogs/iam/archive/2010/01/21/will-continuous-control-monitoring-always-be-the-holy-grail-of-compliance.aspx</link><pubDate>Thu, 21 Jan 2010 20:00:00 GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:4231</guid><dc:creator>CA Community</dc:creator><slash:comments>0</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2010/01/21/will-continuous-control-monitoring-always-be-the-holy-grail-of-compliance.aspx#comments</comments><description>&lt;p&gt;I’ve often heard auditors waxing poetic on the fact that ‘continuous controls monitoring’ and ‘automated compliance’ always seem to be ‘the next great thing’ – but as many have pointed out to me over the last several years, these are areas where it is difficult to gain traction.&lt;/p&gt;
&lt;p&gt;I’ve often found myself asking, “Will we ever really get there?”&lt;/p&gt;
&lt;p&gt;There are lots of different names for this and several versions of the truth, but essentially what I am discussing is the ability for a business solution (or control) to have an associated component that feeds compliance-related information (such as test passes or failures) in an appropriate form to a governance, risk &amp;amp; compliance (GRC) solution. The GRC solution would then package the information appropriately, and provide it in an easily digestible and customized form to a requestor, such as internal or external audit, compliance executives, or similar roles.&lt;/p&gt;
&lt;p&gt;A real-world example might look like this:&lt;/p&gt;
&lt;p&gt;A company may have a policy which dictates that personally identifiable information (PII) not be sent via e-mail. This policy may in turn have arisen from some significant requirement, such as the Health Insurance Portability and Accountability Act (HIPAA). There will probably be an associated desktop procedure, and perhaps some manual control process.&lt;/p&gt;
&lt;p&gt;If the associated control were to ensure this did not happen, the corresponding evidence may be difficult to acquire and produce. Let’s say, for the sake of this exercise, that the company has implemented a Data Loss Prevention (DLP) solution, geared to perform (or enforce) exactly this control. While the DLP solution may well be the enforcer of the control, and by itself have reporting or a dashboard showing the number of enforcement or prevention events, it may still be a manual process for an auditor to ‘discover’ this information, review it, opine on it, and provide the appropriate evidence along with the other appropriate documentation in an audit workbook or as a component of a control test.&lt;/p&gt;
&lt;p&gt;Automating the compliance program in this case would clearly entail integrating the two systems: (1) the GRC solution receiving a feed of the appropriate information from the DLP solution, ensuring that evidentiary support was provided, potentially with metrics tied to Key Risk Indicators (KRIs) – perhaps the number of attempts to send PII via e-mail; and (2) Key Performance Indicators (KPIs) – perhaps the number of times PII was successfully blocked from an e-mail.&lt;/p&gt;
&lt;p&gt;The integration of these systems, and the associations that could then be formed between elements which may have previously been disparate – such as the links from the significant requirement, to the policy, to the desktop procedure which contains the key control, to the KRIs &amp;amp; KPIs, and ultimately to the actual evidence – ensures that the information can be packaged and collated and is quickly and easily found in the event of an audit.&lt;/p&gt;
&lt;p&gt;A control that effectively audits itself? Oh really?&lt;/p&gt;
&lt;p&gt;Of course – this is in an ideal world – and there are other investments such as the purchase, installation and configuration of complementary systems… but this is now a more achievable goal than ever.&lt;/p&gt;
&lt;p&gt;CA sees this integrated compliance approach as the future; as &lt;a class="" href="http://community.ca.com/blogs/grc/archive/2010/01/07/emc-rsa-archer-the-grc-consolidation-trend-continues.aspx" target="_blank"&gt;consolidation continues in the GRC world&lt;/a&gt;, it would seem that more and more companies agree.&lt;/p&gt;
&lt;p&gt;In summary – I think the goal is much closer, and even more achievable than in years (and perhaps decades) before – but let’s face it – we seem to be adding new regulatory requirements as quickly as we can add solutions – so perhaps it will always be the Holy Grail?&lt;/p&gt;</description><category domain="http://community.ca.com/blogs/iam/archive/tags/audit/default.aspx">audit</category><category domain="http://community.ca.com/blogs/iam/archive/tags/automated+controls+monitoring/default.aspx">automated controls monitoring</category><category domain="http://community.ca.com/blogs/iam/archive/tags/CCM/default.aspx">CCM</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Chris+Stoneley/default.aspx">Chris Stoneley</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Compliance/default.aspx">Compliance</category><category domain="http://community.ca.com/blogs/iam/archive/tags/continous+controls+monitoring/default.aspx">continous controls monitoring</category></item><item><title>Sarbanes-Oxley – Unconstitutional?</title><link>http://community.ca.com/blogs/iam/archive/2009/12/29/sarbanes-oxley-unconstitutional.aspx</link><pubDate>Tue, 29 Dec 2009 15:15:00 GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:4126</guid><dc:creator>CA Community</dc:creator><slash:comments>0</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2009/12/29/sarbanes-oxley-unconstitutional.aspx#comments</comments><description>&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;As previewed by &lt;a class="" href="http://community.ca.com/blogs/grc/archive/2009/11/30/the-battle-against-sox-continues.aspx" target="_blank"&gt;Sumner Blount in his November 30&lt;sup&gt;th&lt;/sup&gt; blog post&lt;/a&gt;, the Supreme Court on December 7&lt;sup&gt;th&lt;/sup&gt; heard opening
arguments challenging the constitutionality of the 2002 Sarbanes-Oxley Act, which came out of the scandalous collapses of Enron, WorldCom, Tyco and other companies early this decade. At issue in the lawsuit, filed by the Free Enterprise Fund and a Nevada accounting firm, is the Sarbanes-Oxley law&amp;#39;s creation of an independent board to police auditors of publicly held companies.&lt;/font&gt;&lt;/p&gt;
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;“If you combine the ability to make laws and enforce the law, that’s what King George did – and that is the ultimate definition of tyranny,” said Lawyer Michael Carvin in an associated NPR interview. Their story and an audio recording can be found &lt;a class="" href="http://www.npr.org/templates/story/story.php?storyId=121146830&amp;amp;ft=1&amp;amp;f=1003" target="_blank"&gt;here&lt;/a&gt;&lt;/font&gt;&lt;font face="Verdana"&gt;.&lt;br /&gt;&lt;br /&gt;In case you missed Sumner’s previous post, the crux of the matter, as reported by the Courier, is: &lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;blockquote&gt;
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;“The plaintiffs argue the Public Company Accounting Oversight Board violates the Constitution because it is not accountable to the president. The president lacks power to review the board&amp;#39;s work or influence its finances, the plaintiffs said. Board members are appointed by the Securities and Exchange Commission, which cannot remove board members for anything other than willful violations, the plaintiffs have said. They also have argued the arrangement violates the constitutional guarantee of a separation of powers because Congress has at least as much control over the accounting board, if not more, than the White House. The Securities and Exchange Commission and the accounting oversight board are both subject to congressional oversight.”&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;Much has been made of this law since It was enacted and its subsequent consequences, with many as a result calling it the ‘new employment act for auditors’ – but now that the requirements of the act are so ingrained in so many large, publicly traded companies, is it here to stay? Certainly there are those that have protested its very existence from its initial enactment – a quick Google search brings a myriad of articles on the subsequent mass privatization of companies and the exodus of companies to stock exchanges and trading boards in countries with far less stringent reporting requirements – but is the anti-SOX wave now reaching tsunami like proportions?&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;Many point to recent ‘smaller wins’ such as that voted on by the house in November, working towards excepting smaller companies from some of the more onerous requirements as small victories in a much larger battle. (&lt;a class="" href="http://financialexecutives.blogspot.com/2009/11/sarbanes-oxley-exemption-passes.html" target="_blank"&gt;Garret / Adler amendment.&lt;/a&gt;&lt;/font&gt;&lt;font face="Verdana"&gt;)&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;Having been entrenched in a large financial institution during the more formative years of the Sarbanes-Oxley act (the so called ‘year zero’ through the publication of the PCAOB’s Audit Standard No. 5 and the Security and Exchange Commissions’ guidance), I can see the benefit of the enterprise governance, risk and compliance (GRC) programs that were largely established in the wake of SOX and in some cases further developed and tuned in response to the more prescriptive guidelines and requirements that were to follow (such as PCI for example).&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;While I can see portions of the act that must change over time, to re-encourage the sort of free enterprise and opportunity the United States built itself upon, I feel that many of the components of the act that promote oversight, clarity and visibility, both to executive management and to the public, must be here to stay. Yes, some relaxation of some of the rules may bring companies flooding back to ‘the greatest stock market in the world,’ but investors, forever burned by the likes of Enron, WorldCom, et al, are now always going to look for that extra insight that the publication of additional information and disclosure of significant events is going to bring. Even the companies themselves have become dependent on the value added by the extra level of documentation, testing and certification that comes with formally documented processes, controls, and the associated risk management and governance practices.&lt;/font&gt;&lt;/p&gt;&lt;font face="Verdana"&gt;&amp;nbsp;&lt;/font&gt; 
&lt;p class="MsoNormal" style="MARGIN:0in 0in 0pt;"&gt;&lt;font face="Verdana"&gt;Unconstitutional? Perhaps – on a technicality, the Sarbanes-Oxley act will start to fray and unravel… but I firmly believe the tone of ensuring corporate transparency is welcome, necessary, and here to stay.&lt;/font&gt;&lt;/p&gt;
</description><category domain="http://community.ca.com/blogs/iam/archive/tags/Chris+Stoneley/default.aspx">Chris Stoneley</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Regulations/default.aspx">Regulations</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Sarbanes-Oxley/default.aspx">Sarbanes-Oxley</category><category domain="http://community.ca.com/blogs/iam/archive/tags/SOX/default.aspx">SOX</category></item><item><title>CA to Present Session on Control Rationalization at ISACA and IIA Audit Efficiency Seminar</title><link>http://community.ca.com/blogs/iam/archive/2009/04/24/ca-to-present-session-on-control-rationalization-at-isaca-and-iia-audit-efficiency-seminar.aspx</link><pubDate>Fri, 24 Apr 2009 09:00:00 GMT</pubDate><guid isPermaLink="false">8d07cc69-a460-48f1-844d-25b05ba87317:3343</guid><dc:creator>CA GRC Blog Admin</dc:creator><slash:comments>0</slash:comments><comments>http://community.ca.com/blogs/iam/archive/2009/04/24/ca-to-present-session-on-control-rationalization-at-isaca-and-iia-audit-efficiency-seminar.aspx#comments</comments><description>&lt;p&gt;On Monday, April 27, Chris Stoneley, one of CA&amp;#39;s principal consultants for GRC, will be presenting a half-day session from 12:30 to 4:30 pm PT on control rationalization with Jonathan Ladniak, a senior consultant in Deloitte &amp;amp; Touche LLP&amp;#39;s Enterprise Risk Management Practice.
The session is part of the joint &lt;a href="http://isacala.org/" target="_blank"&gt;ISACA LA chapter&lt;/a&gt; and &lt;a href="http://www.theiia.org/chapters/index.cfm/view.event_detail/cid/181/event_id/13934" target="_blank"&gt;IIA San Fernando Valley chapter&lt;/a&gt; seminar on Audit Efficiency, which takes place in Monterey Park, CA, near Los Angeles, on Monday and Tuesday next week.&lt;/p&gt;
&lt;p&gt;As described by ISACA-LA and IIA-SFV, the seminar is a collaborative effort to provide their member communities with insightful and meaningful audit techniques and approaches that will enhance the value contribution and credibility of the audit function. This is particularly important given the current environment: in this adverse economic climate, Internal Audit will not only be required to perform its fiduciary duties more efficiently with fewer resources, but also to identify and provide tangible process improvement opportunities.&lt;/p&gt;
&lt;p&gt;Chris and Jonathan&amp;#39;s session on &amp;quot;Gaining Efficiency and Effectiveness Through Control Rationalization&amp;quot; will cover the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Designing controls to satisfy multiple compliance frameworks and &amp;quot;bundling&amp;quot; audits and compliance reviews to minimize operational impacts and reduce IA costs&lt;/li&gt;
&lt;li&gt;Resources to find best practice or &amp;quot;smart&amp;quot; controls&lt;/li&gt;
&lt;li&gt;Integration of IT and Business Compliance controls&lt;/li&gt;
&lt;li&gt;Value added to compliance monitoring&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The overall goal is to offer strategy around the seminar theme, which is &amp;quot;threading the needle&amp;quot; with cost reductions, efficiencies gained through intelligent audit execution and superior control design, as well as system and process optimization for the overall business strategy.&lt;/p&gt;
&lt;p&gt;Chris and Jonathan plan to kick off with an overall briefing on ‘the state of play’ before highlighting a case study to demonstrate real-world examples of some of the critical controls concepts noted above.
They will also discuss the value of leveraging a control framework, such as the Unified Compliance Framework, and the benefits of continuous controls monitoring, key performance indicators, and key risk indicators.&lt;/p&gt;
&lt;p&gt;To learn more about the seminar, visit either the &lt;a href="http://isacala.org/" target="_blank"&gt;ISACA LA chapter site&lt;/a&gt; or the &lt;a href="http://www.theiia.org/chapters/index.cfm/view.event_detail/cid/181/event_id/13934" target="_blank"&gt;IIA San Fernando Valley chapter site&lt;/a&gt;.&lt;/p&gt;</description><category domain="http://community.ca.com/blogs/iam/archive/tags/audit/default.aspx">audit</category><category domain="http://community.ca.com/blogs/iam/archive/tags/Chris+Stoneley/default.aspx">Chris Stoneley</category><category domain="http://community.ca.com/blogs/iam/archive/tags/controls/default.aspx">controls</category><category domain="http://community.ca.com/blogs/iam/archive/tags/controls+rationalization/default.aspx">controls rationalization</category><category domain="http://community.ca.com/blogs/iam/archive/tags/IIA/default.aspx">IIA</category><category domain="http://community.ca.com/blogs/iam/archive/tags/internal+audit/default.aspx">internal audit</category><category domain="http://community.ca.com/blogs/iam/archive/tags/ISACA/default.aspx">ISACA</category></item></channel></rss>