Getting Control of Compliance Means Using a Risk-Based Approach
Research reveals a gap between the importance internal auditors and corporate compliance professionals place on ensuring the right controls govern access to systems and data and the state of current practice: in a recent survey of auditors, 70 percent of respondents said such controls are critical to IT compliance, yet the majority said current practice is inadequate. A majority (82 percent) said a risk-based approach would be more effective. The findings come from the Ponemon Institute survey "Audit & Compliance Professionals: Survey on Identity Compliance."
Financial services firms made up the largest group of survey respondents, followed by government and then other industries.
"What we see in this study, which isn't startling, but there is a 'disconnect' between IT and the folks in the compliance area," said Larry Ponemon, chairman and founder of the Ponemon Institute.
The disconnect between IT and compliance areas shows up in several places and over several issues. "Reading between the lines on the study," Ponemon noted, "auditors don't feel comfortable in auditing the identity management area, because it requires some technical expertise; they don't own the software tools to audit these parts, so they rely on other groups within the organization to perform these audits, and it creates a sense of potential risk."
The survey examines the views of auditors and compliance staff on the state of compliance practices, focusing on ensuring proper access to systems and data. It identified four main inadequacies. The first is reliance on manual processes: 58 percent of respondents manually monitor and test controls on user permissions and activities, depending almost exclusively on reports generated by others rather than on software tools.
The survey also showed a lack of centralized control: 86 percent of organizations surveyed have not established clear ownership of compliance oversight or of the processes for reporting on and monitoring user access to critical systems and data, and a wide majority conduct compliance efforts in a decentralized fashion at the application or department level.
Audit and compliance staff also report poor communication and collaboration with the departments that share responsibility for IT compliance (61 percent); respondents cited poor understanding of risk management and compliance in those departments as the key barrier (65 percent).
The auditors also cited inattention to business risk. Asked whether their organization focused its compliance resources or efforts based on risk, half did not think so or were unsure, and the majority (58 percent) reported that the information needed to quantify risk was simply not available.
"Audit and compliance professionals are clearly struggling to gain control over issues at the heart of IT compliance, know who has access to what in your institution. They must do an incredibly complex and important job the hard way, manually and creatively, and they know it," Ponemon said.