Getting Control of Compliance Means Using Risk Based Approach

Research reveals that despite the importance internal auditors and corporate compliance professionals put on making sure the right controls are in place for access to systems and data, 70 percent of respondents in a recent survey of auditors said it is critical to IT compliance, the majority said there are inadequacies in current practice. A majority (82 percent) said a risk-based approach would be more effective, this from the Ponemon Institute survey “Audit & Compliance Professionals: Survey on Identity Compliance.”

Financial services comprised the largest group of survey respondents in the survey, followed by government, and then other industries.

“What we see in this study, which isn’t startling, but there is a ‘disconnect’ between IT and the folks in the compliance area,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

The problem of disconnect between IT and compliance areas happen in several places, over several issues, and “reading between the lines on the study,” Ponemon noted, “Auditors don’t feel comfortable in auditing the identity management area, because it requires some technical expertise, they don’t own the software tools to audit these parts so they rely on other groups within the organization to perform these audits, and it creates a sense of potential risk.”

The survey examines the views of auditors and compliance staff on the state of compliance practices focusing on ensuring proper access to systems and data. The survey showed four main inadequacies: Reliance on manual processes – Survey responses showed 58 percent manually monitor and test controls on user permissions and activities, depending almost exclusively on reports generated by others rather than on software tools.

The survey also showed a lack of centralized control. Organizations surveyed (86 percent) have not established clear ownership of compliance oversight or processes around reporting on and monitoring user access to critical systems and data, with a wide majority conducting compliance efforts in a decentralized fashion at the application or department level.

The audit and compliance staff have poor communication and collaboration with departments who share responsibility for IT compliance (61 percent). Respondents cited poor understanding of risk management and compliance among other departments as the key barrier (65 percent).

The auditors also cited an inattention to business risk. When asked if their organization focused their compliance resources or efforts based on risk, half did not think so or were unsure and the majority reported the information to quantify risk was simply not available. (58 percent).

“Audit and compliance professionals are clearly struggling to gain control over issues at the heart of IT compliance, know who has access to what in your institution. They must do an incredibly complex and important job the hard way, manually and creatively, and they know it,” Ponemon said.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.