Managing IT Risks and Compliance: A Growing Major Concern
Managing IT risks and compliance are major concerns for many organizations, including those in public accounting, business and industry, consulting, and government/not-for-profit. Organizations that do not understand, or have not considered, the risks associated with information technology are generally not prepared to mitigate such risks. As a result, they are ill-prepared to face the pressures that accompany increased vulnerability within the IT environment.
According to the results of the first Regulatory and Risk Management Indicator conducted by Wolters Kluwer Financial Services, financial institutions are feeling even greater regulatory and risk management pressures than ever before as issues surrounding IT risks and compliance seem to exponentially increase from year to year. The Regulatory and Risk Management Indicator highlights the concerns that financial professionals have with risk management and the obstacles they face in managing those risks effectively.
- Regulatory risk (56%)
- Fraud (33%)
- Asset and liability management (28%)
- IT risk (25%)
- Credit and liquidity risk (24%)
- Operational risk (23%)
Obstacles. In contrast, the biggest reported obstacles to managing risk effectively are:
- Regulatory pressures (35%)
- A disconnection between risk management processes and overall strategic plans (19%)
- Too many technology systems that are not integrated (17%)
- Processes that do not empower employees to own and manage risk (17%)
Although the Kluwer Indicator focuses more on banking, the issue of managing IT risks and compliance is critical and pervasive within the entire CPA community – as the recent AICPA's 2013 North America Top Technology Initiatives Survey revealed.
The issue of managing IT risks and compliance ranked third in the Top Technology Initiatives Survey in the U.S. (only after managing and retaining data and securing the IT environment – which ranked first and second respectively) and fourth in Canada (only after managing and retaining data, securing the IT environment and enabling decision support and analytics – which ranked first, second and third respectively). So, why is it so important to CPAs?
A recent IBM white paper on aligning information technology with strategic business goals sheds light on why CPA firms rate it so high, “The complexities of IT and its interconnectedness to so many areas of the business leave organizations more vulnerable than ever to inherent risks.” However, the white paper also found that, “despite the widespread business impact that threats can have, most organizations do not consider aligning their IT risk management plan with their strategic business initiatives.”
The latter is certainly a concern, but one that can be addressed by having a sound risk management policy. Here are three things that your company can do to better align your IT risk management plan with your strategic business initiatives:
- Conduct a risk assessment. Conduct a risk assessment, looking at vulnerabilities and threats including those related to emerging technologies like cloud computing, mobile technologies and social media.
- Design policies and internal controls. Policies and internal controls should be designed to reduce IT-related risks to an acceptable level, and the effectiveness of those controls should then be monitored.
- Monitor override abuse. CPAs should develop policies to detect management override abuse within IT-dependent systems.
Want more information? Check out the complete results of the AICPA's 2013 North America Top Technology Initiatives Survey, conducted jointly with the Chartered Professional Accountants of Canada. The AICPA Information Management and Technology Assurance Section has developed a toolkit to accompany the survey, which provides IMTA Section members and CITP credential holders with the tools to assist them in interpreting the survey results and educating other IT professionals.
Jocelyn M. Woodard, Manager IMTA, American Institute of CPAs. Jocelyn is a technology risk and assurance manager assisting AICPA committee and task force members with the planning and implementation of initiatives that will better aid CPAs in understanding and utilizing information management and technology assurance tools and concepts.