How to Integrate IT Security Assurance Groups
Aligning, Integrating Assurance Pros Still in Its Infancy
While separation is often essential, maintaining separate assurance functions has disadvantages as well as advantages. Careful coordination is needed: Are we duplicating services? Worse, are there risks that fall between the cracks, into the gray areas on the borders of our separate assurance functions?
During my career in internal auditing, I have seen the approach to information technology audit and information security audit evolve: from a time when we had no IT/IS auditors, to having IT/IS auditors on staff but located in a separate building from the rest of the audit team, to a time when IT/IS audit moved into the same building as the other auditors - but was still housed on a separate floor. Today, information technology audit and information security audit are fully integrated into the internal audit department; they are no longer isolated on a separate floor, let alone in a separate building.
Other groups of assurance professionals have also come a long way towards working together effectively; but I believe the job of aligning and integrating assurance professionals effectively is still in its infancy.
Our challenge is to find a way to integrate the organization's assurance providers into a cohesive risk management team that protects the entire organization while remaining cost-effective and flexible. It is not enough merely to coordinate a few specialties such as information technology audit and financial audit. Every organization needs strategies designed to optimize and coordinate its assurance services. Many of our specialties can and should remain separate functions, but I believe we can no longer afford to have separate uncoordinated strategies in place for each assurance function.
Close coordination is particularly important in areas such as information technology and information security that touch on all aspects of the organization. For example, several different assurance groups might use automated tools for data analysis, continuous auditing or monitoring. Data mining technologies are powerful enablers because they let business functions analyze entire populations of data rather than samples. These tools retrieve data quickly and are commonly used by information security specialists, internal auditors, compliance officers and fraud examiners to examine 100 percent of a data population in real time.
But professionals cannot mine the data effectively, efficiently and in its entirety unless they have an IT strategy and execute that strategy. Sharing automated tools can help hold down expenses, but coordination can be enhanced further:
- Different assurance groups might share the scripts that are used to review and analyze information.
- One group might train another on specific techniques, holding down training costs and increasing expertise.
- Various groups might perform similar monitoring tasks throughout the year, and resources can be freed up if the monitoring is coordinated so that duplicative work is avoided.
To fully take advantage of our opportunities to coordinate resources and increase efficiency, it's important that different assurance groups stay in constant communication.
Communication is key, but reaching the destination also requires deciding where you want to be and having an effective IT strategy that supports that plan. Data mining and continuous auditing tools are not the only areas that benefit from enhanced coordination and a well-thought-out strategy shared by all of the organization's assurance providers.
It's also important to align each assurance group's IT strategy with the organization's overall technology objectives. Alignment helps all groups to understand how to assess the IT controls deployed throughout the organization and recommend solutions that tie to business strategies and IT goals. When it comes to technology, it is important first to understand the organization's IT strategy from a business perspective by determining how technology will play a part in the business plan. We can then look at the goals set for individual departments and the role technology will play. We need to look at the desirable outcomes or services we need to deliver based on the organization's overall strategy. This, in turn, allows us to identify technology opportunities and ways to integrate them into our operations.
Today's environment challenges us all to do more with less. Budget pressures and staff reductions over the last few years forced many organizations to reengineer existing business processes, which often included using new technologies. Most organizations are finding that it's difficult to do more with less without effective IT strategies and assurance strategies that are coordinated across departmental lines. To set the right strategies, we need to work with senior leadership to understand the organization's goals and objectives and its overarching technology plans.
Once we understand where the organization is going, we need to develop coordinated strategies for each individual assurance function that will help the organization achieve its business goals.
Sally Dix is vice president of Standards and Guidance at The Institute of Internal Auditors, the guiding body for the internal audit profession worldwide. She oversees the development of technical guidance and global standards for the internal audit profession in 165 countries.