Concentrating on compliance, rather than the reason it is required, can lead to an organisation implementing or redesigning its operational processes so that they adhere to the industry standard or regulatory controls. Although the goal of achieving compliance is valid, the danger is that this determines the business processes, rather than supporting them to operate with adequate control.
For example, introducing a wide-ranging control framework to which all business applications must adhere regardless of how critical they are to operations may achieve a tick in the audit box, but offer little in the way of overall advantage to the business. An application’s functionality may not be relevant to a number of the control objectives and therefore, in some cases, the result may be unnecessary overheads in the form of checking against various irrelevant compliance controls that take budget and time to define, implement, test and review.
Avoiding ‘compliance for compliance sake’
Equally, the ‘compliance first’ approach may appease the auditors, but it can lead to the culture of the organisation becoming over-focused on a checklist of process-orientated controls without understanding the reasons that they are required. An interesting indicator is to monitor process approval rejections. If none occur, it may raise the question of whether the approval is performing a useful function from a business risk perspective or simply demonstrating a compliant process.
Putting the right people in place
Having taken the first step of making sure they are not undertaking ‘compliance for compliance sake’, organisations would also be wise to address how they demonstrate adequate approval of requests. The key consideration should be the person responsible for signing off each approval. Although it is easy to demonstrate process compliance by having the approval evidenced, it is far more difficult to substantiate that the approver was fully aware of the impacts of their decision.
The management of application code for example, is a critical activity. However, many people responsible for approving application changes may not fully understand the nature of the revisions they are signing off. Rather, they are often more focussed on the scheduling of changes across the operational landscape. If the approver is not a content expert with sufficient background knowledge to perform effective governance, relying on the provided documented evidence could weaken the control. Both control and content must be checked if the approval procedure is to address the potential business risk to the organisation, rather than merely checking the process.
The same can be said for review-based controls. Take, for example, an emergency access process whereby the primary control is usually detective in nature. If the reviewer only compares actual transaction usage with planned usage, and is unable to comment on the impact of the activities performed, the control is inherently weak, despite passing a completeness check from an audit perspective. Likewise, performing a reconciliation may confirm that the activities performed matched what was requested, but will not flag up if the actual request was inappropriate in the first place. The key to the effectiveness of both approval and review-based controls is having the right people acting as control operators to provide effective governance.
The business rules set
Developing the business rules set in order that it is objective yet specific to the organisation requires the involvement of the business. At the same time the risks need to be accurately and objectively defined so that the end result is an effective rulebook rather than a mechanism to make the business figures look good. Once the rules set is released for operational use, knowing and understanding what constitutes business risk for the organisation, risk appetite and risk profile is key to understanding where to draw the line of acceptance of the residual risk.
Making risk management the driving force
Compliance and authorisation conflict reporting is also a key audit area. It is easy to be blinded by the numbers of Segregation of Duties (SoD) conflicts with an aim to manage them down to zero. However, although removing all levels of sensitive access and SoD can make it appear that the risk profile for the business is reducing, it is very rarely possible to have a fully SoD remediated application. Further analysis may show that the result is simply transference into a different area such as increased use of the emergency access process.
There is no doubt that controls and remediation activities perform a vital role in safeguarding the enterprise, as well as achieving regulatory compliance. However, it is essential to view them in the overall context of the organisation so that only controls that truly protect the business from risk are implemented.
Simon Persin is lead for GRC Access Controls at Turnkey Consulting, a specialist IT security company focused on combining business consulting with technical implementation to deliver information security solutions for SAP systems