Philip Hung Cao

Making IT Management and Assessment More Reliable via Automation


I am a technology enthusiast and hence I am more inclined toward newer, developing methods when it comes to the auditing approach. I have worked on both sides of internal audit assignments—the auditor side and the process consultant side. In my experience under both these functions, and despite the various auditing standards and the expected objectivity of the auditor, there are instances of unfair assessment.

The reasons for such misrepresentation range across multiple factors, from lack of expertise to lack of objectivity in audit execution. The risk of incompetence cannot be completely eliminated; however, to reduce the risk of bad judgement, and thus of unfair assessment, we can employ utilities provided by the system itself to generate customized reports that give more insight into the system. The use of auditing tools is discretionary for auditors, and these tools offer more functionality than report generation alone, but the IT systems themselves could also be designed to generate anomaly reports (for example, every production change with no matching, prior approval), which reduces the risk that a manually drawn sample misses the exceptions that matter. Similarly, reports can be generated from the systems to reflect the impact of failed IT controls. When this much analysis is available from the system itself, the auditor's judgement is applied to complete evidence rather than to a sample, the risk of misjudgment is greatly reduced, and the auditor's burden shrinks accordingly.

Similarly, IT management can benefit from automation. More often than not, the risk of inadequate policy execution is neglected or accepted without much analysis. This happens because the policies put in place are assessed manually. While there is automation for functions that are easy to automate, such as access management, there is very little automation for enforcing policy adherence as a whole. For example, I have come across various IT changes that were implemented in production without approval, and the IT policy allowed a post-dated approval to be accepted for such changes.

From a compliance point of view, internal assessment teams would consider this an acceptable practice. That assurance is weak: the code was already running in production without proper authorization, and it is not known whether any damage occurred in the interval before the approval was recorded. The problem stems from a basic flaw in the system—nothing barred the change from reaching the production environment without an approval. This happens because the system was not designed to meet the policy. One more layer of control can be added here: a gate that, before the change is deployed, checks for a valid approval signature that is bound to that specific change and artifact, confirms that the signer is an authorized approver, and rejects any approval dated after the deployment. Such a check provides a much better level of governance than a post-dated approval can, because the control is enforced by the system at the point where the change happens rather than reconstructed afterwards from paperwork. Mostly, IT systems are implemented with minimal customization, and the human factor is responsible for executing process controls. As the industry evolves, automated solutions for particular IT functions are appearing. While each of these solutions assesses its own function neatly, none of them addresses the gap between the policy on paper and the actual IT infrastructure.
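The two ideas above, an approval check enforced by the system before a change reaches production and an anomaly report generated from the same data for the auditor, can be illustrated in one small gate. The following is an added example and not the author's or ISACA's code. It assumes, purely for illustration, that the change-management system signs each approval record with an HMAC-SHA256 key that the deployment gate also holds, that authorized approvers are kept in an allow-list, and that the deployer attaches whatever approval they have to the change record. All change IDs, approvers, artifacts and timestamps below are constructed.

```python
"""Change-approval gate and audit anomaly report (added example, constructed data).

Assumptions not taken from the original article: approvals are JSON records signed
with HMAC-SHA256 by the change-management system; the gate holds the same key; the
approver allow-list is static. In production, prefer an asymmetric signature so the
gate only needs the public key and cannot mint approvals itself.
"""
import hashlib
import hmac
import json
from datetime import datetime
from typing import Optional

APPROVAL_KEY = b"constructed-demo-key-do-not-reuse"  # constructed for this example
AUTHORIZED_APPROVERS = {"cab.lead@example.com", "release.mgr@example.com"}


def _canonical(record: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_approval(record: dict, key: bytes = APPROVAL_KEY) -> dict:
    """Return a copy of the approval record with its HMAC signature attached."""
    signed = dict(record)
    signed["signature"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return signed


def check_change(change: dict, key: bytes = APPROVAL_KEY) -> list:
    """Return the policy violations for one production change (empty list == compliant).

    The approval is whatever the deployer presented, so the gate must confirm that it
    is genuine, that it names this change and this artifact, that the approver is
    authorized, and that it was issued before the deployment (no post-dating).
    """
    approval: Optional[dict] = change.get("approval")
    if approval is None:
        return ["no approval record"]
    findings = []

    # Recompute the signature over the record minus its signature field.
    body = {k: v for k, v in approval.items() if k != "signature"}
    expected = sign_approval(body, key)["signature"]
    if not hmac.compare_digest(expected, approval.get("signature", "")):
        findings.append("approval signature invalid")

    # Bind the approval to this change and to the exact artifact being deployed.
    if body.get("change_id") != change["change_id"]:
        findings.append("approval is for a different change")
    if body.get("artifact_sha256") != change["artifact_sha256"]:
        findings.append("approved artifact differs from deployed artifact")
    if body.get("approver") not in AUTHORIZED_APPROVERS:
        findings.append("approver not on the authorized list")

    # A post-dated approval is the case the article describes; reject it outright.
    try:
        approved_at = datetime.fromisoformat(body["approved_at"])
        deployed_at = datetime.fromisoformat(change["deployed_at"])
    except (KeyError, ValueError):
        findings.append("missing or malformed timestamp")
    else:
        if approved_at > deployed_at:
            findings.append("approval post-dates the deployment")
    return findings


def anomaly_report(changes: list) -> dict:
    """Map change_id -> findings for every change that violates the policy."""
    return {c["change_id"]: f for c in changes if (f := check_change(c))}


# ---- constructed sample data ------------------------------------------------
ART_A = hashlib.sha256(b"release-1.4.2.tar.gz").hexdigest()
ART_B = hashlib.sha256(b"hotfix-1.4.3.tar.gz").hexdigest()

APPROVAL_1001 = sign_approval({"change_id": "CHG-1001", "artifact_sha256": ART_A,
                               "approver": "cab.lead@example.com",
                               "approved_at": "2021-03-01T09:00:00+00:00"})
APPROVAL_1002 = sign_approval({"change_id": "CHG-1002", "artifact_sha256": ART_B,
                               "approver": "cab.lead@example.com",
                               "approved_at": "2021-03-03T17:30:00+00:00"})  # signed after deploy
APPROVAL_1005 = sign_approval({"change_id": "CHG-1005", "artifact_sha256": ART_A,
                               "approver": "cab.lead@example.com",
                               "approved_at": "2021-03-06T09:00:00+00:00"})
TAMPERED_1005 = dict(APPROVAL_1005, approver="dev.intern@example.com")  # edited after signing

CHANGES = [
    {"change_id": "CHG-1001", "artifact_sha256": ART_A, "deployed_at": "2021-03-01T10:00:00+00:00", "approval": APPROVAL_1001},
    {"change_id": "CHG-1002", "artifact_sha256": ART_B, "deployed_at": "2021-03-02T08:15:00+00:00", "approval": APPROVAL_1002},
    {"change_id": "CHG-1003", "artifact_sha256": ART_B, "deployed_at": "2021-03-04T22:05:00+00:00"},
    {"change_id": "CHG-1004", "artifact_sha256": ART_B, "deployed_at": "2021-03-05T11:00:00+00:00", "approval": APPROVAL_1001},
    {"change_id": "CHG-1005", "artifact_sha256": ART_A, "deployed_at": "2021-03-06T11:00:00+00:00", "approval": TAMPERED_1005},
]

if __name__ == "__main__":
    print(json.dumps(anomaly_report(CHANGES), indent=2))
```

Run as a gate, `check_change` returning a non-empty list blocks the deployment; run afterwards over the change log, `anomaly_report` gives the auditor the complete list of exceptions (here the post-dated CHG-1002, the unapproved CHG-1003, the approval reused from another change on CHG-1004, and the approval altered after signing on CHG-1005) instead of a hand-drawn sample. Binding the approval to the artifact digest is what stops an approval for one build being presented for a different one.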

Thus, we need to automate more in this aspect of IT management. We currently rely mostly on human judgement, which at times is erroneous. IT staff do not always know the whole system they are configuring, and so they configure it wrongly and miss important functionality. As a result, IT solutions do not operate at the expected level or, worse, fail altogether. Such mistakes can be avoided by solutions that learn how the system functions and recommend, on the basis of risk, how it should be configured to reduce the risk of inadequate operation. Also, as I mentioned earlier, with an additional layer of utilities, systems could be designed to enforce the policies exactly, with minimal reliance on the human factor for the proper execution of controls. The industry is making progress in this regard, but at a slow pace. To make IT more reliable and assessments more transparent, we need to reduce reliance on human judgement and put more emphasis on automation and on analytics drawn from the systems themselves.

Ketan Kulkarni, CISA
Independent consultant

[ISACA]
