Assessing IT RiskBy
Most companies use technology to collect, process, store, access, and communicate information that aids strategic decision making. Keeping that information secure is critical, as demonstrated by the widespread reporting of cybersecurity incidents at Uber, Equifax, Target, the Democratic National Convention, JPMorgan Chase, and many other large companies. Yet cybersecurity is only one of several components of information technology (IT) risks. Other significant IT risks can stem from missing opportunities to use technology for competitive advantage, technical inadequacies, lack of internal controls, and employee negligence.
IT risks can come from various internal and external sources in different functional areas. Only a small proportion of total IT risks are due to technical failures. Most information system vulnerabilities come from ignorance of or negligence in very controllable activities carried out throughout the company, such as the failure to prevent unauthorized access to areas that should be secure or an employee connecting a personal smartphone to the company’s Wi-Fi network. An internal control failure like the fraudulent accounts created by employees at Wells Fargo is an example of IT use increasing both business and IT risks, while Delta Airlines canceling more than 1,800 flights because a fire in Atlanta caused a system failure is an example of how failures in other functional areas can increase IT risks.
With the proper focus, company management can proactively measure IT risk and take steps to lower it while realizing the numerous benefits IT provides.
Two predominant frameworks for assessing risk that many companies currently use are the Internal Control—Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Control Objectives for Information and related Technologies (COBIT) framework, developed by ISACA (see “Risk Frameworks” below). While both frameworks support our suggestion that companies should proactively assess their IT risk, they fail to provide a practical approach.
We propose that management accountants have the necessary skills to implement and monitor existing or newly developed IT risk measures throughout the company and thus play a major role in aiding IT risk management. This approach takes advantage of management accountants’ expertise using performance measures while bypassing any need for specific knowledge in the variety of IT platforms that companies might use. Consistent with the COSO Framework’s suggestion that entity risk management of company operations can be achieved by managing risks in subdivided areas of the value chain, we provide a basic list of IT risk measures associated with primary and support activities of the value chain.
Primary value-chain activities include inbound logistics, operations, outbound logistics, marketing and sales, and services. Table 1 contains the objective of performance measures for these areas and suggested metrics that management accountants can implement to help assess IT risk in these areas.
Inbound logistics include all the activities related to receiving, storing, and distributing inputs for operations. A key success factor in this activity is the company’s relationship with its suppliers. The use of IT in areas such as vendor-managed inventory systems and/or electronic data interchange (EDI) to communicate with suppliers necessitates the assessment of IT risks in inbound logistics. Management may want to monitor IT effectiveness in managing supplier relationships and understanding the risks associated with the presence or absence of IT use for inbound logistics.
Operations includes the activities that transform inputs into outputs. IT is a significant enabler of standardizing and automating processes, resulting in cost reductions and efficiency gains. Management can benefit from measuring how IT spending helps achieve enterprise and operational goals. Further, management seeking Sarbanes-Oxley compliance may assess whether there are any material internal control weaknesses and the impact of control weaknesses on management decisions. Therefore, management accountants should understand the importance of internal controls and provide performance measures to monitor access to and use of applications related to production planning, budgeting, and forecasting.
Outbound logistics include activities such as processing orders and storing, transporting, and distributing products or services to the customer. In outbound logistics, management generally is focused on reducing the costs of storage and transportation. Two major general risks associated with outbound logistics are poor performance and unauthorized disclosure of sensitive data. In order to address these two risks, management accountants should have a thorough understanding of what, when, where, and how data is captured and stored. This will provide the appropriate knowledge for querying the database to get the necessary information for decision-making needs and to secure sensitive data.
Marketing and sales are associated with the processes for persuading customers to purchase the products or services for sale and to collect cash from the customer. Companies face the challenge of using emerging technologies such as social media, Big Data, mobile marketing, and others to attract potential and existing customers. Consequently, management would like to minimize the impact on and the likelihood of potential threats to the company’s information system while using emerging technologies to attract new and existing customers. Management accountants can implement the suggested performance measures to inform management about the state of IT in marketing and sales.
Services are activities related to maintaining the value of the products and services to customers after the sale. Services involve activities such as providing customer support, warranty service, responding to customer inquiries, and training. The objective of these activities is to enhance the customer experience, thus increasing future sales, customer satisfaction, and referrals. The ability to offer excellent customer support depends on the quality of services offered to the customers. Many companies are introducing online account management, chat services, and mobile apps with access to customer accounts to enhance customer satisfaction. Even though these services may positively affect customer experience, customers connecting through unknown networks, installing unknown other mobile applications, and setting a low security level on devices create vulnerabilities to the company’s network, operating systems, and databases.
Support activities of the value chain include company infrastructure, technology, procurement, and human resources. Table 2 includes the objective of performance measures and suggested metrics for these areas.
Company infrastructure includes all support functions, such as accounting, legal (e.g., compliance), administration, and general management. These same functions are identified as the IT enabler “organizational structure” in COBIT, and they represent the key decision-making entities of a company. Companies can gain a competitive advantage when managers within these support functions actively consider how IT can add value to the company. But the extent to which support-function managers individually consider IT adoption and IT risk—and communicate with other managers—can impact the company’s IT risk when managers can’t consider all risk factors effectively. Strong communication channels among support-function areas and a commitment to provide strong oversight by company management or the board of directors should increase the risk awareness of key decision makers, result in more effective IT policies and procedures, and ultimately reduce IT risk. In the event of a problem, strong communication should also improve the company’s ability to recover quickly and modify policies to avoid future problems.
Technology development relates to managing IT investments and increasing efficiency by using technology effectively. Management may inquire about the status of current projects to identify whether the company is aligning IT with its business strategy. One important factor that affects the success of a project is the ability of IT managers to effectively communicate IT objectives to business unit managers in order to meet business requirements. The suggested performance measures can be used to find the current status of IT projects, identify projects in distress, and see whether the company is achieving business and IT alignment.
Procurement comprises the processes companies use to obtain the resources needed to operate. Monitoring third-party IT supplier performance is a major activity involved in procurement. Because of increased dependence on third parties, companies can’t ignore supplier-related risk to their primary activities. Therefore, senior management would be interested in understanding major IT supplier-related risks and the impact of those risks on enterprise goals.
Human resources activities involve recruiting, training, motivating, rewarding, and retaining employees. Management will be concerned about the adequacy of IT expertise in the company, awareness of IT risks among employees, and the necessity of training on IT risk issues. Increased dependence on technology and the rising threats to information systems impose a heavy burden as companies protect their information assets. The complexity and the constant changes in technology not only require specific technical knowledge, but also the ability to keep up with these changes. Even after implementing the latest security technology, the human component makes information systems vulnerable to security breaches through phishing attacks, spam emails, spoofing, viruses, and more. Employees should be educated about computer abuse techniques so they can be aware of how their behavior can lead to successful security breach attempts.
A COMPANY-WIDE CONCERN
With the increased dependence on IT and the related impact on daily operations, the responsibility of IT risk management has become an issue for the whole company rather than the sole responsibility of those in IT. Management accountants should use their expertise in designing, implementing, and monitoring performance measures to monitor and report on IT risks. The suggested measures we provide should be familiar to management accountants and can be readily used to evaluate and monitor IT risks throughout a company.
We want to emphasize that this isn’t an exhaustive list. As COBIT suggests, we took a holistic view by identifying IT risk concerns in the value-chain activities and suggesting some performance measures, but the measures may vary based on a company’s level of IT use and management’s risk tolerance and risk appetite. Given that a management accountant may not be initially comfortable with measuring IT risk, the list is intended to be a starting point for thinking about how familiar performance measures can be extended and modified to capture information on various aspects of technology performance, thereby promptly identifying and addressing IT risk areas.