IT Controls for SMEs
No business is too small to be immune to the risks arising from IT.
Part one of this article looked at examples of the general IT controls (GITCs) related to access management, change control management, and data centre and network operations that are typically employed within an SME environment. We also discussed that organisations that integrate GITCs into their operations are better positioned to monitor and ensure the confidentiality, integrity and availability of their data. Nonetheless, the benefits and value that an organisation derives from GITCs are largely dependent on whether these controls are implemented and operating effectively.
Deficiencies in IT controls, such as controls that are not designed appropriately, give management a false sense of security, and if left unattended, the likelihood that the related risks materialise is higher. A history of IT control deficiencies, or IT controls that are not being monitored, may also put the organisation at risk. Consequently, periodic independent assessments of the effectiveness of IT controls are of fundamental importance. Advances in technology are bringing new risks and opportunities, and good practice is now shifting towards automated preventive controls and away from manual detective controls. Data analytics drawn from automated controls provide more frequent insight into whether a control is working than a traditional periodic review does [1].
Another important consideration related to IT controls is documentation. As the adage goes, if a control is not documented, it is not done! Besides providing the evidence that a control has been implemented, IT control documentation records the consistency, transparency and rigorous thinking behind how the control addresses the risk. Knowing that those responsible for a control are doing a really good job, and being able to demonstrate it, is more valuable than believing that nothing has gone wrong so far [1].
Increasingly, companies are expected to address and manage IT controls to meet evolving regulatory and customer expectations. However, generally speaking, many SMEs face considerable resource limitations and genuinely ask what the minimum set of controls is that will satisfy these expectations. If “minimum controls” means “de-prioritised”, “ad hoc” or “not evidenced”, then that is not good enough. If “minimum” means “enough to prevent or detect errors”, then that would be adequate. Minimum is a subjective term; the answer lies in defining and communicating what is right for the particular business’s needs [1].
ISACA (Information Systems Audit and Control Association), one of the leading organisations that sets standards for auditing and grants certification to auditors, conducted a study in 2006 to identify the top IT controls that SMEs should have in place to secure their information assets [2]. The ISACA study involved a panel of experts who were given a list of 30 control objectives derived from COBIT (Control Objectives for Information Technologies). These experts were asked to prioritise and reduce the list to the must-have controls, using the Delphi method to achieve consensus [3]. The ‘recommended’ COBIT controls, as identified in this study, are displayed in the infographic, along with the respective tactical solutions that satisfy these controls.
Although these essential IT controls were devised some time ago, their objectives are still topical and valid in today’s context. On the other hand, these essential IT controls cannot be considered comprehensive, and a thoughtful IT risk assessment remains of utmost importance. SMEs typically will not have performed a thorough risk assessment, or where one has been performed, it is often too high level and frequently forms only a part of a wider business risk assessment. There truly is no ‘one size fits all’ approach: although it is widely accepted that a number of good practices can be applied across many organisations, different organisations require different IT control programmes. An organisation operating a small supermarket is more likely to have a regime of general IT controls focused on access control management that safeguards against internal misuse (accidental or deliberate) of the point-of-sale system. In contrast, an organisation with a small office set up to support the manufacturing of aluminium apertures is more likely to have general IT controls that focus on the acceptable use of computer resources such as the internet.
The risks arising from IT are real, and a growing body of evidence suggests that no business is too small to be immune to them. Valuable company information lost to a virus downloaded through an email, fines imposed for inadequate management of General Data Protection Regulation (GDPR) requirements, website defacements and internal fraud are just some of the consequences of an ineffective or absent IT control framework. The management of organisations, whether big, medium or small, needs to understand the critical role that IT controls play in creating stability and laying the foundation for their companies and customers. A business underpinned by an effective IT control environment is more likely to respond effectively to threats, remain flexible, and ensure that the confidentiality, integrity and availability of its information is preserved at all times.
Sandro Psaila is a Senior Manager within Deloitte’s Audit & Assurance Business. For more information, please visit www.deloitte.com/mt/audit