IT Controls for SMEs
No business is so small that it is immune to the risks arising from IT.
Would you imagine buying or using a car that is not equipped with brakes? Of course not. A car without brakes can still be driven, but the brakes help to ensure that we arrive safely at our destination. By analogy, Information Technology (IT) controls are the brakes within an organisation that help to ensure that business objectives are met. Like brakes, IT controls may slow down the execution of activities in the short term; in the long term, effective IT controls allow organisations to reach their destination faster. The difference is that everybody expects a car to have adequate brakes, whereas adequate IT controls in organisations are not always as obvious. Many organisations, especially small ones, choose to operate in their markets without basic IT controls.
In reality, no business is so small that it is immune to the risks arising from IT, and IT controls that prevent or detect those risks are of critical importance. The significance of IT controls is accentuated at a time when, due to the COVID-19 pandemic, a significant proportion of the workforce is accessing company assets from home or away from the typical office environment. Since the outbreak of the pandemic, organisations have reported an increase in the number of information security incidents, ranging from unauthorised access to loss of valuable information.
An effective IT control framework aims to provide management with a reasonable degree of assurance that the IT used by an organisation operates as intended and that undesired events are prevented, detected and corrected. For an IT controls programme to be considered comprehensive and complete, it must adequately address the confidentiality, integrity and availability (CIA) of information. Organisations that integrate General IT Controls (GITCs) into their operations are better positioned to monitor and ensure the confidentiality, integrity and availability of their data. Broadly speaking, GITCs are the policies and procedures that support the effective functioning and availability of applications, the integrity of the reports generated by these applications and the confidentiality of the data stored within them. GITCs are typically organised into the following domains:
Access management – GITCs related to access security include logical access controls to prevent or detect unauthorised use of, and changes to, data, systems or programs.
• IT systems are becoming more integrated with business processes, and there is a risk that users hold access privileges beyond those necessary to perform their assigned duties, which may result in inadequate segregation of duties. An IT control to mitigate this risk is to limit and restrict the use of privileged access (the so-called “super user” or “administrator” accounts). In particular, users involved in day-to-day business functions should not be granted privileged access. In an SME, maintaining adequate segregation of duties can be challenging because of limited resources and the small size of the company. Consequently, where business users must be granted privileged access, it is important to ascertain that all their activities, especially those that could affect the company’s operations (including, but not limited to, financial data), are logged, and that the logs are monitored and reviewed periodically by someone other than the privileged users themselves.
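The compensating control described above (limited privileged access, with logging and periodic review where a business user must also be an administrator) can be turned into a simple review script. The following is an added example, not part of the original article or any Deloitte methodology; the role names, users, log format and log lines are constructed sample data, and the set of "sensitive" actions is an assumption that would be tailored to the SME's own application.

```python
"""Added example (not from the article): a periodic review of privileged activity
in an SME where some business users also hold administrator rights.

All roles, users and log lines below are constructed sample data."""

from dataclasses import dataclass
import re

# Constructed role catalogue. Holding a role from both sets is a
# segregation-of-duties (SoD) conflict.
BUSINESS_ROLES = {"ap_clerk", "payroll", "sales"}
PRIVILEGED_ROLES = {"administrator", "dba"}

# Constructed user-to-role assignments as an SME might have them.
USER_ROLES = {
    "alice": {"ap_clerk", "administrator"},   # conflict: business + privileged
    "bob": {"payroll"},                       # business only
    "carol": {"administrator"},               # dedicated admin, no business role
    "dave": {"sales", "dba"},                 # conflict
}

# Constructed application log in an assumed "timestamp user action target" format.
SAMPLE_LOG = """\
2023-04-03T08:01:12 alice LOGIN -
2023-04-03T08:05:40 alice UPDATE_VENDOR_BANK vendor=1042
2023-04-03T09:12:03 bob RUN_PAYROLL period=2023-03
2023-04-03T10:30:55 carol CREATE_USER user=erin
2023-04-03T11:02:17 dave MODIFY_JOURNAL_ENTRY je=88213
2023-04-03T11:45:00 alice GRANT_ROLE user=alice role=payroll
2023-04-03T12:00:09 alice LOGOUT -
"""

# Assumed list of actions that can affect operations or financial data and so
# deserve review when performed by a user with an SoD conflict.
SENSITIVE_ACTIONS = {"UPDATE_VENDOR_BANK", "MODIFY_JOURNAL_ENTRY",
                     "GRANT_ROLE", "CREATE_USER", "RUN_PAYROLL"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<target>.*)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    action: str
    target: str
    reason: str


def sod_conflicts(user_roles):
    """Return the users who hold both a business role and a privileged role."""
    return {user for user, roles in user_roles.items()
            if roles & BUSINESS_ROLES and roles & PRIVILEGED_ROLES}


def review_log(log_text, user_roles):
    """Flag sensitive actions by conflicted users and any self-granted role.

    A self-grant is flagged for every user: a dedicated administrator giving
    themselves a business role creates a new SoD conflict on the spot."""
    conflicted = sod_conflicts(user_roles)
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than silently miscounting
        ts, user, action, target = match.group("ts", "user", "action", "target")
        if action == "GRANT_ROLE" and f"user={user}" in target.split():
            findings.append(Finding(ts, user, action, target, "self-granted role"))
        elif user in conflicted and action in SENSITIVE_ACTIONS:
            findings.append(Finding(ts, user, action, target,
                                    "sensitive action by user with SoD conflict"))
    return findings


if __name__ == "__main__":
    print("Users with SoD conflicts:", sorted(sod_conflicts(USER_ROLES)))
    for f in review_log(SAMPLE_LOG, USER_ROLES):
        print(f"{f.timestamp} {f.user:6} {f.action:22} {f.target:28} {f.reason}")
```

Run against the sample data, the script reports alice and dave as conflicted and flags three events: alice changing vendor bank details, dave editing a journal entry, and alice granting herself the payroll role. Bob's payroll run and Carol's user creation are not flagged because neither holds conflicting roles. For the review to be worth anything the log must be written to a store the reviewed administrators cannot edit, and the review itself should be evidenced (who reviewed, when, and what was followed up).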
Change control management – GITCs that provide assurance that changes to the network, application systems and database management systems are implemented in a controlled manner.
• Although SMEs are typically not involved in the design and development of the information systems that support their operations, basic change management controls that support the continued operation of those systems are still relevant. Consider a scenario in which an SME decides to replace its accounting software and commissions a third party to install and configure the new package. Is management involved in approving the results of the migrated data (e.g., balancing and reconciliation activities)? What tests need to be performed on the new environment to ensure that automated reports return the expected information?
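The "balancing and reconciliation" step in the migration scenario above is the kind of check management should see evidence of before signing off. The following is an added example, not part of the original article: it compares account balances exported from the legacy and the new accounting system, reports every difference, and computes the control totals for both. The CSV exports, account codes and the deliberately introduced transposition error (3400.50 keyed as 3400.05) are constructed sample data.

```python
"""Added example (not from the article): reconciling account balances after an
accounting-software migration. All data below is constructed."""

import csv
import io
from decimal import Decimal

# Constructed trial-balance exports: account code and closing balance
# (debits positive, credits negative). A balanced ledger sums to zero.
LEGACY_CSV = """account,balance
1000,12500.00
1200,3400.50
2000,-9800.25
3000,-6100.25
"""

NEW_CSV = """account,balance
1000,12500.00
1200,3400.05
2000,-9800.25
3000,-6100.25
4100,0.00
"""


def load_balances(csv_text):
    """Parse an export into {account: Decimal}. Decimal avoids float rounding
    noise that would otherwise show up as spurious differences."""
    balances = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = row["account"].strip()
        if account in balances:
            raise ValueError(f"duplicate account {account} in export")
        balances[account] = Decimal(row["balance"].strip())
    return balances


def reconcile(legacy, new):
    """Return (differences, totals).

    differences maps account -> (reason, amount): accounts present on only one
    side, and accounts whose balance changed (amount is new minus legacy).
    totals holds the control total of each export; both should be zero for a
    balanced ledger, and they must agree with each other."""
    differences = {}
    for account in sorted(set(legacy) | set(new)):
        old, cur = legacy.get(account), new.get(account)
        if old is None:
            differences[account] = ("only in new system", cur)
        elif cur is None:
            differences[account] = ("missing from new system", old)
        elif old != cur:
            differences[account] = ("balance differs", cur - old)
    totals = {
        "legacy": sum(legacy.values(), Decimal("0")),
        "new": sum(new.values(), Decimal("0")),
    }
    return differences, totals


def migration_reconciles(legacy, new):
    """True only when no account differs and both control totals are zero."""
    differences, totals = reconcile(legacy, new)
    return not differences and totals["legacy"] == 0 and totals["new"] == 0


if __name__ == "__main__":
    legacy, new = load_balances(LEGACY_CSV), load_balances(NEW_CSV)
    differences, totals = reconcile(legacy, new)
    for account, (reason, amount) in differences.items():
        print(f"{account}: {reason} ({amount})")
    print("control totals:", totals)
    print("reconciled:", migration_reconciles(legacy, new))
```

On the sample data the script reports account 1200 as differing by -0.45 and account 4100 as present only in the new system (a zero-balance account the implementer created); the legacy export totals 0.00 while the new one totals -0.45, so the migration does not reconcile and should not be approved until the 1200 balance is corrected and the new account is explained. Running the same script again after the fix, and filing its output with the approval, is the evidence the change control requires.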
Data centre and network operations – GITCs to safeguard the confidentiality, integrity and availability of information as it is processed, stored or communicated by the relevant components of the IT infrastructure.
• Increasingly, SMEs make use of software provided by external service providers (Software as a Service, SaaS). In these scenarios, the controls typically associated with the IT infrastructure are the responsibility of the service provider. Nevertheless, it is in the interest of SME management to ascertain that the service provider can demonstrate adequate controls to protect the data belonging to the SME. Going back to the example of the new accounting software: if this application is deployed in the cloud, how does SME management ensure that its financial data is secure? This kind of assurance is typically obtained through service organisation control (SOC) reports, which have become the most widely used method of building trust and confidence in the service delivery processes and the controls employed by the SaaS provider.

For each control domain indicated above there are many examples of IT controls; each control can be manual, automated or a hybrid of the two. Manual controls are performed by people, for instance an access approval process with handwritten signatures. Automated controls are built into a system to prevent, detect and report exceptions identified during the processing of data. A simple example of an automated control is an access approval workflow in which approval is granted through a dedicated screen in the system, so that the approval is recorded and enforced by the application rather than on paper.
Now that we understand more about general IT controls, part two of this article, to be published next week, will discuss a number of considerations to be taken into account when implementing an IT control framework within an SME environment.
Sandro Psaila is a Senior Manager within Deloitte’s Audit & Assurance business. For more information, please visit www.deloitte.com/mt/audit