What’s all the fuss about IT controls?
The ever-increasing complexity and importance of technology has increased financial institutions’ focus on IT controls – the keys to managing technology risk effectively. Only with a well-designed IT control framework can firms reliably offer secure services to customers. That’s why regulators have been issuing more guidance and making more interventions in recent years.
For leaders, this raises questions around how to embed an effective IT control framework that protects operations while meeting regulatory expectations.
Why do I need to embed an effective IT control framework?
The IT control framework is the foundation for effective and efficient operations, and for complying with a wide range of regulations. And, with the growing trend towards automation in financial services, the IT control framework helps teams actively consider the impact of changes to ensure controls continue to address risks.
What should I consider in an IT control framework?
The diagram below summarises some of the key components to include in an IT control framework. The degree of attention required in each area will vary depending on your starting position and the overall risk profile of current and future activities. But there needs to be a direct link between the components as siloed activities rarely result in a holistic IT control framework.
Firms often focus directly on compliance without thinking about building the key components of an IT control framework. The absence of clear links between policies, standards, controls and risk frameworks, and of clear accountability and ownership, can lead to inefficiencies that strain the whole organisation.
Without agreed key controls, there’s a risk of the business investing time and effort monitoring controls that don’t address the most important risks. Without clear roles and responsibilities, monitoring and reporting compliance can fall through the cracks and there will be little direction in driving control improvements. And without policies to help people understand what controls apply to them and their teams, they won’t be able to consistently apply controls across the firm.
How do I embed the IT control framework, rather than just document it?
Guidance and supporting documents are key to promoting consistent frameworks and processes. But giving teams all the relevant documentation won’t embed the IT control framework into the DNA of your organisation. Cultural change is key.
We’ve seen several organisations fail to fully embed robust frameworks because they’ve focused on the paperwork. Embedding change will require working through real life examples and developing the skills to support teams on the journey. Organisations that successfully make the cultural change share four characteristics:
1. They take teams on the journey
Teams are more likely to buy into the IT control framework when they’ve had a role in shaping it. Making them part of the change by actively engaging and listening to their views can help embed it. And building elements of control ownership into role definitions and objectives will reinforce the message that the IT control framework is more than just admin.
2. They make tooling an enabler rather than a blocker
Most firms will employ some sort of tooling to support the IT control framework. This can range from intranet sites loaded with guidance through to dedicated control toolsets. Regardless of the sophistication of the tooling, making sure it gives effective support to users is key to ensuring teams actively use it.
Poor configuration and slow or clumsy tooling will prevent people from using it. And that can lead to teams finding workarounds that are inefficient and undermine the IT controls.
3. They make the framework user focused
Embedding key controls into business-as-usual activities ensures people see compliance as an essential activity, not just a headache that comes around whenever there’s an audit. The tooling and processes need to be easy to navigate and actively promoted across all end users. The value and importance of using the framework needs to be clear across the organisation.
4. They build the right governance system
We see few firms give governance the focus it needs. Without well-defined governance and senior management support, frameworks don’t offer leaders the insight they need.
Ineffective governance has a direct impact on the resilience of IT control frameworks, can prevent people from raising issues quickly and allows people to make changes without the appropriate scrutiny and review.
Governance is one of the key mechanisms promoting the culture change across all levels.
How can I build effective IT control governance?
The key to effective governance is to take a wide view of forums to ensure they support the end-to-end IT control framework. To achieve this, focus on four elements:
1. Roles and responsibilities
Are the roles and responsibilities for key forums clear and do they reflect the skills of the attendees? We often see people attending many different forums, or the number of people attending a forum ballooning until it becomes unmanageable. Forums should have the right people to make decisions and bring a wider portfolio view.
Are the escalation framework, terms of reference and action-taking processes clear? Terms of reference should outline the relationship between governance forums. Forums should also have consistent approaches to minuting, acting, escalation and delegation.
How do we continue to confirm that forums are effective? It’s common to find forums full of people with similar backgrounds and insufficient breadth of expertise, leaving them without the skills to deal with emerging issues. Effective forums periodically produce a skills matrix to identify any potential deficiencies.
Does the reporting support the forum’s objectives? We often see lengthy reports with inconsistencies in management information (MI) between forums and unclear decisions.
How can I implement the tools to minimise the effort of consistently applying effective IT controls?
There are several vendors that provide active policy management, compliance dashboard reporting and control automation.
Control automation in IT change, IT security and user administration has become a key tool for firms as it takes the pressure off teams. It’s also become easier to implement as there is now a wealth of APIs and more tooling interoperability, which lets data move between systems to support real-time MI for governance and decision making.
This growing use of advanced tools, however, can lead to firms having several repositories, such as SharePoint, which support various components of the IT control framework. Streamlining the tooling environment can help consolidate, standardise and embed risk culture across the business and support a single source of the truth for IT controls.
When considering what tooling will work best for your firm, consider:
- Single source of the truth – Standardised controls operated across the group consistently
- Control classification – Standardised mapping between controls and business areas without duplication
- Automated control effectiveness testing – A common automated approach to controls testing allows a real-time view of compliance
- Workflow and ownership – Control owners and designated teams can receive automated notifications and reminders
- Active ownership – Promote active ownership of controls and accountability
- Enhanced reporting – Support real time reporting for all key users by removing the need for local spreadsheets and enabling prioritisation
- Total visibility – Make all controls, and their associated performance and effectiveness, available to all stakeholders
The importance of IT controls to key stakeholders — investors, regulators, audit committees and management — continues to increase. Embedding an effective IT control environment has many challenges but is critical to ensuring your IT control framework continues to drive compliance, decision making and efficient operations.