The top ten IT issues
This article is reproduced with the permission of CAmagazine, published by the Canadian Institute of Chartered Accountants, Toronto.
By Gerald Trites
A lot has changed over the past year. When the CICA Information Technology Advisory Committee (ITAC) did its last survey of top IT issues, the economy was thriving, the stock market was high and boomers were busy planning their retirement. Now, one year later, the economy is suffering the greatest slump since the Great Depression, the stock market has lost a third of its value and some boomers have postponed their retirement — that is, if they haven’t been forced into it.
While the issues that topped last year’s list — a shortage of IT skills, privacy and outsourcing — are still of concern, privacy and outsourcing didn’t even make the top 10 this year. They were edged out by such items as the impact of the recession, new regulatory requirements and the role of Web 2.0 applications in organizational systems. This year the recession was the top item on the list.
1. Maintaining adequate controls during the recession
Maintaining an adequate and effective control framework in times of economic constraint is a challenge for companies when they are downsizing. They have fewer employees to execute controls properly and support an adequate segregation of duties.
As one respondent put it: “I believe that firms, in making their downsizing decisions, are not adequately considering the impact their staffing decisions are having on their corporate governance. Layoffs not only cause a segregation of duties issue but remaining employees sometimes do not understand the importance, or detail, of controls associated with the new business functions coming under their responsibility.”
Companies are also reducing spending and postponing investment in infrastructure, including IT projects. This adds the risk of a lack of funds for previously approved projects, projects in progress, or new projects identified as priorities for maintaining an adequate and effective control framework. The higher risk creates a new challenge — it becomes even more important for companies to perform appropriate risk assessments to determine how to allocate their limited funds to mitigate risks and achieve their business objectives.
2. Maintaining security over moving data
The number of small portable devices such as laptops, smart- phones and BlackBerrys continues to grow within organizations, making it difficult to maintain proper security over data on the move. In addition there are USB memory sticks or integrated wireless device media cards that are not encrypted or even password protected. Now, USB sticks can contain executable programs, becoming essentially a computer on a stick.
These devices lead to an easy movability of data that quickly passes through various control environments. Also, it raises the risks associated with the same data residing in several locations, perhaps even inappropriate ones. Some organizations, for example, hold private personal data, with multiple copies kept in various parts of the system, complicating compliance with privacy laws. The press is rife with reports of lost laptops and BlackBerrys containing private customer data.
Economic constraints mean that some companies do not have the internal resources to integrate their systems or properly protect the data. Secure storage techniques and encryption of data for mobile devices are often not being implemented, which adds risk in the organization. At a minimum, employees need to be educated on the need for passwords on portable devices.
Respondents reiterated their belief that there is a need for encryption to protect against the loss or theft of data, whether it is moving or not. However, there was some concern that existing encryption systems may not be trustworthy or stable enough to be relied on. There have been instances of companies encrypting their data and then not being able to decrypt it for later use.
ITAC has recently issued a white paper on Data Centric Security, which addresses the issues around forming a security policy that focuses on the data itself, whether at rest or in motion, and emphasizes the encryption of data.
Several respondents expressed concern about loss of unprotected data. One put it this way: “I believe the theft of data will have a major impact on whether the public will have the trust to do business with organizations. This will result in a greater number of requests for assurance reports for businesses doing business with other organizations and individuals questioning what data is collected by their retailers and how it is being stored and used.”
3. Lack of effective IT governance
IT governance was issue number four last year. The concerns stated this year include:
- lack of effective IT governance activities;
- poor alignment of IT with organizational strategy; and
- limited awareness of IT issues at the board level.
All these concerns indicate a need for an IT committee of the board of directors, which some companies have but most do not. Boards are aware of the importance of IT to business. They know an IT failure can seriously damage the business, its reputation and even earnings. But, according to respondents, they are not aware of the IT issues that need to be addressed, including those that bear on the organization’s ability to meet its overall governance responsibilities.
The profile of IT issues needs to be increased at the board level so organizations can focus on deriving value from IT, as opposed to simply controlling it as a support function. There needs to be greater awareness that IT drives value, that it is of strategic importance and that IT strategy needs to be lined up with organizational strategy.
There has been one exception to this lack of strategic alignment. “During these economic times it has certainly been a main priority for companies to improve on IT efficiencies and ensure that IT aligns with the overall cost reduction initiatives of the organization,” says one respondent.
4. Coping with information overload
The various means of communication — e-mail, BlackBerry, smartphones — were mentioned by several respondents as creating information overload. Numerous comments were made about this “condition of modern life,” which is “killing people’s personal lives.” The issue was characterized as “significant” and “important.”
The point was made that sorting and filtering all this information takes time and reduces employee productivity. In addition, much of the information coming through these channels is not needed to run the business.
Information overload results in distractions that prevent people from focusing on the tasks at hand. Time is wasted as people are forced to refocus their concentration after being distracted by another piece of information. In some cases, it results in people becoming selective about the sources they pay attention to, simply ignoring others.
Numerous respondents spoke strongly about the issue of information overload, complaining about constant e-mails, office communications, BlackBerry Messenger and social media such as Facebook and LinkedIn, even TV and newspapers, all overloading information paths.
One respondent, however, took issue with these concerns. In his words, information overload is “a bogus issue. Yes it is true, but since a strategy to systematically coordinate various platforms into one via the Internet-enabled wireless devices has generally not been taken, everyone will ‘cope’ with overload as opposed to better using social networking Internet protocols and tools within the corporate structure. (For example, why do we still use e-mail today?) Look at the Internet generation — it uses Facebook for every manner of data management and communication (supplemented of course by texting) and it is truly, amazingly efficient. And yet boomers still ‘cope’ with information overload because they are using five different tools/systems to communicate, rather than one — like a secure Facebook.”
The comment has a lot of merit. We do have too many channels of communication open all the time. We are constantly bombarded with information, much of which is irrelevant. We do need to find ways to integrate our communication flows. Looking for ideas to the generation that grew up with all this seems a logical approach to consider.
5. Impact of IFRS on information systems
In one sense it should be no surprise that international financial reporting standards (IFRS) convergence would make the top 10 this year. After all, the deadline is less than two years away. On the other hand, it may be a surprise to some, because IFRS convergence is often not thought of as an IT issue. However it is because IFRS requires companies to obtain and track information that has not been in their accounts before. This would include, for example, information on market values for property, plant and equipment; sufficient information to track asset revaluations under IFRS; information to track discount rates; information to support different methods of income recognition, etc. The IT implications include capturing and processing the additional information, changes in business processes to implement and execute the new information requirements and consequent changes in the control environment for the data and business processes. ITAC has provided some guidance on this crucial issue in the form of podcasts, which can be downloaded from its website at www.cica.ca/itac.
Some companies have already dealt with IFRS. Others are starting to think about it. Some will implement new systems that incorporate the new functionality. Others will, unfortunately, make use of spreadsheets, in effect keeping two sets of books, and because of the spreadsheets, one set will lack adequate controls and pose a higher risk of error.
Concern was expressed that IFRS is being severely under-estimated and treated as a simple accounting change by some. For most respondents, it is a high-priority matter. For one, however, the comment was, “Who cares? It affects mainly large public companies.”
True. And it’s something people often forget. Most companies in Canada are non-publicly accountable and will have the option of adopting a simpler form of GAAP as recently set forth by the Accounting Standards Board.
6. Green computing
“Green is hot!” says one respondent. Awareness of green computing issues is very high on the priority list for many respondents and their companies.
Green computing encompasses not only basic awareness of green IT, but more specifically energy consumption, disposal of equipment and printing policies. “Companies are keen to catch up with the green trend,” says one respondent, “especially as new recruits (and the next generations) have green thinking as a core value, and will consider that when evaluating a company.” That means companies must work green values into their daily activities, including IT purchases and disposals, printing policies and power usage.
A significant problem with green computing is that while many companies are aware of the issues, many do not know what to do about them. Practitioners who responded say many clients are asking for advice about addressing the issues.
Power management remains a perplexing issue. It would be good if all systems could be shut down when usage is at a minimum, such as overnight. But normally this is not feasible, because people use their systems remotely at all hours. Also, many corporations operate in several time zones and can’t find a common time to shut down systems. On the other hand, a detailed analysis of system usage could result in identification of specific subsystems that could be shut down at times. This is a process that many companies have not yet taken up.
The point was made that green computing will be more heavily regulated by governments in the future. Some provinces already have regulations on computer equipment disposal. But companies need to gain an understanding of these regulations and have them incorporated into their business processes. Change in this area is needed — real change. As one respondent put it, “This is an increasing risk area, however organizations are not changing their risk profiles and scenarios. Historical trends are not going to be good models for the future due to changes in climate and aging power systems.”
7. Security requirements of the Payment Card Industry (PCI)
A new issue arose this year when PCI mandated increased security requirements for merchants, card issuers and card acquirers requiring self-assessments for handling credit and deb-it cards. There are significant compliance costs involved with these rules and not all merchants have the budget to comply.
Moreover, the implications of the PCI requirements are not well understood by organizations. Their willingness to accept credit cards is driven by business needs and they normally do not perform a comprehensive risk and control analysis.
Several practitioners mentioned they have been working with clients on these matters, and that clients are having difficulty addressing the PCI requirements.
8. Malicious activity by laid-off employees
An issue as old as time but one bound to pop up in a recession is that of increased malicious activity by disgruntled or recently laid-off employees.
At least managements have experience in dealing with this issue. The long-established approach is to lay off employees at the end of the day, disconnect their system access privileges when they are in their exit interview and then escort them from the building. It is a somewhat humiliating approach for the employees, but one that many companies have discovered from experience to be necessary, especially in higher risk situations involving personnel with powerful system privileges and intricate system knowledge.
Practitioners who responded claim to have seen malicious activity “occur at many client sites.”
9. The role of Web 2.0 applications in organizational information systems
Web 2.0 focuses on the Internet as a means of human interaction. It includes social networking, wikis, blogs, etc. Social networking, in particular, has raised a set of perplexing issues. Some companies see the benefits of social networking for improving communications within the company, and essentially forming communities to deal with particular business areas, needs and projects. The issue is whether and how social networking fits into an organization’s information systems and culture.
The emerging need is clear. As one respondent put it, “Web 2.0 applications are common in the social/personal/cultural aspects of people’s lives. However, there seems to be a disconnect with the technology available in the work environment, as companies are slower to adopt these technologies. Companies slower to adopt new technology and integrate it into their culture may be at a disadvantage when recruiting employees or eliciting new ideas from current employees, and may also lose out on ways to effectively leverage or share ideas from employees.”
The view was put forward that social networking in companies has the potential to “utterly transform organizations today,” enabling collaboration, reducing or eliminating silos and streamlining communications. While revolutionary for many companies, some respondents feel that social networking is an approach that would be a natural for the Internet generation, perhaps an expectation.
Some respondents are concerned about content management in social networking systems. They feel content could be ad-hoc material representing the individual’s views and not those of the company. This may be a sign of what one respondent referred to as an intergenerational clash between boomers who are the experienced decision-makers and young people starting out who are finely attuned to the use of Internet-based communications, with some boomers hanging on to the old world of closed, corporate-controlled communications and the younger folk being used to wide-open tell-it-like-it-is interaction. This respondent feels the two generations have much to offer each other — experience from the older one and new and better means of communication and ways of working from the younger one. He hopes corporate directions can be worked out collaboratively so as to make best use of the contributions of both groups.
10. The shortage of IT skills
The recession has exacerbated the IT skills shortage that has been an issue for the past few years. Some boomers have re-tired (forced or voluntary) or have been laid off, and some respondents mention watching important IT skills go out the door with them. Although the generation coming in has significant Internet skills, it generally does not have an appreciation of IT issues in an organizational and managerial context. As a result, companies are losing IT skills and having difficulty replacing them. Respondents also mentioned that many organizations are laying off the most expensive staff, the employees with the highest skill level.
The importance of this issue will grow over the next decade as more retirements take place. Even an economic rebound will not necessarily be the salvation, because then there is a risk that companies will lose their most talented professionals on the upswing of the economy.
The training of our new CAs is not helping with this issue. As one respondent put it, “IT is not the forte of new CAs.” And another said, “Many CAs don’t know that much about technology, increasing the risk of misunderstanding technological risks.” And another respondent put it more bluntly: “We only use experienced CAs.”
This seems to indicate that our educational policies with regard to technology are cutting our new CAs out of an important part of their potential market.