IT Controls for SMEs

Would you imagine buying or using a car that is not equipped with brakes? Of course the answer is no. Although without brakes a car can still be driven, the brakes help to ensure that we arrive safely to our final destination. In analogy, Information Technology (IT) controls are the brakes within an organisation that help in ensuring that business objectives are met. Similar to brakes, in the short term, IT controls may slow down the execution of activities; but in the long term, effective IT controls allow organisations to reach their final destination faster. In contrast, whereas in cars everybody expects to find adequate brakes; having adequate IT controls in organisations is not always as obvious. Multiple organisations, especially those that are considered as small, choose to roam in their respective markets without basic IT controls.

In reality, no business is too small to be immune to the risks arising from IT, and IT controls that prevent or detect the related risks are of critical importance. The significance of IT controls is accentuated in the current times where due to the COVID-19 pandemic, a significant proportion of the workforce is accessing company assets from home or away from the typical office environment. Since the outbreak of the pandemic, different organisations reported an increase in the number of information security incidents; ranging from unauthorised access to loss of valuable information.

An effective IT control framework aims to provide management a reasonable degree of assurance that the IT used by an organisation operates as intended and undesired events are prevented, detected and corrected. For an IT controls program to be considered as comprehensive and complete, it must adequately address the confidentiality, integrity, and availability (CIA) aspects. Organisations that integrate General IT Controls (GITCs) within their operations are better positioned to monitor and ensure confidentiality, integrity and availability of their data. Broadly speaking, GITCs are the policies and procedures that support the effective functioning and availability of applications, the integrity of reports generated from these applications and the confidentiality of data that is stored within the applications. GITCs are typically organised into the following domains:

1. Access management – GITCs related to access security include logical access controls to prevent or detect unauthorised use of and changes to, data, systems, or programs.

IT systems are becoming more integrated with business processes and there is a risk that users have access privileges beyond those necessary to perform their assigned duties, which may create inadequate segregation of duties. An IT control to mitigate this risk is that the use of privileged access (the so-called “super user” or “administrator”) is to be limited and restricted. In particular, users that are involved in the day-to-day business functions should not be granted privileged access. In an SME environment, maintaining adequate segregation of duties could be challenging due to the limited resources and small size of the company. Consequently, in the event that business users are required to be granted privileged access, it is important to ascertain that all the user activities, especially those that could have an impact on the company’s operations (including but not limited to financial data) are logged and such logs are monitored and reviewed periodically.

2. Change control management – GITCs to provide assurance that changes to the network, application systems and database management systems are implemented in a controlled manner.

Although SMEs are typically not involved in the design and development of the information systems that are used to support their operations; basic change management controls to support the continued operation of the programs are still relevant decisions. Let’s consider a scenario whereby an SME decides to replace their accounting software and commissions a third party to install and configure the new accounting software. Is management involved in approving the results of the migrated data (e.g., balancing and reconciliation activities)? What tests need to be performed on the new environment to ensure that certain automated reports are returning the expected information?

3. Data centre and network operations – GITCs to safeguard the confidentiality, integrity and availability of information as it is processed, stored, or communicated by the relevant aspects of the IT infrastructure.

Increasingly many SMEs are making use of software that is provided by external service providers (also known as Software as a Service - SAAS). In these scenarios, controls that are typically associated with the IT infrastructure would be under the responsibility of the service provider. Notwithstanding, it is in the interest of the SME management to ascertain that the service provider is able to demonstrate that they have adequate controls to protect the data belonging to the SME. Going back to the example of the new accounting software, if this application is deployed on the cloud, how is the SME management ensuring that their financial data is secure? This kind of assurance is typically obtained through service organisation control (SOC) reports. These reports have become prevalent as the most effective method that is used to enhance trust and confidence in the service delivery processes and the controls that are employed by the SAAS provider.

For each control domain indicated above, there are multiple examples of IT controls; these controls can either be manual, automated or a hybrid. Manual controls are controls that are manually performed by individuals, for instance an access approval processes with manual signatures. Automated controls are control that are inbuilt into a system to prevent, detect and report on exceptions identified during processing of data. A simple example of an automated control is an access approval process which approval that is granted through a specifically designed user screen. Deficiencies around IT controls, such as IT controls that are not designed appropriately, provide management with a false sense of security and if left unattended, the likelihood that related risks materialise is higher. A history of IT control deficiencies or IT controls that are not being monitored may also put the organisation at risk. Consequently, periodic independent assessments to review the effectiveness of IT controls is of fundamental importance. Advances in technology is bringing in new risks and opportunities, and nowadays, a good practice is shifting towards automated preventive controls and away from manual detective controls. Control data analytics through automated controls provide more frequent insights than a traditional review [1].

Another important consideration related with IT controls is documentation. As the adage goes, if a control is not documented, it is not done! IT control documentation, besides providing the necessary control implementation evidence, provides the necessary information about consistency, transparency and the rigorous thinking in terms of how the control addresses the risk. Knowing that those responsible for a control are doing a really good job and being able to demonstrate that, is more valuable than believing that nothing has gone wrong so far [1].

Increasingly, companies are expected to address and manage IT controls to meet evolving regulatory and customer expectations. However, generally speaking, many SMEs face considerable resource limitations and genuinely ask what will be the minimum set of controls that will satisfy these expectations. If “minimum controls” means “de-prioritised”, “ad hoc” or “not evidenced” then that’s not good enough. If “minimum” means “enough to prevent or detect errors” then that would be adequate. Minimum is a subjective term, the answer lies in defining and communicating what is right for the particular business needs [1].

ISACA (Information Systems Audit and Control Association), one of the leading organisations that sets standards for auditing and grants certification to auditors, conducted a study in 2006 to ordain the top IT controls which SMEs should have for security of information assets [2]. The ISACA study involved a panel of experts who were given a list of 30 control objectives derived from COBIT (Control Objectives for Information Technologies). These experts were asked to prioritise and reduce the list to the must have controls, using the Delphi method to achieve consensus [3]. The ‘recommended’ COBIT controls, as identified in this study, follow in the diagram below, along with a list of tactical solutions that satisfy those controls.

Essential IT controls by ISACA delphi group

Although these essential IT controls were devised some time ago, the respective objectives are still topical and valid within today’s context. On the other hand, it is understood that these essential IT controls cannot be considered as comprehensive and a thoughtful IT risk assessment is of utmost importance. SMEs typically would have not performed a thorough risk assessment, or when this is performed, it is often too high level, and is frequently a part of a wider business risk assessment. There truly is no ‘one size fits all’ approach and although it is widely accepted that there are a number of good practices that can be applied across many organisations, distinct organisations require to have different IT control programs. An organisation operating a small supermarket is more likely to have a regime of general IT controls focused on access control management that safeguard against instances of internal misuse (accidental or deliberate) of the point of sale system. In contrast, an organisation with a small office set-up to support the manufacturing of aluminium apertures is more likely to have general IT controls that focus on the acceptable use of computer resources such as the internet.

The risks arising from IT are real and a growing body of evidence suggests that no business is too small to be immune to these risks. Valuable company information being lost following a virus downloaded through an email, fines imposed due to an inadequate General Data Protection Regulation (GDPR) management, website defacements and internal fraud are just some consequences of an ineffective or an absent IT control framework. Management of organisations, whether these are big, medium or small, need to understand the critical role that IT controls play in creating stability and laying the foundation for their companies and customers. A business underpinned by an effective IT control environment is more likely to respond effectively to threats, remain flexible, and ascertain that the confidentiality, integrity and availability of information is preserved at all times.  

About the author

Sandro Psaila holds the position of IT Audit Senior Manager within the Audit & Assurance service line at Deloitte Malta. He has more than fifteen years’ practical knowledge and experience in the IT/Telecomms industry, most of which is in a role specialising in the fields of Internal IT Audit and Revenue Assurance.

References

[1] Deloitte UK “Minimum controls: how much is enough?” July 2019
https://www2.deloitte.com/uk/en/blog/auditandassurance/2019/minimum-controls-how-much-is-enough.html

[2] Utkarshni Sharma “Sox Compliance: Eleven Essential Controls for SME” August 2016
http://www.iosrjournals.org/iosr-jce/papers/Vol18-issue4/Version-5/U180405140142.pdf

[3] Ross Armstrong “SOX Compliance: Eleven Essential Controls for the SME” http://www.s-ox.com/dsp_getFeaturesDetails.cfm?CID=2106