Rising perils amid a plethora of platform choices has been saved
Perspectives
Rising perils amid a plethora of platform choices
The risks that should be on internal audit’s radar
With various modern software development methodologies available to meet and scale their business vision, platform companies are spoiled for choice. However, this variety of options tasks internal audit (IA) teams with the critical responsibility of rethinking the risk considerations surrounding their in-scope processes to mitigate technology-related risks.
Are choices for platform companies concerns for IA?
“Platform company” describes businesses facilitating exchanges between interdependent groups, typically consumers and producers. These are the social media, content, payment, and other exchange platforms. Platform companies frequently leverage one or a combination of modern software development methodologies (Agile, DevOps, Continuous Integration/Continuous Delivery, etc.) to meet and scale their business vision rapidly.
As more open-source tooling options are made available, engineers frequently use various customizable tools to develop their in-house built platforms. This inherently creates dispersed and complex processes in a controlled environment and introduces new risks not previously considered. Due to the variety of development methodologies available to the developers of in-house built platforms, IA departments will need to reexamine their risk considerations surrounding their in-scope processes, specifically identifying proper general technology controls to mitigate technology-related risks.
Internal audit risk considerations
Types of platform risks
Segregation of duties (SOD) in a DevOps environment
Achieving SOD requires implementing preventive or detective measures throughout the DevOps process to prevent an individual software engineer from unilaterally developing and implementing a production code change. Typically, this is achieved by requiring peer review on code changes combined with build and release tooling restrictions to prevent unapproved code changes from being deployed to production.
Source code management (SCM)
Without proper configurations within the SCM tool, changes could be made to the source code without review or approval. If additional controls are not in place in downstream systems, this creates a potential SOD risk in which a single engineer could make a code change and deploy it to production without review or approval.
Testing
Failure to conduct unit testing, integration testing, or end-to-end testing could lead to many issues, like failure to identify errors in the code and a disconnect between the microservices among others. In a mature DevOps environment, financially relevant testing may also be conducted to reduce the risk that a change will likely have an intentional impact on downstream financial reporting.
Build
Build tooling can point to code sourced from an unapproved location. Such activity will likely not be easily identifiable via controls placed on downstream systems because it may appear to have been created appropriately from within the build tool. This makes the risk upstream change management controls over SCM, and testing could be circumvented without detection.
Artifact storage
Artifact storage locations are used to hold code prepared by the build tooling before being deployed to the production environment. Changes to artifacts stored within the artifact storage tool create the risk that upstream change management controls over SCM, test, and build tooling could be circumvented without detection.
Deployment
Configuration changes within the deployment tooling could allow engineers to deploy software sourced from outside company-accepted tooling, creating the risk that upstream change management controls over SCM, test, build, and artifact storage tooling could be circumvented. Proper monitoring of deployments put into production could protect these activities.
Achieving SOD requires implementing preventive or detective measures throughout the DevOps process to prevent an individual software engineer from unilaterally developing and implementing a production code change. Typically, this is achieved by requiring peer review on code changes combined with build and release tooling restrictions to prevent unapproved code changes from being deployed to production.
Source code management (SCM)
Without proper configurations within the SCM tool, changes could be made to the source code without review or approval. If additional controls are not in place in downstream systems, this creates a potential SOD risk in which a single engineer could make a code change and deploy it to production without review or approval.
Testing
Failure to conduct unit testing, integration testing, or end-to-end testing could lead to many issues, like failure to identify errors in the code and a disconnect between the microservices among others. In a mature DevOps environment, financially relevant testing may also be conducted to reduce the risk that a change will likely have an intentional impact on downstream financial reporting.
Build
Build tooling can point to code sourced from an unapproved location. Such activity will likely not be easily identifiable via controls placed on downstream systems because it may appear to have been created appropriately from within the build tool. This makes the risk upstream change management controls over SCM, and testing could be circumvented without detection.
Artifact storage
Artifact storage locations are used to hold code prepared by the build tooling before being deployed to the production environment. Changes to artifacts stored within the artifact storage tool create the risk that upstream change management controls over SCM, test, and build tooling could be circumvented without detection.
Deployment
Configuration changes within the deployment tooling could allow engineers to deploy software sourced from outside company-accepted tooling, creating the risk that upstream change management controls over SCM, test, build, and artifact storage tooling could be circumvented. Proper monitoring of deployments put into production could protect these activities.
Direct and indirect access to production
Users with direct access to production can modify the code running on the server and/or the data stored on the server. Additionally, configuration changes could be made directly to the production hosts themselves, allowing the host to receive potentially unapproved software. Further, multiple tools are typically used to deploy code to production in a DevOps environment. Users with privileged access to these tools can modify them to circumvent change management controls within the deployment process.
Users with direct access to production can modify the code running on the server and/or the data stored on the server. Additionally, configuration changes could be made directly to the production hosts themselves, allowing the host to receive potentially unapproved software. Further, multiple tools are typically used to deploy code to production in a DevOps environment. Users with privileged access to these tools can modify them to circumvent change management controls within the deployment process.
Integrations and interfaces
In platform architectures, communication between services is vital. IA needs to understand the types of integrations and how to address risks related to the completeness and accuracy of data.
Data aggregation and transformation
We often find that data flowing through platforms is aggregated, transformed, and cleansed. Tooling and/or in-house written queries are used to assist with such cumbersome tasks, especially given the data-centric world we live in today. With that said, IA needs to consider the risks associated with inappropriate transformation logic, as it can lead to inaccuracies in the data that can be difficult to reconcile or revert downstream.
In platform architectures, communication between services is vital. IA needs to understand the types of integrations and how to address risks related to the completeness and accuracy of data.
Data aggregation and transformation
We often find that data flowing through platforms is aggregated, transformed, and cleansed. Tooling and/or in-house written queries are used to assist with such cumbersome tasks, especially given the data-centric world we live in today. With that said, IA needs to consider the risks associated with inappropriate transformation logic, as it can lead to inaccuracies in the data that can be difficult to reconcile or revert downstream.
Conclusion
With the widespread adoption of modern-day software development methodologies and companies building their own different platforms to operate their businesses, IA departments will need to equip themselves with new skills to uncover the core risks that require mitigation properly. Without a strong understanding of these rapidly changing technologies, internal auditors run the risk of not being broad enough in their inquiries to uncover many avenues of potential risks in the established processes.
Authors
|
|
|
Recommendations
Internal Audit perspectives
Your one-stop shop for all things IA
Internal Audit 4.0: Megatrends reshaping the IA framework
Purpose-driven and digitally powered IA function of the future
