In-Depth

Your Stake in Data Auditing - Part 1 of 2

What CFOs and CIOs need to know

• By Murray S Mazer
• 04/06/2005

Data auditing is an essential business operation, involving individuals across the corporation, from the boardroom to the IT department. As part of a company’s risk and compliance initiatives, CEOs, CFOs, CIOs, IT managers, DBAs, finance managers, auditors, and others play essential roles in developing and implementing strategies to ensure compliance and reduce risk in the enterprise.

A new regulatory environment has evolved from corporate scandals (Sarbanes-Oxley Act) and acts of terrorism (The USA PATRIOT Act). It has also grown from concerns about protecting privacy, as in the case of electronic access to patient information (HIPAA), protecting consumer information (Gramm-Leach-Bliley), and managing clinical trial data (FDA Title 21 CFR Part 11).

It is the convergence of the regulatory environment and the widespread, instantaneous availability of data that requires corporate officials to develop stringent data auditing policies and procedures to monitor and report on data access and use. Data auditing helps mitigate the significant business and legal risks associated with the use of corporate data assets on a daily basis.

This week we'll examine the roles the CFO, CIO, auditor, and DBA play in developing and implementing a comprehensive corporate risk-management solution through data auditing.

The CFO

Today’s executives, especially the CFO, are professionally and personally liable for so much more than they can control themselves, so they must carefully establish policies that will provide fail-safe ways to insure data integrity. Fines, imprisonment, and loss of future career prospects are factors that compel CFOs to focus much of their time on compliance and risk management issues.

First, the CFO is expected to manage regulatory requirements while improving the financial performance of the corporation, so resources allocated to compliance must not offset corporate gains. A CFO may be faced with multiple technical responses when none of the suggested pieces offers a complete data-auditing solution, resulting in excessive spending on compliance solutions.

Second, a savvy CFO will be looking for additional functionality from the data auditing solution:

• improved business processes to advance the enterprise’s market share and financial performance goals
  
• verification of strategic partner activities and third-party application behavior
  
• answers to ad hoc business questions outside of normal reporting mechanisms

Third, the CFO will want the company to detect and analyze breaches in user and application behavior, whether intentional or accidental, and perform forensic analysis for detecting fraud and outsider or employee intrusion in order to minimize business risks.

Because many regulations provide only broad frameworks within which to reach compliance, the CFO must interpret the immediate and long-term implications, then set the strategy for solutions and determine how resources will be allocated among policy development, monitoring, reporting, and all of the varied activities involved in implementing a comprehensive compliance solution.

The CFO must be able to clearly communicate these needs to the IT team, so that the monitoring criteria are melded with the technology environment to create a complete solution. Partnering with the CIO to understand more of what the company’s financial systems can deliver in terms of audited records, and where the shortfalls may be, is an essential step in getting to a comprehensive auditing solution.

The CFO should require that the controls and monitoring procedures of the data auditing solution safeguard the integrity of financial data and quickly identify any events that bring into question that integrity. Working with the IT team, the CFO should insist on appropriate monitoring (either through procedures or technology) to identify potential material changes quickly enough to react to regulations that stipulate response and mitigate any breaches.

The CIO

The CIO’s responsibilities include securing an enterprise’s data by implementing security measures to keep out intruders and hackers, and prevent the misuse or theft of data by insiders. When CIOs list the pitfalls that can beset a company because of unauthorized access to corporate data –lawsuits, fraud, lost customers, severed partnerships, financial loss – they are quick to point out that these risks can be mitigated with the proper security and audit controls in place.

The advent of compliance regulations is bringing an overlooked value to the corporation and the CIO: the elevation of the role of CIO to that of a strategic partner at the executive table. For the corporation, IT involvement at the beginning of problem solving (and that involves IT response) means that the ultimate solution will be better planned and executed, delivering improved results and probably at lower cost. For an individual CIO, participation in the strategic planning process is good for career development.

Another compliance-related part of the CIO’s job is reporting to the CFO or compliance officer about the effectiveness of ongoing controls. It is important that the CIO institute an IT solution that will identify unusual behavior in the database, or provide visibility into how well controls are working. These types of controls and reporting mechanisms are built into comprehensive data auditing solutions.

At first glance, a regulation such as Sarbanes-Oxley looks like a financial or accounting issue. However, financial information runs through a company’s IT systems, and it must emerge, complete and correct, with an audit trail that proves its accuracy. CIOs must understand issues that go beyond their traditional technical expertise. A few years ago, there were very few CIOs who knew about Control Objectives for Information and Related Technology (CoBiT), the IT-specific internal controls developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Now, the CIO of every public company should know these and other regulatory details; this understanding is integral to meet the requirements of the Sarbanes-Oxley Act.

The challenge facing the CIO is similar to that confronting the CFO: how do you ensure appropriate IT controls and procedures are in place when faced with non-prescriptive audit requirements, changing requirements, and newly enacted regulations? Here, the CIO must develop a technology solution that meets the directives established by the enterprise, one that is usable as requirements evolve and are interpreted more fully. Implementing a solution to only meet today’s compliance requirements is of little use; it is certain that there will be different (and additional), requirements in six months. No CIO or corporation can afford to start over with each new requirement.

The CIO must seek the most appropriate IT solutions to address the corporation’s potential risks. Without a clear vision and specific technical solutions, the CIO leaves the company, and him/herself, vulnerable to a host of risks that threaten the survival of both.

First and foremost, the CIO should insist on being a strategic participant in corporate initiatives from the outset, so that it is possible to closely align technology approaches with the goals of the organization. In the case of compliance issues, the CIO can only put in place appropriate controls and safeguards when IT is involved from the beginning of the process.

These controls start with installation of data auditing capabilities that capture activity at the database level and can be interpreted for a multitude of regulations and business processes.

To meet several important criteria, the data-audit solution should be:

• scalable to accommodate business growth, the addition of new data resources, and deal with changing audit requirements. An important requirement is keeping operational overhead low, so that extending the use of the data auditing solution to additional platforms or databases is cost effective.

• flexible to accommodate changing audit requirements. A flexible audit framework will enable rapid response to changes. Because of changing regulations, a previously used type of auditing, application modification, becomes exceedingly cumbersome and consumes IT staff time as each new regulation must be built into every corporate database and updated regularly.

• centralized for management ease, with operational procedures controlled from a single point and analytics applied to the whole data audit record. Larger corporations will need to have this centralized access for fast response not just for compliance needs, but in the event of unauthorized data access that can create potential business risks.

• multi-platform, so the enterprise can audit multiple databases on multiple physical servers. No enterprise can afford to devote additional IT staff to data auditing, so any solution must be comprehensive and applied across all platforms. This eliminates the need to train staff for multiple databases and allows the CIO to focus limited operational resources on what the IT team does best – keeping IT systems up and running, rather than trying to build controls in which there is little staff expertise.

• comprehensive, covering all application and communications data, including email and instant message logs, transaction log files, and all information shared within, and outside, the organization.

CIOs who have relied on internally developed auditing mechanisms should be prepared for the day when the organization’s auditors declare the auditing systems as deficient; having a remediation plan in place at such time is recommended. The plan should include a review of externally available options and an estimate of what resources and time it would take to implement a new solution. When evaluating other options, the CIO should look at how it's going to fit with the other systems already in place.

Next week: What auditors and database administrators need to know about data auditing