DR M REVATHY SRIRAM
CONSULTANT, COMPUTER ASSURANCE AND RISK
MANAGEMENT
The integration of Information Technology
(IT) into business systems calls for drastic
changes in the Internal Controls of an Organisation.
Security and Controls in the IT environment
are important in Organisations which
are globally connected, and not being globally
connected is an exception.
In a competitive world, being connected
and implementing the latest appropriate technology
is a pre-requisite for progress.
In our country, none of the successful Organisations
are lagging behind in implementation of
latest technology -
- Wireless Connection
- RFID - Radio Frequency Identification
- Digital Rights Management
- VOIP - Voice Over Internet Protocol
- Computer Forensics
- Open Source Software
- Web Services
- Knowledge Management
- Contract Management
and many other concepts.
Implementing technology is one part of
global leadership. India can do it. The
other part, equally if not more important,
is ensuring that appropriate controls are
in place and that there is machinery either
within the Organisation or outsourced to
professionals contracted to perform the
monitoring activities.
Companies abroad have enactments like the
Sarbanes-Oxley Act which make it mandatory for all
registered Companies to comply with the
requirements. Companies abroad which have
business connections in India need to necessarily
incorporate the Profit or Loss arising thereof
in the Financial Statement of the Companies
abroad.
There are requirements like SAS 70 Certification.
This is a requirement for the registered Companies
abroad wherein there needs to be an evaluation
of controls of the business operations in
India and a Certificate provided by an individual
who is a Certified Public Accountant of
U.S.A. to the effect that such an exercise
has been carried out in the set up outside
U.S.A. and the financial statements can
be relied upon and included in the consolidated
statement.
When global connectivity is established,
it becomes all the more important that global
standards are maintained in all areas including
security and controls in IT environment.
In our country, as of now, it has not yet
become mandatory to obtain a third party
professional opinion on the adequacy of security
and controls in an IT environment.
However, there are quite a large number
of companies who have never waited for either
corporate governance or audit of IT environment
being made mandatory. They have in their
own opinion found it necessary and have
introduced it and in some cases, even for
more than a decade.
However, it needs to be noted that many
Organizations which have introduced complex
Information Technology to meet their business
needs and competition have not found it
necessary to invest in creating security
awareness or obtaining an independent opinion
on the adequacy of controls. In view of
Clause 49 having been introduced in the
Listing Agreement, Organizations are to
a certain extent introspecting on the
adequacy of internal controls. Even in such
cases, enough attention is not being paid
to security concerns and controls specific
to implementation of Information Technology.
Those of the Organizations who are providing
IT services or BPO operations have felt
the need to obtain security certification
and also have either internal or external
specialists to render computer assurance
services so as to provide the management
the comfort level. This is being done as
the Organisations outsourcing their requirements
to these companies expect it as a pre-requisite
before the services are outsourced to them.
Also, for marketing their services, Companies
are realising that a formal Certification regarding
Security is a value addition, if not a pre-requisite.
The Department of Banking Solution of the
Reserve Bank of India insists on certification
being obtained as a pre-requisite before
Internet Banking can be introduced to facilitate
transactions being effected. Reserve Bank
of India also has provided guidelines regarding
ensuring controls in an IT environment.
The Institute of Chartered Accountants of
India has taken the initiative to get the
Government approval for the Memorandum of
Understanding it proposed to sign with the
Information Systems Audit and Control Association
(ISACA) of USA. Soon after the Government
gives the approval for the MOU, the guidelines
issued by ISACA, USA would be applicable
to our Country. This would ensure that
such guidelines as have been issued by ISACA,
USA may be applicable to all of the statutory
auditors practicing in India. This in turn
would ensure that best practices regarding
security and control in an IT environment
would be automatically followed and certified
by competent professionals.
Information Technology is for business processes.
Information is a valuable asset. Maintaining
confidentiality, integrity and availability
of the information when business processes
are using Information Technology assumes
great importance. In our own country we
have competent, qualified and experienced
auditors, though not many, who can perform
this function effectively and efficiently.
The country's economy relies heavily
on networked computer information systems
for commerce, communications, energy distribution
and many other critical activities.
The current momentum is clear. The dependence
on Information Technology based information
systems will only increase. When services
are interrupted and/or data stolen or misused,
the minimum risk is a reduction of user and
consumer confidence, which in turn will
slow down acceptance of E-commerce. The total
rupee amount of financial loss resulting
from security breaches is on the increase,
though not reported due to fear of adverse
publicity.
As a result, Computer Security as a critical
activity that protects the systems has moved
to a position of prominence. India and its
Professionals are gearing towards the same.
ISACA (USA) has Chapters all over India,
the first Chapter having been started in
Chennai almost a decade ago. There is a significant
increase in individuals competing to qualify
and Organisations which recognise the need
to employ them or have them as Consultants.
However, there is a need for a significant increase
in awareness.