
What management needs to know before investing in new technologies

By:
JOEL LANZ, CPA/CITP, CFF, CISA, CISM, CISSP, CFE
Published Date:
May 2, 2014

Q: My firm recognizes that, in order to remain competitive and satisfy increasing customer expectations, we need to enhance our ability to leverage new technologies. What factors should we consider before we introduce a new tech initiative?
A: The challenges of introducing new technologies at companies are well chronicled. I recommend that anyone in a position to do so read Frederick Brooks Jr.’s classic, The Mythical Man-Month: Essays on Software Engineering. The book, which was written more than 30 years ago, explores the human resources challenges and management problems that can come with developing and implementing large, complex tech projects, and is still very much relevant today.

My experience has been that, frequently, organizations fail to consider and include all of the realistic threats associated with launching new projects or initiatives, particularly threats that may come from staff. In fact, as noted by Brooks, the human factor or “people-related threats” to tech ventures are frequently understated. For example, fearing change and the impact of new technology on their daily lives and livelihood—i.e., increasing workloads, time pressures and needing to adjust to or learn new technologies—employees may unwittingly sabotage technology investments by being so resistant to adaptation that the transition process is more difficult and time consuming than planned, or may underuse or misuse the technology.

The human element applies to the C-Suite as well. Under pressure to meet implementation dates in order to obtain bonuses, some executives may push an implementation through even though the organization is not ready; there may be critical technology-related risks that have yet to be mitigated. Another common “executive failing” is to continue a bad project when the organization may be best served by terminating the initiative and preventing additional losses.

To increase the probability of a successful implementation, take the following steps:

  • Generate excitement and buy-in from users in order to facilitate adoption. Fully explain to employees the benefits that a new technology will bring—for instance, how it will help them to become more efficient or perform certain aspects of their jobs with greater ease. Be sure to set the tone from the top down, and ensure that high-level managers are supportive and enthusiastic about the technology.
  • Appreciate the nuances of your organization. Implement technology that your organization can reasonably adapt and profit from, rather than just buy the latest gadgets.
  • Don’t over-customize. Off-the-shelf solutions, especially those offered in a “vertical” or industry market, tend to mimic best practices of the industry. Challenge your management to adapt the vendor’s process, rather than invest in expensive customization, to the greatest extent possible.
  • Ensure that all new technologies comply with existing architectures and related strategies and policies, including adequate security and data protection.
  • Perform a project risk assessment to identify organization-specific threats and get “buy-in” on mitigation strategies. This should occur at the beginning of the project and should continue as the implementation of the mitigation strategies is monitored.
  • Conduct periodic reviews of planned activities vs. actual. Encourage accurate reporting.
  • Ensure that expectations, including those from outside vendors, are defined, formalized and adhered to.

Q: Our practice, which is limited to smaller private companies, just completed its year-end audit cycle. Though we don’t usually focus on IT controls, we’re interested in those that would enable us to quickly identify potential IT control weaknesses. Any recommendations?
A: You’ll notice in Generally Accepted Auditing Standards that IT controls are usually classified as either “general” or “application.” General or pervasive controls apply to all applications within the enterprise, while application controls apply to a specific function (e.g., accounts payable). My suggestions are divided along those lines. I’m also going to assume that, like many companies, your “small” client is using Microsoft.

General controls: Determine to what extent your client is running free security tools such as Baseline Security Analyzer or the security configuration management tool. This will help you to assess how well the client adheres to Microsoft-recommended logical security practices. You’ll also want to establish how often the client performs automated vulnerability scanning, a critical logical security control that is typically used by more sophisticated and control-conscious clients. Assess the overall logging strategy used by the client to monitor system activity. Logs are similar to audit trails, as they are used to record system events. The issue, however, is that logging everything can significantly reduce system performance. The client should have a well-thought-out process for balancing the challenge between recording too little and too much.

Application controls: Ask the client for an automatically generated security privilege listing from the application. Then, identify the security administrator and take note of the codes next to his or her name; typically, this would represent the highest level of security. Also, note which other users have the same code, since this would identify those whom the application would recognize as security administrators. I would then compare these names to organizational charts and job descriptions in order to determine whether those individuals should have these significant privileges.

Be sure to obtain the customer-defined parameters from the application that you are auditing, and see if they can be reconciled with your understanding of the client’s business. They should also reflect current policies and financial statement disclosures. For example, is a 90-day write-off on an unpaid receivable defined in the system, if that is the accounting policy and if that is the information disclosed in the footnotes?

Finally, determine if the application system used has a reporting feature. Use the feature to develop a query that would determine the top 10 customers and vendors and assess for reasonableness.
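The two application-control procedures above (matching the security administrator’s privilege code against the rest of the privilege listing and job roles, and the “top 10” reasonableness query) can be scripted so they are repeatable from one audit cycle to the next. The following is an added example, not code from the column or from any accounting package; the privilege-listing layout, the user names, the privilege codes and the sales and purchase amounts are all constructed for illustration, and a real export would need its own parsing.

```python
"""Added example: scripting the application-control checks from the column.

1. Parse a (constructed) privilege listing, find the security administrator's
   privilege code, list every other user holding that code, and flag those
   whose job role does not justify it.
2. Summarize (constructed) customer and vendor activity into a "top N" list
   for a reasonableness review.
"""
from collections import Counter

# Constructed privilege export (hypothetical CSV layout, not a real product's).
PRIVILEGE_LISTING = """\
user_id,name,priv_code
jdoe,Jane Doe,SA
mroe,Mark Roe,AP
tlee,Tina Lee,SA
bkim,Bob Kim,AR
pzhu,Pat Zhu,SA
"""

# Constructed job descriptions from the org chart, keyed by user id.
JOB_ROLES = {
    "jdoe": "Security Administrator",
    "mroe": "AP Clerk",
    "tlee": "Controller",
    "bkim": "AR Clerk",
    "pzhu": "Former employee",
}


def parse_listing(text):
    """Turn the CSV-style export into a list of dicts keyed by the header row."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def find_security_admins(rows, admin_user_id):
    """Return the named administrator's privilege code and every other user
    who holds that same code (the application treats them as administrators too)."""
    code = next(r["priv_code"] for r in rows if r["user_id"] == admin_user_id)
    others = [r["user_id"] for r in rows
              if r["priv_code"] == code and r["user_id"] != admin_user_id]
    return code, others


def flag_unjustified(user_ids, roles, justified_roles=("Security Administrator",)):
    """Keep only users whose job role is not one that should carry admin rights."""
    return [u for u in user_ids if roles.get(u) not in justified_roles]


# Constructed transaction data: (counterparty, amount). Several invoices per party.
CUSTOMER_SALES = [
    ("Acme Corp", 12000.0), ("Acme Corp", 8000.0),
    ("Beta LLC", 15000.0),
    ("Gamma Inc", 3000.0), ("Gamma Inc", 2500.0),
    ("Delta Co", 500.0),
]
VENDOR_PURCHASES = [
    ("Office Supply Co", 4000.0), ("Office Supply Co", 1000.0),
    ("Cloud Host Ltd", 9000.0),
    ("Consulting Group", 7500.0),
]


def top_n(records, n=10):
    """Total each counterparty's activity and return the n largest, descending."""
    totals = Counter()
    for party, amount in records:
        totals[party] += amount
    return totals.most_common(n)


if __name__ == "__main__":
    rows = parse_listing(PRIVILEGE_LISTING)
    code, others = find_security_admins(rows, "jdoe")
    print(f"Admin code {code}; other holders: {others}")
    print("Review needed for:", flag_unjustified(others, JOB_ROLES))
    print("Top customers:", top_n(CUSTOMER_SALES, 3))
    print("Top vendors:", top_n(VENDOR_PURCHASES, 3))
```

The privilege check deliberately starts from the named administrator’s code rather than from a hard-coded “admin” label, because the highest privilege level is whatever the application assigns to that person; the role comparison then separates the expected holder from the ones that need a question to management.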

Joel Lanz, CPA/CITP, CFF, CISA, CISM, CISSP, CFE, is the sole proprietor of Joel Lanz, CPA P.C., and an adjunct professor at SUNY–College at Old Westbury. He is a member of the NYSSCPA’s Technology Assurance and Banking committees, and The CPA Journal Editorial Board. He is a past chair of the Technology Assurance Committee. 
