Which is more important from an assurance perspective: the information that people use, or the controls governing that information?
This is the question several veteran internal IT auditors and IT assurance managers posed recently. There’s plenty of solid argument for each position.
And the answer is: it depends on your role and focus.
The argument for testing and auditing the information served up for business procedures and decision-making is that it is the information people use, not the controls, that matters most in running and operating a business or an organization.
The argument for testing and auditing the controls is that the underlying information and communications technology (ICT) is so complex that prioritized business risks dictate the need for some assurance about the integrity of the ICT systems serving up that information to people.
Both positions are correct, and according to most of the people participating in the discussion, both are in fact tested. However, I think the discussion needs to dig a little deeper into the relationship between the information served up by ICT and the assurance statements that can be made about the information being used to run the business.
Information is ephemeral
Information is an ephemeral thing that exists only through the interaction of algorithms, data, business procedures and decision-making. Information does not exist by itself in computer systems and networks. It is created from raw data that may have existed at start-up, but more often is fed into a chain of events acted on by algorithms (the old word for applications, or today’s mobile apps).
While these activities can be linear or wholly contained in one application, system or network, more often than not the processes are heuristic in nature, pipelined across multiple networks, devices and even business relationships – and bear no relationship to simplistic input-output concepts.
Testing the manipulation of information is done today, but on a rudimentary basis, with many of the assurance tests focused on simple procedures and results. Depending on the applications and risks involved, the testing may be zero, or may approach 95 percent of “expected” failure cases.
Few organizations, other than software vendors, proceed beyond two-sigma failure limits when testing software. And why bother, when most of the errors and problems are no longer due to compiled code, but arise from random inputs and events being operated on by interpreters.
Integrity, availability and confidentiality
The basis of information validity and testing remains the old triad of integrity, availability and confidentiality. The information produced by apps, applications, scripts, interpreters, data input and pipelined procedures, whether to position the swipe of a finger across a mobile phone or to run reports covering quarterly financial results, depends on controls in both business and ICT procedures. It is the controls, if established, that can provide a reasonable guarantee that the information produced has integrity, is available when needed, and is available only to the appropriate ICT systems and people.
Without controls introduced into both business and ICT systems, it’s impossible to know what your data points are, how bad the errors and problems are, and whether you can cordon off some, if not all, of the infections. Testing only the end product of the myriad interactions that produce information forgoes the ability to detect problems early, avoid further rot, and minimize the impact on an organization.
Back to role and focus
No amount of ICT controls testing could have done anything about the Gulf disaster of 2010 or the alleged Gupta-Rajaratnam fraud. Those would have required controls focused on what people do with information.
On the other hand, ICT testing could have helped stem the Madoff disaster (even though regulators were warned), and could have been used by regulators and central banks to rein in the reckless debt party of the late 2000s.
The reason we (should) test both the effectiveness of the information and the underlying ICT controls is that one is primarily focused on what people do with the information served up, while the other focuses on making sure the information served up has integrity, is available, and reaches only the appropriate people.
Whether you are a customer, a regulated business, a regulator, an investor, a board member, an executive or an employee, information that is reliable, has integrity and is available when required is the foundation upon which competitive markets rely. As to whether it’s the information or the controls that are more important: maybe it’s a bit of both.