MARCH 9, 2020
In this episode we explore why restricting access to data is less efficient and less effective than we intend it to be.
That is, such “controls” create risk.
Welcome to the assurance show. This podcast is for internal auditors and performance auditors. We discuss risk and data focused ideas that are relevant to assurance professionals. Your hosts are Conor McGarrity and Yusuf Moolla.
So discussion today is about why we need to think differently about the way in which we control access to data and think about security.
Differently from what?
Controlling access to an ERP system. This is controlling access to a data warehouse or a data store.
Internal auditors are in a very privileged position in that they've got access to pretty much all the data within an organisation. But today we're focusing on how that team should share their or open the data between themselves.
Yes, probably a couple of things. Maybe a little bit broader than just Internal Audit, but definitely focused on internal audit and performance audit. You know, a few years ago when we decided that there needed to be better control off access to systems - that was largely based on things like Sarbanes Oxley and a few other pieces of regulation that had come out at that time. Generally, the way in which access to systems was controlled was reasonably poor. Now because the ability to make changes to transactions directly within an ERP creates risk. There was a very strong focus on the way in which access is controlled. Secondary to that, there's a focus on controlling access to ensure confidentiality. So a large part of what we've been thinking about or how we've been thinking about controlling access to data has been around confidentiality and integrity. But having said that, it's largely been that the controls have been designed to control access to systems and ensure that systems that hold transactional records and that allow for transactional processing - the integrity can be maintained.
Just to clarify that when we're talking Sarbanes Oxley and controls around access to systems, primarily at the minute we're talking about internal audit as opposed to performance audit, which is a slightly different regime.
This would apply regardless, so we will talk about what that looks like for data warehouses. We'll talk about what it looks like for internal audit, we'll talk about what that looks like for performance auditors. There will be some differences. Sure. In some cases, more stringent than others and surprisingly, for audit it should possibly be less stringent and we'll explain why.
So we had this raft off rules and regulations and tightening of access come in. Is that a bad thing?
It's not a bad thing. No. But it can't be used as a blanket determination as to what access needs to look like. So we've been thinking about granting access on a needs only basis for many, many years, and that's been almost the default. And that's then been applied to both systems off recording transactions, so ERP Systems. So your SAP systems, your Oracle systems, any sort of accounting system where you are actually recording transactions of the business. That makes sense. Those controls are tried. They're tested, and they actually were quite well nowadays, right? So that wasn't the case 20 years ago. What then happens is that if those exact same controls are applied to a data warehouse, we're applying controls that relate to systems of recording two systems of intelligence. And so the reason for having a data warehouse and separating a datar warehouse is that you don't then impact on the transactional system. So integrity of data is a very different concept within the data warehouse than it is within the ERP system and people are starting to recognise that there are differences. If we think about creating risk and control matrices. If we think about the way in which we determine what the right level of control needs to be when we're doing an audit, there's been a large focus on a particular type of control and the way in which we think about that control and those RCMs, the objectives that we set out, the hypotheses that we set out aren't always differentiated. So there's a lot of teams that are doing this well. And as auditors, we need to be educating first line and second line that there's a better way to do this and a better way to think about it.
The thinking that's applied to the data warehouse that auditors may rely on to extract that data from. We need to educate the custodians of that warehouse. Is that what you're saying?
As auditors, we are in a position to provide those individuals with the courage to apply the appropriate controls.
I'm just wondering. Having discussed all this is one of the byproducts off having those overly stringent controls - sounds as if they're in place, potentially for the wrong reasons.
So the background to the way in which the controls were designed is different to the way in which the systems have been set up and what the systems are now designed for. In your ERP systems, you still want to apply those really strict access controls to make sure that you have only the right people with access to the things that they need to have access to, and also that you then have the situation where segregation of duties is is well maintained, etc. Those controls really makes sense in an ERP setting, and we've done well with them. We've matured them over the years. As auditors, we know exactly how to test . In many cases, we've got automated testing routines in place for those to make sure that they either from a third line or second line, are well controlled, and we'll talk about three things, right? We'll talk about data warehouses. We'll talk about the data that internal audit gets and we'll talk about the data that performance auditors get. That data is not used for transaction processing, and particularly where you have, you know, good reconciliation and privileges in place. You in a situation now where we should be thinking about not how to control access to that data, but we should be thinking about how to give as many people access to that data as possible. So it's almost the, you know, the thinking is almost a reverse of the thinking around ERP. In the ERP world it's deny access unless you need it. So on a needs only basis. In the data warehouse world, in the data that we get within audit world, that needs to switch. And it needs to be grant access as far as possible and restrict access on a need to restrict basis.
So it's a shop window effectively. You can buy whatever, take whatever you want, but you can't change the product that you take.
So yes, that's exactly right. There's a few things that we need to think about, obviously. So you know with the data warehouse we don't want to give people write access to the source data files. You know, in a data warehouse what that looks like is: you've got, a typically in a traditional data warehouse set up, and alot of that's changing, but typically you've got a staging area and then you've got a few different layers built on top of that before you get to the reporting layer. So you open the reporting layer up to as many people as possible to be able to read. In some cases you need to give them access to create their own tables because they need to join data up etc. But the source data that's been obtained from the transactional system - because you want to maintain the integrity of that for everybody to use - you lock that down. So you just you know you don't need to actually get there. And the same applies within the audit world. We we regularly get data for audit purposes, So why don't we make sure that the initial source of data that we get, and the results that you produce from an audit are locked away. You can't make changes to that. But then all of that source data and all of those results are then also made available in a read only form to everybody else that needs to use it within the audit team.
What are some of the challenges you think that, um, having overly prescriptive controls on, say, a data warehouse as opposed to a transactional database creates for auditors? I'm thinking here there must be some inefficiencies.
That's right. We regularly are being called on by management, by the board, and we hold ourselves to this - to reduce the level of duplication of effort on management. So we don't want management to expend more effort than they need to. Internal auditors, external auditors, other reviewers work together, second line and third line work together quite closely. So if we're not sharing data amongst the audit team, we then have to go and ask for that data each time.
If I reflect on that or we reflect on that from, say, the public sector auditing world and performance audits, efficiency is the catch cry of many governments around the world. So when auditors general or comptrollers general, are performing their performance audits. They need to be as efficient as possible. So if we're tying that back into the use of data, then the same principle applies. In that if all the data is going to a singular place, then it should be freely available and used. And how it's used and the outcomes from its use should be made available to other performance auditors.
We all sign up to very strict confidentiality agreements. So there are some other exceptions that come up and we'll talk about those in a future episode. There's no need for us to be reinventing those wheels. There's no need to get the data again. There's no need to try to understand that data. There's no need to retest the same things for different purposes.
So at the risk of sounding like a broken record here, as we've probably canvassed on a couple of podcasts now, I think performance. The performance audit world has a little bit to go to catch up with the internal audit world in terms of its maturity around data sharing, particularly data that has been obtained and analysed and reported on as part of a performance audit. I'm not sure if that's a consequence of the relative newness of a performance audit function. Or whether that's an overly prescriptive approach to security and prudence because of the audience and because of the particular community data that's sometimes analysed.
Both within internal audit and performance audit. There's this common objection that often comes up, common pair of objections. And those two are, firstly that there's a need to maintain confidentiality. And we explained why that's something we can get around so, you know, open up as much as possible. They may be certain very specific instances where we need to restrict because of just very high level of sensitivity. The second objection that comes up is that the data when we collect data we collect it for a particular purpose, and so we shouldn't be using it for any other purpose. And so the question is, when you collect data, do you collected for a particular audit , or do you collect that data in order to discharge your obligations as either an internal auditor or performance auditor ? Discharge your obligations as a head of audit or as an auditor general. And I think if we think about the former, we're thinking about it very narrowly. If we think about the latter, we're probably going to get to a better place. That's my view.
So your second point around how data is captured, the purpose for its capture and what's done with it is very topical, certainly in the performance audit sphere. Most recently, there's been a very strict approach to the gathering of data in that we only use it for a particular purpose as an Auditor General might see it, and it cannot be really relied on for other purposes. So, for example, analyse to, identify future audit topics. That's a pretty simple example, but it's real example. So there's been a very strict approach to that, and some of that's driven by, for example, what's stated in legislation or an interpretation of legislation. I'm not of the view that that strict interpretation is accurate, generally speaking. The overriding consideration for performance audit should be what's in the public interest. Surely it's in the public interest for an auditor general or a comptroller general or a supreme audit institution to work as efficiently as possible.
Yeah, and it's also about effectiveness. So there's both efficiency and effectiveness as performance audit teams - you always tell me about this - their focus is efficiency, effectiveness and economy in the audit topics that they look at. So if the audit is not being performed efficiently and effectively or if the overall performance audit plan is not being executed efficiently and effectively, then are we not doing what we're asking other people to do? So we need to be doing some of that ourselves.
So we need to take a bit of our own medicine.
We need to take a bit of our own medicine that's right. But back to your earlier point. It depends on how you define what purpose is. And if you defining purpose at the level of individual audits, then I think we're missing a very important trick here and I say trick loosely. But purpose is broader than just a specific audit. Purpose is why do you exist as a function? Purpose is why do you have the mandate that an auditor general has? Why do you have the mandate that a chief audit executive has? And what is the expectation of the individuals that have put you in charge? What is a reasonable expectation? So, in your case, that would be whoever the auditor general provides most of their feedback to and those two or three key audiences that we'll talk about in a future episode. But the three key audiences, as you mentioned before you know, as you've been telling me. The Parliament or the overall ruling legislature, the public and management of the entities. In the internal audit world, the audience, the people that we are trying to protect, really are the board, the board audit committee, management and customers. Largely.
Are we trying to protect them or inform them?
Oh, there's probably a few different things that we're trying to do. But a lot of what we're trying to do is protect value, right, so we obviously want to ensure value. But a lot of it is about protecting value, a lot of the traditional internal organ functions, and there's nothing wrong with that. It's a really important function. We've spoken to so many people in the public that are not in the audit sphere. And there's a very clear message that comes through around the importance of audit in protecting value. Those audiences, if you had to go to them and say we didn't use a particular set of data because we didn't collect that data for the purpose of that audit , we collected the data for purpose of a different audit . How would that sound? Does that make sense? Does it make sense to a member of the public? Does it make sense to the board audit committee? They don't care. They want to know that you've taken all the steps that you can take within the knowledge that you have, the access that you have, to be able to help them determine what is going on and whether there are steps that they need to take to address things that are not being done properly. And so that higher purpose is something we need to think about, not the lower purpose of what is the purpose for which this data was collected for particular audit ?
Yeah, and they don't wanna hear that you've had to duplicate or triplicate your efforts in getting the same data again for a singular project
That's right. So it's about effectiveness. It's about efficiency. I mean, we've seen situations, and I know you are strong on the efficiency. I'm probably leaning a bit more towards the effectiveness. But efficiency? Yes. We don't want to do the same thing twice. But importantly, if we can't use that data again, if we are prevented from using that data again because somebody says "You collected it for one purpose and you can't use it for another", then we're just not gonna be effective. We're just not gonna be able to discharge our obligations.
So one thing I'm not entirely clear on is at what point or is this a redundant question? At what point do you say that data was collected at a particular point in time? Let's take an example of two years ago. Can I still use that for an audit two years later? Or are we assuming when we talk about data warehouse here, we're talking about continual renewal and update of the data that goes in there?
In a data warehouse you typically have ongoing renewal, yes, Within the audit world, you would have, as use mentioned, collecting data at a particular point in time. Quite often, nowadays, internal auditors are getting access to the data warehouses to get the data themselves, so they can actually refresh the data that they have. And we have that in many situations. That's actually more the norm because it just reduces the amount of effort on management to have to get the data for them. Here's the access to the data warehouse. Knock yourself out, take whatever you want, so that's a lot easier. Having said that, having said that, though, the data itself is one thing. So you know the more up to date data is one thing. The other is the understanding of the data. And there's a lot of time that is spent understanding what the data is and what it isn't and that you can definitely reuse.
So it sounds to me based on everything you've talked about Yusuf there, in the efficiencies and greater effectiveness can be obtained from accessing, for example, data from a data warehouse from an internal auditors perspective that if we're not thinking about that as auditors, we definitely should be steering our organizations towards that.
Yes, we should be steering them towards that. We should be steering ourselves towards that as well. We wrote an article not too long ago, and we titled it "More access to data to reduce risk" because that's really what we're talking about. If we can't be efficient and if we can't be effective, are we actually putting a control in place or a set of controls in place that are resulting in us, increasing the risk that we face rather than decreasing that risk? So the control in this case, the control being you can't get access to that data or we restrict access to that data, because of the impact of that, your risk level is actually increasing because of that control, rather than decreasing.
So was that the bottom line argument that chief audit executives or heads of internal audit, or heads of performance audit should be making to their chief executive?
You can see it in a few different ways, so we increasing our risk because of effectiveness and efficiency as auditors. We're increasing our risk because of effectiveness and efficiency as management not getting access to what we need. We're not able to deliver the value that we need to be able to deliver. So restricting access to certain datasets means that it's a bit harder to actually execute on innovation priorities. And so what all this means is that as risk professionals, as audit professionals and as management, we need to be thinking more clearly about what controls we put in place, how access to data is determined. And are we happy that the level of access that we provided makes sense for our organisation?
And of course, the cost issue - it may cost us more if we have to revisit, get data every time we do particular projects, whereas if we've got ready access to it and look, let's be honest here, that's what the C-suite think about a lot. How much is this gonna cost me? What benefit will it give the organisation and - as you've just articulated - will this reduce the risk of me not achieving my strategic objectives.
Cost is important. Of course cost is important.? It is a big factor. It does come in, putting these controls in is both costly to put in, but also costly, so it's costly in costly out. So you actually have to spend time to put the control in. And it's actually reducing your efficiency on the way out so costly in costly out. So there's a double whammy. The other is that executives are responsible for revenue generation, new opportunities, new markets. And what that means is that they want to ensure that the ability to innovate, the ability to use the data that we have to better serve our customers is in place, restricting access to particular team members based on archaic, I want to say, thinking
Traditional thinking reduces our ability to do that.
And maybe you've annunciated two matters there. And maybe the third matter is. It's just not forward thinking to rely on these outmoded approaches to data security within a particular internal audit team. When, as we just talked about today, there are so many benefits that can be obtained through having less restrictive sharing approaches. The key message. The takeaway from a performance audit and internal audit perspective for me has been. The traditional mindset to securing data from other team members in internal audit doesn't really stack up in terms of evidence because there are so many benefits that can be obtained from sharing that data, for use in other projects, broadly, to benefit the organisation.
That's right. Think about efficiency. So cost. Think about effectiveness. So the ability to execute on your mandate, the ability to provide better customer service and improve revenue. And think about the way in which we want to communicate our purpose, what it is that we provide and whether the controls that we have in place are actually reducing that and creating more risk for us. And let's start to open the data up a little bit more and share a little bit more.
Share the data, Yusuf.
Share the data. That's right.
Brilliant. Great chat. Looking forward to the next one.
Yep. Thanks, man.
If you enjoyed this podcast, please share with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com - the link is in the show notes.