IT Opportunities & Risks

Technology continues to increase in strategic importance and risk to organizations

Rapid deployment of emerging technologies creates risk
Regulatory requirements and scrutiny are ever increasing
Deficiencies in IT controls can have a significant impact on the organization

Top 10 Emerging IT Risks

Social Networking
Issue
Use of social media technologies is expanding into new areas.
Examples include user communities, business collaboration, and commerce.
Regulatory requirements are catching up (e.g. financial services organizations).
Risk
Brand protection
Unauthorized access to confidential data
Regulatory or legal violations

Current company policies may not readily apply
Historical audits are insufficient as risks are rapidly evolving.
Need to complete an inventory of social media usage, and existing policies, procedures and controls.
Draft and execute new audit plan based on emerging risks and current usage within the organization; may need to include the HR, IT, and Legal departments.
Determine whether a training course should be delivered to employees.

Mobile Devices
Issue
Rapid expansion of number of devices, and functionality (e.g., 15+ million iPads in current circulation).
mCommerce enabling technologies within companies introduce new risks as well.
Risk
Loss / release of critical business data
Security and identity management
Application development challenges
ERP integration issues

Historical audit procedures are insufficient.
Need an inventory of all current allowable devices and corresponding policies & procedures.
Evaluate effectiveness of push controls.
Understand mCommerce activities and processes/technology.
Ensure that controls are in place for lost devices.

Malware
Issue
Malware continues to increase in sophistication, and has more avenues for execution (e.g. mobile devices and traditional computing).
Most PCs still provide local admin access. Work-at-home flexibility increases issues.
Risk
Loss or theft of critical information
Hardware impacts
Cash impact
Lost productivity

Understand organizational approach to malware identification, isolation, and remediation.
Consider impacts beyond traditional spamware/firewalls (e.g., remote users, mobile devices).
Consider update schedules and monitoring (beyond responsiveness to patch updates).
Control contractor / consultant access to the corporate network.

End User Computing
Issue
End User Computing (EUC) applications continue to evolve given resource constraints of economic downturn.
Increased scrutiny is being applied by auditors and regulators, particularly to financial models.
False sense of security provided by current efforts.
Risk
Misstated financial statements
Unsupported decision making
Regulatory concerns
Loss or corruption of data

Understand current approach to managing and controlling EUCs.
Policy-based approaches are typically insufficient.
Evaluate use of technology and critical technical settings.
Evaluate other program aspects including governance, security, management processes, and training/awareness.

Corporate Espionage
Issue
More specific targeted efforts (often for gain), assisted by increase in mobile computing technologies.
Increased access to government defense toolkits. Specific verticals hardest hit, e.g. oil firms, gaming platform networks, defense contractors.
Risk
Loss or release of corporate data
Denial of service
Intellectual Property loss
Recommendation

This should be a component of information security audits. SOX monitoring controls generally insufficient.
Need to understand specific threats, user awareness, hardening of critical devices and access points (via firewalls and network traffic monitoring devices / software), vulnerability assessments, and detection/escalation procedures.

Project Backlog
Issue
Economic downturn caused decrease in IT investment and deferral of critical projects resulting in large project backlogs.
Recent increase in resumption of large corporate IT projects, now being performed with reduced staff levels and/or weak project management oversight.
Risk
Project delays or failure
Completed projects shortchanging security and controls
Failure to achieve business objectives
Poor or inadequate vendor management

Current projects should be included in enterprise risk assessments and IT audit universe.
Ensure that controls are built into projects; deferral until after project goes live creates substantial risk and remediation can be expensive.

IT Governance
Issue
Reduced enterprise IT support / budgets and increased ease of technology deployments have led to multiple shadow IT organizations within enterprises.
Shadow groups tend to not follow established control procedures.
Risk
Failure to comply with corporate IT policies and controls
Operational impacts
Information security risks
Regulatory violations
Duplication of efforts, increased costs and inefficiencies

Determine extent of shadow IT deployment.
Identify applications and environments deployed outside of usual channels, and assess compliance with corporate policies.
Evaluate and assess duplicative systems, licensing, and support issues.

Electronic Records Management (ERM)
Issue
Increased deployment of ERM solutions, with corresponding data conversions and process changes.
Specific verticals more highly impacted (e.g., health care and financial services).
Risk
Loss of data in conversion process
Regulatory violations if inadequate controls exist
Storage, retention, and forensic issues

Determine extent of ERM deployment. Identify impacted data and processes.
Ensure data is mapped against existing data management strategies, policies and legal requirements. Evaluate storage controls and monitoring.

Data Management
Issue
Increased regulatory requirement for management and security of types of data. Lack of ability to identify types/location of enterprise data.
Lack of robust data stratification schema to categorize sensitive data.
Exacerbated by cloud deployments, shadow IT organizations, mobile computing, and electronic records management.
Risk
Regulatory penalties
Brand damage
Increased cost of compliance

Evaluate current data management program.
Assess level of adequacy to current business requirements and emerging regulations.
Identify specific data management controls and perform focused audit procedures.

Cloud Computing
Issue
Proliferation of external cloud computing solutions, corporate- and user-based.
Different deployments available: data, applications, services.
Risk
Administrative access
Data management location/compliance/recovery/security
Dependent upon availability of cloud provider and internet connection
Investigative support
Long-term viability

Identify cloud computing strategies deployed or planned.
Determine applications and data impacted.
Perform a risk assessment for the items impacted and determine the organization's risk tolerance.
Identify controls that mitigate risks identified above.

Summary
Need to understand which items may be relevant in your business and technical environment
Ensure that risk assessments (and internal audit universe) address relevant items
Investigate / audit and prove that risks are adequately addressed to comply with regulatory requirements, company policies, and/or best practices

Information Technology and Corporate Strategy


Technology-based competitive opportunities are overlooked because of:
Senior management's ignorance of information technology and its potential uses
Poor communications between the information systems group and the rest of the business
Resistance to change, among both information systems and business personnel,
A lack of focus on opportunities for competitive advantage, and
A lack of instruments to measure benefits.

Opportunities arising from information technology can be viewed from three perspectives:
That of an organizational designer trying to improve the efficiency and effectiveness of the current organization
That of an industry insider trying to outmaneuver other participants in a competitive game
That of an outsider investigating whether to enter an industry

These perspectives represent three major strategic views: internal, competitive, and business portfolio.
Internal strategy is concerned with the development of efficient and effective organizational structures and processes for achieving goals and objectives.
Competitive strategy focuses on competitive moves within the industries in which the organization does business.
Business portfolio strategy concerns the choice of which industries to compete in and how to position the organization in those industries.

Information Technology and Internal Strategy


Internal Strategy and MIS
Information technology and organizational design
The range of organizationally relevant measures of systems can be described using two dimensions of information technology:
Functional components of a system (storage, processing and communications)
Performance characteristics of these components (capacity, quality, and unit cost).

Information Technology and Competitive Strategy

They identify three types of opportunities that can create competitive advantage:
Improve each value adding function
Link with customers and suppliers to increase their switching costs
Create new businesses through service or product

Parsons uses Porter's competitive forces framework to identify six generic categories of opportunities for competitive advantage:
Increase customer's switching costs through value-adding IT-based information or service
Decrease one's own switching costs against suppliers
Use IT to support product innovation for purposes of maintaining one's position or deterring potential substitutes
Cooperate with selected rivals through shared IT resources
Substitute information technology for labor
Use information to better segment and satisfy one's customer base.

Another Perspective: Four areas of opportunity

From these we have distilled four areas of opportunity for IT to support competitive strategy, which are:
Improvement of operational efficiency and functional effectiveness
Exploitation of interorganizational synergies
Product innovation with IT
Acquisition of bargaining advantage over one's customers and suppliers

Operational efficiency and functional effectiveness
Cooperative information systems
Product innovation with information technology
Creation of bargaining advantage against customers and suppliers
Comparative efficiency

Information Technology and Business Portfolio Strategy

Structural impacts of information technology
Exploitation of technology advantage
