
April 2008 IT Chair Letter

 

Dear IT-Section Members:

 

What if your organization lost $7.5 billion due to deficiencies in identity and access controls?

 

This very situation occurred earlier this year when an internal probe at French bank Société Générale (SG) identified lax supervision and poor access governance as the principal control weaknesses that allowed junior trader Jérôme Kerviel to circumvent risk management procedures and place a series of unauthorized “bets” on European futures. The investigation’s findings have prompted the bank to implement a host of security upgrades, and have led market regulators to renew their calls for vigilance on the part of financial organizations with respect to the evaluation and design of their internal controls.

While the specifics as to how Kerviel was able to bypass SG’s internal controls are still coming out, he is reported to have stolen computer passwords and employed knowledge from his previous position as a back-office employee to circumvent trading limits and cover up suspicious activities. The bank's report states that following the disclosure of the fraud, "weaknesses were identified in the supervision and control system which required immediate corrective measures."

 

The incident at Société Générale has triggered a flurry of activity in the corporate world, with IT and financial executives scrambling to create and implement sufficient controls to prevent similar incidents from occurring within their own organizations. The events at SG also highlight the evolving role of IT within today’s business environment, and the importance of IT policies in supporting internal control and mitigating Enterprise Risk.

 

IT security has become an essential component of internal control. Identity and access management allows enterprises to “automate” controls and enforce segregation of duties. IT alone, however, is not enough. IT controls are only as good as the policies upon which they are built. As the workforce becomes more tech-savvy, it is increasingly likely that employees will possess the skills necessary to circumvent weak IT systems. Organizations need to place greater emphasis on provisioning, identity management, access control, activity monitoring, and the performance of regular audits.

 

CPAs consulting and working in technology have a critical role to play in helping to mitigate Enterprise Risk. Because of their multi-disciplinary expertise, they can help break down the barriers of distinction between business and IT, leveraging their knowledge of IT systems and internal control to help their clients and organizations take a comprehensive and holistic approach towards managing risk.

 

We are committed to supporting CPAs in this endeavor. Over the next several weeks, we will release articles on two important IT topics with strong relationships to internal control and the mitigation of Enterprise Risk: Identity and Access Management, and Business Continuity Management & Disaster Recovery Planning. Each piece will feature a comprehensive overview of the topic in question, a suggested reading list allowing section members to learn more, and a special section detailing unique considerations for the CPA. We have also put together a comprehensive web seminar schedule drilling down on important IT-related risk-management topics such as Application Controls, IT Governance, IT General Controls, Vendor Management and Project Risk Services. Visit the IT Center or watch your email for more details.

 

Sincerely,

 

                                             

 

David Cieslak, CPA.CITP, GSEC                

Chair, IT Executive Committee

 

P.S. Our upcoming TECH+ Conference, June 8-11 at the Bellagio Hotel in Las Vegas, also includes several related topics. For more information, check out the full conference agenda of topics and speakers.

Copyright © 2008 by the American Institute of Certified Public Accountants, Inc., New York, New York.