Baseline recently ran an interesting story based on IT Policy Compliance Group research connecting data loss to the success or failure of compliance efforts.
The summation of the research was that "companies that perform well in compliance audits also excel at protecting their data." The survey was based on data collected from 2,000 companies of varying revenue sizes, and on publicly reported data losses and thefts.
The survey found that "companies with two or fewer compliance deficiencies annually are likely to have two or fewer data losses or thefts in the same time period. Conversely, organizations that lag when it comes to compliance (10 or more deficiencies in a year) are likely to experience data loss more than a dozen times annually."
However, perhaps the most interesting conclusion drawn from the research surrounds the number of control objectives a company is attempting to audit and report against. According to Jim Hurley, managing editor of IT Policy Compliance Group and leading contributor to the research firm's The ITPCG Blog, companies with fewer control objectives, usually safeguards meant to support security and other policies, actually performed better on compliance audits and had fewer data breaches.
The example given in the article showed that businesses with an average of 82 control objectives had 22 or more compliance deficiencies annually and 13 or more data losses and thefts in the same year. Companies with an average of roughly 32 control objectives had two or fewer audit deficiencies and two or fewer data losses each year.
Hurley's conclusion was: "businesses with fewer controls are focusing on managing exceptions rather than spending time and labor trying to manage everything."
I certainly agree that there is probably some merit to Hurley's conclusion, but there are some unanswered questions that might have made the research more compelling.
- How many of the control objectives in either case were internal standards vs. auditor-imposed?
- Was the number of control objectives related to past audit deficiencies vs. a history of consistent ability to validate adequate controls were in place?
- How did the 82 control objectives compare to the 32? Were the 32 better defined to meet areas of greatest risk?
I think the PCAOB, in releasing Audit Standard No. 5, also recognized that too many standards are actually a deterrent to meeting compliance objectives and providing meaningful infrastructure security, by incorporating a more risk-based approach to Sarbanes-Oxley compliance.
It would just be interesting to get a little deeper into these findings to see whether well-placed controls, regardless of the number, are at the core of the reduction in data loss and reduced audit deficiencies.
Contributed by Mark Tordoff