Better Controls Yield Better Performance

The verdict is in: the greater the adherence to controls, the better-run the information-technology shop. In other words, careful compliance controls can be good for your company.

That was the upshot of a study of 98 information-technology organizations at a variety of companies, undertaken last October by the Information Technology Process Institute (ITPI), a small independent research firm in Eugene, Ore. The institute’s goal was to find out if increased use of controls correlated with higher performance. “Our notion is that process controls in information technology should lead to performance improvement,” says Kurt Milne, managing director of ITPI.

It’s no secret that many businesses bemoaned the reality of having to put additional controls in place to meet the requirements of Sarbanes-Oxley. But the ITPI study results suggest that there may be an unexpected payoff to having a comprehensive set of controls that leads to process improvements for information-technology groups.

“These are the most important findings for information-technology management in a long time,” says Gene Kim, chief technology officer at Tripwire, a developer of change management software. Kim contributed to the early development of the study and has met with scores of CIOs to discuss the findings. “This is really a seminal work on how controls lead to better performance, and on which controls are more effective than others,” he adds.

The study identified 21 key “foundation controls” that had the biggest impact on a set of 25 operations, security and audit performance measures. Some of these foundation controls are:

  • Monitoring systems for unauthorized changes.
  • Making sure that information-technology personnel have well-defined roles and responsibilities.
  • Having a formal process for configuration management.
  • Tracking the percentage of incidents that are fixed on the first attempt.

    Among the performance measures that correlated with these controls:

  • Higher satisfaction with information technology.
  • Less unplanned work.
  • Fewer security breaches resulting in loss.
  • Less disruption caused by audit compliance.

    “These foundation controls really give you specifics to work on to fulfill the spirit of what auditors are looking for,” Kim points out. “The foundation controls provide a shortcut, so that organizations can focus on the four controls, for instance, that give [them] the greatest benefit.”

    Interestingly enough, high-performing I.T. organizations tend to spend less time on compliance activities than their middle- or low-performing counterparts, Kim adds. “It’s because they have the right controls in place,” he says. “This says that having controls actually is good for your operations, not just for the auditors.”

    In another key finding, the ITPI survey identified a subset of controls used by the best-performing information-technology groups that were least observed by the mid-level-performing groups. The top half-dozen controls that separate the two groups are:

  • Monitoring systems for unauthorized changes.
  • Having defined consequences for intentional unauthorized changes.
  • Using a formal process for configuration management.
  • Utilizing an automated process for configuration management.
  • Tracking the change success rate.
  • Maintaining complete and accurate information about infrastructure configurations.

    Milne, for one, believes there is a sea change taking place in information technology as more professionals become aware that improved controls can yield benefits in security, operations and audit performance.

    “The well-controlled information-technology shop is more efficient with lower failure rates,” Milne points out. “CIOs should think about information-technology controls not as a burden, but as a means to drive operational improvement.” To learn more about this connection, ITPI has received a grant to expand its research in this area to include 500 companies.

    Indeed, compliance today is as much the responsibility of the CIO as it is of the CFO. “When the business regulatory environment tightened up, how you ran the underlying infrastructure tightened up,” Milne observes.

    “With SarbOx, any system that touches a business process is covered, and so are the information-technology operations. If people are passing around passwords to your ERP system, somebody can easily make a change that can affect your financials.”

    ITPI, which offers the full report for $1,695, in September will begin offering an online self-assessment tool to enable CIOs and information systems executives to see how their controls and performance stack up against those of other companies.

    For a fee of $499, users answer questions online about their use of I.T. controls as well as some basic performance measures, and in turn receive a benchmark report with a color-coded summary showing where they rank against the top- , medium- and low-performing organizations ITPI studied.