IT has become crucial to most business models today. The complexity of and dependence on IT are growing rapidly. Taking retail as an example, we will demonstrate to what extent IT audits may contribute to the business success of your company.
The popularity of e-commerce has started a process of radical change in classic retail trade. Traditional and digital marketing and sales channels are becoming more and more intertwined. In modern parlance: "omni-channel" or "bricks & clicks".
Traditional retail will only survive if marketing, physical sale through a chain store network, website, shop and social media presence are integrated into a single "shopping event".
This means, for example, that a customer becomes aware of a product through a print advertisement, gets detailed product information on the company website and, thanks to positive ratings on social media, orders the product online. They pay via PayPal and select delivery to their local store. When picking up the order, they decide to buy other products as well and pay by EC card at the register.
In the future, all business processes in such multi-channel retail will depend on IT. This entails, in particular, the following three types of risks.
Business process related IT risks
The complexity of IT-supported ordering, delivery and billing processes renders traditional controls ineffective. Just think about new customer setups, creditworthiness checks, product returns to your local store and by post, refunds to your credit card, cancellation of orders, cash refunds, accounting transactions between chain stores etc. If a company has in place only basic controls in this complex area, this can be a breeding ground for fraudulent actions.
Therefore, the internal control system should be adjusted and, where needed, fully restructured. Established processes and system settings must not cause management misinformation or accounting errors.
IT-supported controls should make it possible to assess correctness – in real time, ideally.
IT system risks
Reliable IT system operation must be ensured at all times. In the worst-case scenario, any system downtime and/or irregular operation in emergency mode will make your company look incompetent at IT security. Since transactions involve submitting sensitive information, this can cause a substantial loss of customer confidence.
Keeping IT system risks in check requires, among other things, the following elements:
- effective concept of access rights with appropriate separation of functions;
- ensuring integrity and availability of databases at all times;
- standardised system hardening and maintenance process for all systems involved;
- standardised development, test and production environments with appropriate sign-off procedures;
- adequate IT security and data protection management.
IT project risks
IT projects usually affect all business management related divisions of a company, independently of project size, and this complexity is the reason why failures are rather likely to happen. From our experience, we know that failures arise from:
- chaotic project organisation;
- unclear project phases;
- failure to separate the functions of a given division (such as procurement, sales, accounting) from those of the IT department;
- lack of monitoring (quality assurance, internal audit).
To successfully embrace the coming changes in business processes, it is necessary to draw on specialist expertise. In particular, IT audits that take into account the risks identified above may contribute to ensuring the necessary level of security.
Rödl & Partner is active at 94 wholly-owned locations in 43 countries. The integrated firm for audit, legal, management and tax consulting owes its dynamic success to over three thousand entrepreneurially minded partners and colleagues. In close collaboration with our clients, we develop information for well-founded economic, tax, legal and IT decisions that we implement together, both nationally and internationally.
By Hannes Hahn, Partner @ Rödl & Partner
(p) - this article is an advertorial