IS Audit in Practice: Resilience and Regulation—Finding Common Ground for Sustainability

My evenings are usually quiet three weeks out of the month, but at least one week is packed with community meetings and city public hearings. The pandemic may have impacted in-person gatherings, but government and community action continue online. It was one such public hearing, on a matter that would affect climate resilience, that made me wonder how things ever got done and who was around to keep things organized and people aware. It also made me think of the roles there are for IS auditors and risk professionals in the hotbed discussions of climate resilience and sustainability.

The hearing title was a daunting alphabet soup of acronyms and, despite the significant outcome that could result along the inner Boston Harbor (Massachusetts, USA) shoreline, fewer than 50 people were in attendance. It could have been the hearing title that deterred attendees, which, without the acronyms, translated to “A Determination Regarding the Designated Port Area (DPA) for East Boston, Massachusetts, Hosted by Coastal Zoning Management (CZM) as Requested by the Boston Planning and Development Agency (BPDA).” It could have been the weeknight meeting time, when people are eating dinner or helping kids with homework. Most likely, though, it was because there are a number of climate resilience legislative efforts underway: from the City of Boston Wetlands Ordinance, which will regulate development along Boston’s waterways, to the state-level legislation for environmental justice that has been working its way through the US State of Massachusetts statehouse for years, to the US federal environmental laws that overlay both the city- and state-level regulations. It is difficult to sort through all the ordinances and regulations to understand which priorities will actually make a difference to people who live and work in the area. This confusion and morass of information is a perfect opportunity for IS risk and audit professionals to make a difference by following a few strategic steps to get through the chaos.

When one thinks of risk assessment, controls creation, and testing/auditing, especially in the context of popular topics such as climate resilience, there are four strategic points that illustrate how IS risk and audit professionals can contribute to a more sustainable and environmentally just outcome for our communities:

  1. Clarity enables focus and effectiveness.
  2. Systems reliability provides necessary accuracy for evidence of impactful issues and timely data availability for climate action.
  3. Awareness promotes prioritization of sustainability.
  4. Enforcement/positive recognition of compliance produces traceability and continuous improvement.

Case Study: The Boston Harbor Cleanup

The Boston Harbor Cleanup is a reality check on how things can happen over years instead of the months environmentalists hope for when it comes to environmental sustainability measures, and it lends credence to the four strategic points previously listed. Boston is often described as a gritty, working-class transportation hub of New England, whether by land or sea. Since the US industrial revolution began in the late 1800s, Boston’s waterways have been a conduit for industry, and “gritty” became an increasingly accurate description of both Boston Harbor and the Charles River, which divides the cities of Boston and Cambridge, Massachusetts. Heightened awareness of the need for environmental protection resulted in several pieces of legislation in the 1970s, including the US Federal Clean Air Act and the US Clean Water Act. Establishment of the US Environmental Protection Agency (EPA) in December 1970 and the first US Earth Day in the same year were testaments to public sentiment demanding consideration of ecology, not just economy,1 but the city of Boston had not gotten on the environmental bandwagon. Furthermore, studies out of Woods Hole, the Massachusetts science and oceanography center, pointed to tumors in fish that stemmed from raw sewage dumped into the harbor. Public outrage was mounting, yet Massachusetts continued to pursue a waiver for the Clean Water Act requirements, instead commissioning studies to further examine next steps.2 It took three entities filing lawsuits against the Metropolitan District Commission (MDC) and others, starting with the city of Quincy, Massachusetts, USA, in 1982, before anything was done. Despite regulation, despite the lawsuits, and despite a court order blocking municipalities from tying into the sewer system that served 41 cities and towns,3 work on the cleanup did not start until 1985, and victory was not declared until 30 years later.4

Sustainability and Risk Management: So Much to Be Done

Much has changed since the initiation of environmental regulations in the United States in the 1970s and compliance tracking in the 1980s, mostly from the perspective of technology. Much has also stayed the same when it comes to the process of evaluating environmental risk and turning that risk assessment into effective regulation. The tracking technology for wastewater management has enabled critical monitoring controls and has even provided other valuable data points (e.g., Boston’s COVID rates have been benchmarked using data produced from the water management systems serving the city). The enactment of laws can still take years, and controls effectiveness is still dependent upon data integrity and enforcement resources. Now more than ever, IS professionals working to promote effective technology and automated detection are critical to making environmental sustainability a reality.

Strategic Point #1: Clarity Enables Focus and Effectiveness

The natural starting point for the four strategic points of systems/data reliability, awareness, clarity, and enforcement/recognition has to be establishing clarity. Without a clear scope objective, as the case study demonstrates, large amounts of information and varying opinions lead to data overload. That overload fosters a sense of complexity that encourages people to disengage or choose their own focus, grabbing onto whatever insights seem appealing or even self-serving. How often has an auditor conducted a review, after carefully scoping the work and speaking with process and operations owners, and still faced business pushback on the outcome because that is not the exact process the business expected would be examined? It is not just a result of findings that have been uncovered, but rather a lack of agreement on what the audit would cover and poorly defined expectations regarding the potential audit outcome. What is the point of performing an audit or conducting a controls assessment if the report will be put to the side instead of acted upon?


The topic of scope is a critical one to consider and has been noted in other columns, namely “Relinquishing Privacy to Research”5 and “Survival When You Are Small.”6 When it comes to environmental sustainability and the plethora of meanings the term “green” evokes for those involved, accurate scoping is critical to the clarity that will garner public interest and legislative interest, appeal to business stakeholders, and win support from the impacted communities. There is a great deal of material the successful IS audit professional must review to produce that cornerstone of clarity, the scope. A common flashback for auditors and compliance testers is the audit that missed the intended target or, even worse, had to be restarted with a revamped scope because the auditor did not investigate the process under review in sufficient detail. Every audit scope needs upfront buy-in, and environmental sustainability work is no exception.


Scope clarity is just as critical for established legislation and green business. Here, investigation should uncover relevant processes, related monitoring controls and detective controls, and preventive control points. Given the fast pace of environmental technology, ongoing evaluation of scope is key to ensure that what worked in the past is not mistaken for the way things should be now and in the future. Equally important, environmental sustainability audits can easily suffer from scope creep because there is so much to do and so many passionate views, but the diligent IS auditor can avoid rework with the necessary upfront research to uncover the key process and relevant dependencies, sticking to the objective at hand instead of watering down the outcome with too much “stuff.”

Strategic Point #2: Systems Reliability Allows for Data Trust

Data accuracy and timeliness are foundational to environmental sustainability. Once work is defined, the value of the audit becomes reliant on whether the data can be trusted. Think of the case study outcome where current waste treatment facilities can accurately detect levels of COVID-19. Those data are not relevant to environmental sustainability, but the system attributes that can detect such detailed particulate matter are essential. Is the system enabled to track data that are relevant and provide evidence for environmental legislation or business process modification? Does it rely on another system for data and are those data accurate and secure? Do the data flows uncover additional systems that are integrated and, therefore, should be considered within the scope for an outcome that makes operational sense?

Uncovering or validating the systems that the auditor should include identifies the processes to flow out. Evaluation of the systems’ data integrity needs to identify the information sources, that is, all upstream systems and applications, once again with business concurrence. Finally, documentation of the system and application data flows attests to the accuracy and integrity that establish the credibility to act.

Strategic Point #3: Awareness Promotes Prioritization of Sustainability

Once again, the risk and audit disciplines can unlock complexity by carefully considering scope, identifying relevant and related regulation, and, especially, clarifying how the data in supporting systems relate to the regulatory controls that are proposed to take effect. It is all about turning the scope and relevant data into something digestible and actionable. How can an IS audit or risk professional boil things down to essential details that facilitate awareness? Consider these points, whether you are hired for the work or whether you are an environmental sustainability advocate:

  • Understand the baseline of regulation. In the case of the City of Boston Wetland Ordinance work, as was true with the case study on the Boston Harbor cleanup, researching the key aspects of the Clean Water Act is the starting point.
  • Look for related municipal and state/provincial regulation specific to the scope. In the case of the Boston Wetlands Ordinance, the Clean Water Act and earlier phases of the Wetlands Ordinance are the regulations that are most germane to new regulation under consideration for the final operational phases of the Wetlands Ordinance.
  • Consider the potential automation of the proposed regulatory controls. Is there systems support that can provide accurate and timely information? If the information is accurate but is not timely, the result may be a request for controls waivers, just as occurred with the Boston Harbor cleanup, to study the situation further instead of taking action immediately, even as sludge washed up on area beaches.
  • Ask if the controls and systems data provide information for metrics that will be actionable and reasonable from an operations perspective. If the controls examined from the agreed-upon scope are not system supported and the systems do not provide data that lend themselves to trackable milestones of improvement, awareness will diminish because governing bodies and the impacted communities they serve will have lost interest. If that occurs, enforcement or even recognition for compliant work will be ignored as unimportant at best or will invoke anger at the “restrictions” imposed at worst.

Strategic Point #4: Enforcement and Positive Recognition Can Lead to Continuous Improvement

All audit professionals know that controls without a consequence do not control much. The Boston Harbor cleanup case study is an excellent example of allowable delays that increased costs and caused both health and economic issues that should have been averted. There was no doubt, with all the beach closures and evidence of tumors in fish, that the public was negatively impacted. Did the public care, or was there a feeling of hopelessness that enforceable controls could have helped avoid? It was also clear in 1984 that the impact on development in the Commonwealth of Massachusetts would be devastating when the court-ordered halt to sewer connections for new buildings in more than 41 communities in eastern Massachusetts, including the City of Boston, took effect unless evidence of cleanup was available. Finally, consequences aligned even further in 1988, when political futures were put on notice for inaction on what was then considered the dirtiest harbor in North America.

Today, automated auditing tools, data analytics and monitoring systems such as those now in place for waste management in Boston Harbor make enforcement a timely effort, and recognition of improvement is as easy as looking at a coastal Massachusetts restaurant menu advertising local fish on its list of specials.

What You Can Do

Environmental resilience is something the IS audit and risk community can and should influence. There is no shortage of passion on all sides of the discussion, yet there are few who come to the table with the breadth of risk and controls experience that we have as a profession. Even more critical is our perspective on making audit work practical and operational so that things get done and sustainable benefits occur. Get ready for the fight; it is not an easy one. But collecting relevant data, finalizing an agreed-upon scope and delivering results that encourage compliance maturity is not easy no matter what we are examining. We do this all the time, and environmental sustainability and justice is a worthy place to offer our skills and talents.

Endnotes

1 US Environmental Protection Agency (EPA), EPA History: Earth Day, https://www.epa.gov/history/epa-history-earth-day
2 Moore, M.; “Tumor-Free Flounder Are Just One Dividend From the Cleanup of Boston Harbor,” The Conversation, 19 January 2019, https://theconversation.com/tumor-free-flounder-are-just-1-dividend-from-the-cleanup-of-boston-harbor-109217
3 Clendinen, D.; “Judge Restricts Boston’s Sewers to Clear Harbor,” The New York Times, 30 November 1984, https://www.nytimes.com/1984/11/30/us/judge-restricts-boston-s-sewers-to-clear-harbor.html
4 Op cit., Moore
5 Baxter, C.; “Relinquishing Privacy to Research,” ISACA® Journal, vol. 2, 2021, https://www.isaca.org/archives
6 Baxter, C.; “Survival When You Are Small,” ISACA Journal, vol. 3, 2021, https://www.isaca.org/archives

CINDY BAXTER | CISA, ITIL FOUNDATION

Is director at What’s the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as a chance to learn the nuts and bolts of a client’s business and help them worry less, because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.