IS Audit in Practice: Do Data Go to Waste?

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 1 November 2022

I signed up for a tour that promised to be an informative talk and walk-through of the Massachusetts Water Resources Authority’s (MWRA) Deer Island Treatment Plant in Winthrop, Massachusetts, USA. I was joined by a large group of community members from the suburbs who were considering moving from individual septic systems to a wastewater treatment plant of their own and wanted to see what Deer Island was doing right. We lucked out. The standard two-hour tour went longer because we were given the opportunity to get up close and personal with one of the egg-shaped digesters that was out of service for preventative maintenance.

A previous column titled “Resilience and Regulation” references the case study of Boston Harbor, Massachusetts, USA, to discuss the value that risk and audit professionals can add to ensure that regulation is enforced for the benefit of the enterprise, customers and the public as a whole.1

Center stage in the Boston Harbor success story is MWRA’s Deer Island facility. “You would not have seen this 30 years ago,” said David Duest, director at the Deer Island Treatment Plant, referring to a photograph of a humpback whale near the treatment facility (figure 1). The Deer Island Treatment Plant serves 43 communities with a total of 2.5 million people in eastern Massachusetts, including the city of Boston. The Deer Island plant not only cleans the wastewater before recycling it back to the environment, but also harvests the wastewater byproducts and recycles the material into class A fertilizer under the brand name Bay State Fertilizer.2

Figure 1—Photograph of a humpback whale near the Deer Island Treatment Plant
Source: Massachusetts Water Resources Authority, USA, 2022, https://www.mwra.com

Data, Data Everywhere

One would expect data tracking for water purity and air quality control, but the MWRA manages data for everything from detecting water cleanliness to COVID-19 trends. The reality is that data are everywhere in this tightly run operation. The wastewater treatment environment is the epitome of data collection and automated control points. Water process monitoring includes water volume data for capacity management; water cleanliness data to align with reporting requirements from the US Environmental Protection Agency (EPA), the Massachusetts Department of Environmental Protection (DEP), and other environmental regulatory agencies; and bacteria level details collected, not only for water cleanliness, but also to maximize the efficiency of waste digestion, since certain bacteria are used in the process to naturally “eat” the waste and purify the water. There is data tracking against the 53 ocean floor diffusers that release the cleaned water back into the sea. There is data collection on air quality throughout the purification process including, to put it politely, aroma detection data to track the environmentally friendly air freshener requirements for air that is recirculated back to the atmosphere.

Physical security data are collected to carefully control the perimeter of the plant, and interior physical data collection feeds various safety alert systems. Cybersecurity data are closely monitored and managed by automation and plant IS security personnel, with the latest technology used to safeguard operations from hackers. Resilience plans are based on capacity management data and equipment tracking data across 70,000 pieces of equipment to ensure uptime across the facility, because people need water whether or not there is a plant outage. US Occupational Safety and Health Administration (OSHA) data are collected without fail to verify a safe environment for the more than 250 employees who work at the plant. There are also financial data because, after all, Deer Island is rate payer funded, with audit controls in place to make sure financial transparency is available to everyone. The amount of data collected is enormous, and the ability to make sense of it seems overwhelming.

Who Cares?

The Deer Island Treatment facility is just a sewage treatment plant, so who really cares about all the data? As it turns out, there is a large audience of interested stakeholders, constituents, regulators, auditors, risk managers and other interested parties who demand different data sets, based on their focus, including:

  • The DEP and EPA, which provide the regulatory framework for the Deer Island operations through the US Clean Air Act and the US Clean Water Act
  • Individual municipality departments of public works that buy the water/sewer services for their communities from the MWRA and need to understand specific usage information and correctly manage the cost to their rate payers
  • Individual rate payers who expect the ability to extract billing and usage details for their households and/or businesses
  • Environmental groups and biologists who are involved in the protection of wildlife near Boston Harbor and along the US Atlantic coast
  • Various health commissions, including the Boston Public Health Commission, that use the Deer Island data to detect virus trends and hot spots in the communities serviced by the plant
  • OSHA, which sets standards for safeguarding the health and well-being of plant employees

When it comes to the Deer Island data, there is something useful for almost everyone, yet combing through the available details would be daunting without technology that reliably sifts through the information to present it in a usable fashion. What makes the data usable is at the heart of the IS risk and audit profession. In an era of “fake” vs. reliable data, consistent data are often questioned. Constituents who rely on wastewater treatment facilities such as Deer Island cannot afford to doubt the integrity of the water they use or wonder if the money they pay is being spent in the most efficient and effective ways to provide high-quality water that is necessary for good health.

Systems and Applications—It All Comes Down to What the Data Say

History has proven that trust can be rebuilt, but at a tremendous cost in time, money and reputation. Data retention periods at Deer Island are a required 15 years and oversight continues in full force. Yet the plant not only has proven that it can provide clean water while maintaining a healthy environment, but also has become a laboratory for testing unrelated to its core operations, with the most visible example being the COVID-19 trend data information. There is an air of reliability around all the data produced and, just as important, the data are available on demand so that their value is the maximum possible for all the audiences that have stakes in the plant’s inputs and outputs.

One key application that provides transparency on a timely basis is the PI ProcessBook.3 The PI ProcessBook application, adapted for use by the MWRA, takes the data and, via a business portal, provides information for each audience. Relevant data availability is essential to the operations teams that know and respect the PI ProcessBook. It focuses on their process areas, excluding data clutter so that team members can benefit from information that relates to their sphere of control. The PI ProcessBook facilitates the highly automated operations by giving the team confidence that all is moving along smoothly and that corrections, if any, can be made on an exception basis. As Duest notes, the integrated application not only facilitates efficient and accurate management control, it provides much needed transparency for the data-consuming audiences. Historical trending meets regulatory requirements and goes further to allow analysis and extrapolation that help set advisory board and rate-payer expectations regarding cost management and performance. As a case in point, weather data and capacity trending provide the means for analytics that correctly forecast increases in the cost of operations based on the fundamental operating model for combined sewer systems. In essence, a combined sewer system takes stormwater and sewage into the treatment plant, in contrast to a segmented approach where wastewater alone comes into the facility. In rainy seasons, the plant runs at high capacity and the cost of doing business increases with the higher volumes of water.

Proving Oneself Every Day

In an era when IS auditing has moved from “trust, but verify” to zero trust, IS audit professionals can contribute to improved expectation setting by validating data on a process-by-process basis and confirming the accuracy and completeness of the data. Verification and validation build trust into the operating environment and into the end customer’s opinion regarding the services provided. Good data are critical and, once validated, can become part of a robust communications model that informs the public and regulators alike about an organization’s operations. At Deer Island, there is a pervasive need to prove oneself every day with unquestionable data accuracy, but all enterprises require solid data to maintain a level of trust. Many auditors have experienced scrutiny from management, from audit or perhaps directly from regulators when the data they pull indicate that something is out of permissible ranges or a control is not performing as expected. Questionable data mean uncertain results, and reporting requirements invariably increase as sample sizes grow. Oversight turns into additional checkpoints, status meetings increase in frequency, and action plans increase in length, with more status updates required. Data that do not prove themselves trustworthy are a time management nightmare that all operations groups look to avoid. It is no surprise that the enterprise welcomes the ability to confirm that its data are meaningful and on target with what is required.


Data Everywhere Turned Into Useful Analytics

Risk management, control adherence and consideration of trend analytics apply to every aspect of operations, public and regulatory communications, and employee education at Deer Island. The degree of necessary structure is a reminder of how successful data management provides the tool for creating a common understanding of objectives, operational status and continuous improvement potential. For IS risk management and audit professionals, the opportunity to contribute to making data meaningful is ever-present, not just in the highly structured environment that Deer Island’s operations represent, but in all organizations where technology holds the key to data quality, privacy and retention requirements. Examples of where the risk management and audit professions contribute include:

  • Process and control point determination—For first line of defense practitioners, working with the business and application developers helps to identify and document the key process steps. It is the critical first step in creating meaningful metrics.
  • Process flows to document the control points in the operational environment—An objective walkthrough with the business captures key process steps and potential control checkpoints. Confirmation by the business that the process has been represented accurately allows documentation of workflows and work instructions that facilitate day-to-day work.
  • Clear control objectives—Useful controls and the reports that can be generated from the control points bring value only when those who use them understand, agree with and value the information. Discussion regarding what is important and how often data should be available helps build a reporting capability that both encourages awareness and allows timely review of statistics that matter.
  • Inspection that confirms the information is trustworthy—IS first line of defense and audit professionals must validate the data. Control objective best practices suggest the five key elements of data accuracy, data timeliness, appropriately approved data, appropriate data access and data completeness are the important considerations for data integrity validation.
  • Preventative, detective and monitoring controls that attest to appropriate data gathering—IS systems and applications inspectors do considerably less hands-on testing and a great deal more evaluation by exception. Automation promises that data analytics will be timely, but only careful inspection of the exceptions and verification of the underlying code that generates the analytics can deliver trustworthy data to the consuming audience.
  • Report verification that examines accuracy and appropriate approvals—After going through process flows and verifying the operational environment, it is critical to examine the reporting accuracy, completeness and, especially, relevance to users to avoid producing information that is unused by audiences because they do not see value in the results provided.
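As an added illustration, not part of the article or of any MWRA system, the five integrity elements named in the fourth bullet (accuracy, timeliness, approval, access, completeness) can be checked by exception over a data owner’s export; the field names, roles, plausible range and schedule tolerance below are assumptions for a constructed sample.

```python
from datetime import datetime, timedelta

# Constructed sample of hourly effluent flow readings; schema, roles and
# values are assumptions for this example, not a real plant export.
READINGS = [
    {"ts": "2022-06-01T00:00", "flow_mgd": 310.2, "recorded_by": "operator", "approved_by": "shift_lead"},
    {"ts": "2022-06-01T01:00", "flow_mgd": 305.8, "recorded_by": "operator", "approved_by": "shift_lead"},
    # 02:00 reading absent -> completeness exception
    {"ts": "2022-06-01T03:00", "flow_mgd": -4.0, "recorded_by": "operator", "approved_by": "shift_lead"},
    {"ts": "2022-06-01T04:00", "flow_mgd": 298.1, "recorded_by": "contractor", "approved_by": "shift_lead"},
    {"ts": "2022-06-01T05:00", "flow_mgd": 301.0, "recorded_by": "operator", "approved_by": None},
    {"ts": "2022-06-01T06:45", "flow_mgd": 299.5, "recorded_by": "operator", "approved_by": "shift_lead"},
]

PLAUSIBLE_RANGE = (0.0, 1270.0)          # assumed physical bounds, million gallons/day
AUTHORIZED_WRITERS = {"operator", "scada_historian"}   # assumed roles allowed to record
AUTHORIZED_APPROVERS = {"shift_lead", "plant_manager"}  # assumed roles allowed to approve
INTERVAL = timedelta(hours=1)            # expected sampling schedule
TOLERANCE = timedelta(minutes=5)         # arrival jitter accepted as on time


def validate(readings):
    """Return (element, timestamp, detail) tuples; an empty list means no exceptions."""
    exceptions = []
    expected = None  # timestamp the schedule says should come next
    for r in readings:
        ts = datetime.fromisoformat(r["ts"])
        if expected is not None:
            gap = ts - expected
            if gap >= INTERVAL - TOLERANCE:
                # whole interval(s) never arrived: a completeness gap, not lateness
                missing = round(gap / INTERVAL)
                exceptions.append(("completeness", expected.isoformat(timespec="minutes"),
                                   f"{missing} interval(s) missing"))
                expected = ts  # resynchronise schedule on the reading that did arrive
            elif abs(gap) > TOLERANCE:
                exceptions.append(("timeliness", r["ts"], f"arrived {gap} off schedule"))
        lo, hi = PLAUSIBLE_RANGE
        if not lo <= r["flow_mgd"] <= hi:
            exceptions.append(("accuracy", r["ts"], f"value {r['flow_mgd']} outside {PLAUSIBLE_RANGE}"))
        if r["recorded_by"] not in AUTHORIZED_WRITERS:
            exceptions.append(("access", r["ts"], f"recorded by unauthorized role {r['recorded_by']}"))
        if r["approved_by"] not in AUTHORIZED_APPROVERS:
            exceptions.append(("approval", r["ts"], "no valid approver recorded"))
        expected = (expected if expected is not None else ts) + INTERVAL
    return exceptions


if __name__ == "__main__":
    for element, when, detail in validate(READINGS):
        print(f"{element:<13} {when}  {detail}")
```

Only the exceptions are printed, which is the review-by-exception pattern the bullet describes; a clean export yields nothing to inspect.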

Conclusion

It is no surprise that controls never get old and are frequently the basis for a trusted operation. Data management is built on accuracy and relevance, and both characteristics are the mainstay of an IS auditor’s inspection criteria. Successful operations are the sign of successful auditing. Going one step further on the process maturity curve by providing education and awareness reaps further benefits for the IS auditing community by showing the value the profession brings.

Author’s Note

The author thanks the MWRA’s Deer Island staff, especially tour guides Jon Wladkowski and Ray Snyder, and MWRA’s Deer Island Director David Duest.

Endnotes

1 Baxter, C.; “Resilience and Regulation,” ISACA® Journal, vol. 3, 2022, https://www.isaca.org/archives
2 Massachusetts Water Resources Authority (MWRA), Bay State Fertilizer, https://www.baystatefertilizer.com/
3 Vettiankal, R.; “Why We’re Retiring the PI ProcessBook,” OSIsoft, 20 October 2021, https://www.osisoft.com/blog/why-were-retiring-PI-ProcessBook

CINDY BAXTER | CISA, ITIL FOUNDATION

Is director at What’s the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as a chance to learn the nuts and bolts of a business and help her clients worry less, because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that affect her community.