Why “Segregation of Duties” Should be Applied to ITAM-ITAD
Segregation of Duties (SODs), a.k.a. Separation of Duties, is the basic fiduciary mechanism that prevents an individual or department from having full custody of process integrity where there is an inherent conflict of interest or an opportunity for fraud. As the name denotes, to mitigate these potential problems, the duties related to those processes are divided between two or more entities, essentially imposing the needed checks and balances.
Given this critical role, SODs are among the first mechanisms third-party assurance auditors look for when verifying the integrity of financial processes. Additionally, the absence of SODs is one of the most common audit failures for organizations seeking System and Organization Controls (SOC) accreditation.
It also follows that SODs are among the first things forensic accountants and fraud investigators look for when diagnosing maleficence, their absence exposing the weak link that internal bad actors exploit.
It is no wonder, therefore, that the Association of International Certified Public Accountants (AICPA) calls SODs “a basic building block of sustainable risk management and internal controls for a business.” and that without them, “the opportunity for collusion cannot be controlled within an organization’s risk preferences or within any acceptable framework.”
The ITAM-ITAD Interface
I’d like first to point out that the SODs I’m referring to call for a separation between an organization’s internal IT asset management (ITAM) function and its internal IT asset disposal (ITAD) function. Though ITAD service providers themselves serve a distinct and valuable role in the dynamic, they are not relevant to this specific discussion below.
Secondly, SODs are not an indictment of a specific individual’s integrity, but rather about the overall stewardship imperative to identify and mitigate conflicts of interest and the potential for non-compliance or fraud in internal processes.
That being said, the fact is that most medium- and large-size organizations have one individual or department that is solely responsible for ITAM, including duties such as IT assets procurement, deployment, and tracking. IT asset managers are also usually charged with managing the intricate and complex web of software licenses.
Amid all this critical work, that same individual or department is tasked with end-of-life IT asset disposal (ITAD). Even if they rely on others to assist, ITAM is usually calling the shots.
The problem is, as logical as it may seem for ITAM to be responsible for ITAD, it is actually a potential conflict of interest since reporting unreconciled or unresolved IT assets could reflect poorly on their performance. They are, therefore, incentivized to overlook discrepancies that should be investigated, resolved, and potentially reported up the management chain.
Put another way, the ITAM is in charge of both IT asset retirement and the quality control of that process, which directly contradicts Control 5.3 of Information Security Management standard ISO/IEC 27001:2022, mandating that processes with conflicting duties and conflicting areas of responsibility are separated.
To be sure, implementing SOD anywhere necessarily adds a level of complexity, and, of course, that complexity has a cost. That said, not implementing it could be far more costly.
Consider these facts:
- Retired IT assets have tangible monetary value, the pilfering of which has been known to happen, resulting in financial, data security, and compliance complications.
- Retired IT assets contain proprietary information, the loss of which compromises intellectual property legal protections.
- Retired IT assets contain regulated personal information, the loss of which must be investigated, reported to senior management, and ultimately resolved in order to avoid escalating fines for non-compliance.
- IT asset disposition is widely recognized as having cybersecurity ramifications, which the Security and Exchange Commission (SEC) deems an investor disclosure issue.
Add to this list the SEC’s recent ruling in the Blackbaum case, stating that the absence of incident reporting to senior management is a violation of the Board’s responsibility to ensure they are informed of investor risks.
With these issues in mind, assuming that all IT asset managers will diligently report uncomplimentary or embarrassing results is both risky and unreasonable. In legal parlance, it’s negligence.
As things stand today, most ITAM and ITAD professionals understand and accept the reality of unresolved and unreconciled retired IT assets. Unfortunately, what they usually fail to appreciate are the ramifications of ignoring them.
Not long ago, Morgan Stanley actually found itself in $35 million worth of hot water with the SEC over this very issue. Some have put the final tally of the loss in the neighborhood of $200 million when all the class action settlements, penalties from other regulators, and corporate and legal fees are included. The SEC went so far as to frame the degree of the ITAD failure as “astonishing.”
Some might at first argue that segregating duties between ITAM and ITAD would bring the ubiquitous problem of unreconciled IT assets to light, thereby resulting in more Morgan Stanley type incidents. Forgetting for a moment that that argument suggests hiding known regulatory noncompliance, what those people suggest is misguided. Morgan Stanley ITAD failures would have most likely never have happened had there been a separation of the duties between ITAM and ITAD. SODs do not make the current ITAD disposal situation worse by bringing it to light, but rather they can prevent the noncompliance in the first place by heading it off at the pass.
Here Come the SEC, the Fiduciaries and the DPOs
Some small percentage of organizations already do segregate their ITAM and ITAD functions. Most don’t. Soon enough, every compliant organization will. SOD between ITAM-ITAD will be the norm.
Well, there’s the SEC’s stated intention to make cybersecurity an investor disclosure filing. Included within the Commission’s proposal is a requirement for public companies to annually disclose any known cybersecurity risks, such as unreconciled IT assets. And, with Boards of Directors being held responsible for the integrity of such disclosures, they had better be able to rely on the integrity of the underlying ITAD methodology, i.e., SOD.
As a result, auditing fiduciaries will be forced to issue findings that inadequate ITAM-ITAD SOD as a deficiency. As mentioned, inadequate SOD is one of the major SOC I & II audit failures. How long before SOC auditors start withholding accreditation when ITAM and ITAD are not effectively separated?
Then there are the Data Protection Officers (DPOs), an increasing number of outsourced professionals mandated under regulations, which, by definition have duty to both their client and regulators. No DPO worth their weight is going to be okay with the current ITAM-ITAD comingled status quo.
What does Segregated ITAM-ITAD Look Like?
Separating ITAM duties from ITAD duties is complicated. All change is. That said, it is not totally new territory. As mentioned, SOD is already a staple of SOC I & II.
The first question is whether the now separated ITAD processes will remain in-house or outsourced.
As for outsourcing, there is a reason the SEC requires outside fiduciaries to conduct financial audits of publicly traded companies. Outsourced ITAD process management (not to be confused with ITAD service providers) not only bring a level of expertise not available in-house, such contractors also have no internal allegiance that could compromise their duties, and, because their continued success is based on reputation and regulatory compliance, they are seen as being held to a higher standard.
That is not to say in-house is not an option, provided the right firewalls are in place.
In either case, the mechanics are similar. Those responsible for IT management would proactively provide the appointed disposal manager (in-house or outsourced) with its list of IT devices identified for disposal prior to aggregation/consolidation.
The physical inventorying is completed by the appointed disposal manager, tagging and recording all devices, as it reconciles what is physically present against the documented inventory that was originally provided by ITAM.
Discrepancies, would be resolved to any one of a dozen conclusions, most of which are relatively innocuous. The important thing here being that they are identified and documented.
Furthermore, the disposal manager would NOT be sharing the inventory prior to shipment to the ITAD service provider, in recognition of the fact that there could be a temptation to rubber stamp the inventory that is provided simply to avoid raising any issues.
The ITAD manager (again, whether in-house or outsourced) would then work with the ITAD service provider, using a number of techniques to assure the integrity of the transfer of custody, device reconciliation and data destruction.
As for when ITAM-ITAD SOD becomes the norm, I’m guessing sooner rather than later. The fact is that it is coming, and for good and prudent reasons. The only question is whether organizations move on it now and implement it in a sound and measured manner, or wait until they are told by the SEC, their auditing fiduciary, their SOC Auditor, or their DPO.
© 2023 Privata Vox, LLC - All Rights Reserved
Bob Johnson, CSDS, CIPP/US, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.
Scan OR Click QR Code below to automatically add to contacts