ICAI - WIRC · ICAI - WIRC January 21 th, 2012 Auditing the Automated Environment : An increasing...
Transcript of ICAI - WIRC · ICAI - WIRC January 21 th, 2012 Auditing the Automated Environment : An increasing...
ICAI - WIRCJanuary 21th , 2012
Auditing the Automated Environment :An increasing need for & Trends in IT Audits around
the world
Presented by :
Sandeep GuptaManaging Director
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
Agenda
A look at the automated environments
1
1
Risks in automated environments2
Auditable areas in IT 3
Trends in Auditing IT4
Case on IT audit5
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
1. A look at the automated
environments
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
1.A look at the automated environments
Why do businesses go for automation……………….
• Reduce control failures and compliance burdens
• Increase audit efficiency and effectiveness
• Improve the quality of business data
• Better leverage of already acquired applications and tools.
• Sustainability, reduction in costs, and improved value to the organization
GoalsFor
automation
3
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
Procure to Pay
Order to Cash
HR / Payroll
Fixed assets
Facilities / Infrastructure
Customer Care
What all processes has been impacted automated….
1.A look at the automated environments
4
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
How has automation effected business process
1.A look at the automated environments
“You can no longer separate, or in some places differentiate, between manual and automated parts of business processes.”
Procure
To
Pay
Plan
To
Produce
Process Cycles (end to end processes)
Order
to
Cash
Hire
to
Retire
Accounting
&
Compliance
5
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
• Budgets for compliance are shrinking
• Due to shrunk budgets software implementations are done in a limited sense giving lesser focus on automating controls
• End users are not adequately trained
• Due to complexity of the application and software controls to be implemented are not adequately designed
• Due to complexity of the applications, potential for risk from an audit perspective cannot be ascertained
The Reality……
Automation is good….But does it work? where do things go wrong?
1.A look at the automated environments
Automation has its fair share or risks along with the benefits it offers
6
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
Voluminous Transactions and
data
Voluminous Transactions and
data
Different ways of carrying out
Transactions on business
applications
(e.g. ERP’s, CRM, Billing systems)
Different ways of carrying out
Transactions on business
applications
(e.g. ERP’s, CRM, Billing systems)
Automation of Person based
transaction authorizations
Automation of Person based
transaction authorizations
Specialized knowledge required
for operating some applications (e.g. ERP’s, CRM, Billing systems)
Specialized knowledge required
for operating some applications (e.g. ERP’s, CRM, Billing systems)
In accurate data for business decision support
Transaction errors
Configuration errors
Misuse of authorizations
Override ofApplication level controls
Unauthorized transactions
By-product of Automation Resulting risks and probable negative outcomes
Risks
In accurate Business performance information
2. Risks in automated environments
Impact of automation on business processes & risk management
8
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
Transactions (CCM-T)“Did anyone __________?”
Master Data (CCM-MD)“Is the underlying data accurate?”
Access to Applications (CCM-SOD)“Can anyone __________?”
Configuration of IT Systems & Processes (CCM-AC)“Do our systems allow anyone to __________?”
Are we making unnec-essary or unapproved
discounts?
Are purchasing cardholders violating
company policy?
Am I losing money because of fraud?
Have any POs been changed after approval?
Are people making unauthorized or incorrect manual entries to the GL?
Are system configuration changes exposing me to risk?
Is anyone manually clearing blocked invoices?
Are we making duplicate payments?
Are we misclassifying assets as expenses?
Are we at risk of an audit finding for user
access?
Can users access sensitive information?
Are my POs missing based on accurate
vendor master data?
2. Risks in automated environments
How do risks crystallize in the process environment
9
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
How do IT risks effect business environments ?
Risk Impact
Confidentiality
loss
Integrity
loss
Business
sensitive data is
known to
competitors
Inability to take
Accurate
Business
decisions
Availability
loss
Inability to
transact
business in a
timely manner
efficiency
loss
Inability to
transact
business in a
cost effective
manner
effectiveness
loss
Inability to
transact
business in an
effective
manner
Loss
of
bid information
Wrong
Product
Costing/pricing
Outage of
systems used
for
trading
Excessive
Cost of
customer
service
Delayed
customer
Order
processing
e.g…
10
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
How do you look for IT risks? Risk = Anything is likely to effects business objectives
Pro
tivit
i T
ech
no
log
y R
isk m
od
el
tm Business control
objectives
Business KPI’s
IT Processes
IT infrastructure
11
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
How to assess/gauge IT risks – the risk assessment process
• Broadly the risk assessment process to be done by the management should be a part of the enterprise risk assessment process
• The process of assessment remains the same but with special considerations to the following factors which changes the methodology for assessment
Understand business
environment
Create/revisit risk
universe
• Criticality of system (applications and supporting infrastructure) to business operations
• Impact of the system on financial reporting
• Importance of the systems from a business decision making perspective
Identify risk existence
& levels
Identify control
existence & maturity
Assess residual risk &
design Mitigation plan
12
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
Sample : a risk assessment methodology for IT Security related risks
Source : NIST, USA
13
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
How are organizations managing IT Risks
OrganizationalMeasures Technology
Measures
14
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
How are organizations managing IT Risks globally…….
IT Governance Framework
Creating IT policies, processes & procedures compliant to global
standards like COBIT, ISO 27001, ISO 20000
IT Organization
• Recognizing IT as not just a business enabler but a business
driver
• Creating a formalized IT organization with a charter to guide in
governance
• Creation of specialized risk management positions such as
CISO’s.
1
IT Governance Monitoring
Creating, implementing and monitoring SLA’s and IT operational KPI
2
3
15
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
How are organizations managing IT Risks
Confidentiality
risk
Integrity
risk
Availability
risk
Network
infrastructure
Server & End user
computing
infrastructure
Effectiveness &
efficiency risk
Ne
two
rk
Ma
na
ge
me
nt
too
ls
VA
Sc
an
ne
rs
An
ti
Vir
us D
ata
Le
ak
ag
e
pre
ve
nti
on
Dis
kE
nc
ryp
tio
n
ERP
Applications
Ne
two
rk
Re
sil
ien
ce
GRC
Tools
Resilience :Hot stand by’s
Data Back ups andHot stand by’s
16
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
Case Study: Organizational measures in a India based power, construction conglomerate
17
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
Case Study: Organizational measures in a US based pharmaceutical company
18
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.19
© SAP 2007, 071203_PnT_Team_Update, CSG/19
Business Process
Business Process Platform
SAP Solutions for GRC
Cross-Industry GRC
Access Controls Global Trade Environment Process Controls
Risk Management
GRC Repository: Documentation and Monitoring
Industry-Specific GRC
Business Applications
� Delivers transparency to balanced global risk profile
� Standardizes on common GRC content and rules
� Automates and embeds GRC processes into business processes
� Integrates with existing IT assets and technology partners
� Enables easier collaboration with service and content partners
2. Risks in automated environments
Case Study: SAP GRC a tool for ERP risk management
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
Do
cu
men
tT
est
Mo
nit
or
Cert
ify
role of process control module in SOX
Assessment surveys / Test plans
Content Management: Provides formalized
framework to document risk and control
environment.
Automated control testing
Workflow: Automated testing along with workflows
for manual test plans.
Base-lining / Scheduling
CCM: Automatically identify and prioritize issues,
and document resolution.
Certifications
Workflow: Indicates management acceptance of
control status, and provides accountability for the
status of controls.
2. Risks in automated environments
Case Study: SAP GRC a tool for ERP risk management
20
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.21
CxO
� Visibility to enterprise GRC status� Role-tailored analysis� Flexible ad hoc reporting
Oracle GRC Intelligence
Indicators Attestations AlertsDashboards
Business Manager
Internal Auditors
� Data repository� GRC system of record �End-to-end GRC process mgmt
Oracle GRC Manager
AuditManagement Assessment
Issues & Remediation
Event & Loss Management
Risk and Control Frameworks
Application Manager
Configuration Controls
Transaction Controls
� Continuous monitoring of access, policies & controls
� Preventive and detective controls
� Controls risk monitoring
Oracle GRC Controls
Access Controls
IT Manager
� Information security� Enterprise access provisioning � IT configuration management
Technology Controls Management
InformationSecurity
Records & Digital Rights
ConfigurationManagement
Identity Management
Fin
an
cia
l C
om
pli
an
ce
IT G
overn
an
ce
En
vir
on
men
tal
Healt
h
Ris
k M
an
ag
em
en
t
Uti
liti
es &
En
erg
y
Co
mm
un
icati
on
s
Reta
il &
C
on
su
mer
Go
od
s
Co
rpo
rate
R
esp
on
sib
ilit
y
Lif
e S
cie
nces
Fin
an
cia
l S
erv
ices
CEO, Financial CommunityStockholders
Partners provide expertise and
specific solutions for Industry &
Regulatory requirements
2. Risks in automated environments
Case Study: Oracle GRC a tool for ERP risk management
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
2. Risks in automated environments
Significance of IT Risk management measures to auditors
How an organization manages IT risk determines what is to be audited !!
With increase in automation the need for IT audit to take a larger share in the internal audit pie is more than ever !!
22
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
3. Auditable areas in IT
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
3. Auditable areas in IT
IT General Process & Controls
ERP Process
& Controls
IT Security
Process & Controls
Broad categorization of auditable areas in IT
24
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
3. Auditable areas in IT
What to audit areas should you look in IT General Process &
Controls
Protiviti IT Process & System Component View tm
25
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
3. Auditable areas in IT
What to audit areas should you look in ERP Process & Controls..
Pro
tivit
i E
RP
Co
mp
on
en
t V
iew
tm
26
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
3. Auditable areas in IT
What to audit areas should you look at IT security..
Configuration management
Patch management
Access management
System
Software
Network
ArchitectureDevices
Application
Software
27
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
4.Trends in Auditing IT
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
Achieving balance with the right focus involves approaching audit planning and execution as a two-step process
• The development of an appropriate IT
audit plan takes into account the
organization’s:
- Overall risk assessment from its
use of technology
- As well as which technology
components should be addressed
to mitigate the areas of highest risk
4. Trends in Auditing IT
Deciding how much to audit in IT………
29
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
4. Trends in Auditing IT
Global trend on indicative areas of IT audit on an Industry scale
IT/ITES BFSI Manufacturing
Industry
Weig
hta
ge
for
are
a o
f au
dit
Telecom Construction
Physical security
Logical security
Legal Compliance
Network security
BCP DR
Hig
hM
ed
ium
Lo
w
HR Security
Data mgt.
Change mgt.
IT Asset mgt.
IT Vendor mgt.
Physical security
Logical security
Legal Compliance
Network security
BCP DR
HR Security
Data mgt.
Change mgt.
IT Asset mgt.
IT Vendor mgt.
Physical security
Logical security
Legal Compliance
Network security
BCP DR
HR Security
Data mgt.
Change mgt.
IT Asset mgt.
IT Vendor mgt.
Physical security
Logical security
Legal Compliance
Network security
BCP DR
HR Security
Data mgt.
Change mgt.
IT Asset mgt.
IT Vendor mgt.
Physical security
Logical security
Legal Compliance
Network security
BCP DR
HR Security
Data mgt.
Change mgt.
IT Asset mgt.
IT Vendor mgt.
30
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
4. Trends in Auditing IT
How do IA departments deal with IT Audit….
Audit
Planning
• Risk assessments/surveys are done by IAdepartments jointly for both IT and process areasto ensure a wholesome risk assessment ratherthan a silo based risk assessment.
• Audit planning is done in most cases is doneseparately for ITGC on a separate calendar
• Audit planning for ERP Audits is usually clubbed
31
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
• ITGC audits in most global entities are performed aton stretch i.e. the areas are not broken into smalleraudits for the following reasons :
• Various areas of internal audit are highlyinterlinked, mitigating controls for a risk in oneprocess may lie in an another process.
• IT looked upon as support function as a whole andan audit of ITGC at one go would give a moreclearer picture on the efficacy and maturity of thefunction.
• ERP Audits are clubbed along side process audits inorder to get a full assessment of process relatedcontrol environment i.e. both manual and automated.
4. Trends in Auditing IT
How do IA departments globally deal with IT Audit….
Audit
Execution
32
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
4. Trends in Auditing IT
How do IA departments staff IT Audits ?
IT General Process & Controls
ERP Process
& Controls
IT Security
Process & Controls
• In most companies it is done
by external consultants with
specialized knowledge.
• For multi national companies
in the BFSI and ITES space
done by internal teams
• In 70% of the companies it is
done by external consultants.
• For multi national companies
that have large ERP
implementations its done by a
core ERP team
• In BFSI , IT, ITES segments
80% of the companies have
their own ITAudit teams.
• For 40% companies having
extensive multi national
presence have a skeletal IT
Audit
33
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
ERP Auditors
ITGC Auditors
Business ProcessAuditors
• ERP Security Training
• Focused ERP Module level
Training
• End User Training
• Basic ERP security training
• ITGC Audit
• ERP End User Training
• Basic ITGC training
• ERP End User Training
Technical
& functional
operational
Level of Audit Auditor Training Overview
4. Trends in Auditing IT
Training the audit team for IT Audit :Best practice training/deployment schema for various types
34
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
4. Trends in Auditing IT
Question : But is IT Audit as complex as its is made out to be ?
Example of how an access management review for IT infrastructure entails a reviews at multiple levels
Answer : IT Audit is reasonably complex as it requires a blend of technical knowledge, auditing skill and risk management knowledge to effectively delivery an
IT audit
Application
level
Application server OS
level
Database
level
General
OS level
Multi-level review
Network Device level
35
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
5.Case Study on IT Audits
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
User Access Management review and Password Policy Management Reviews at an OS Level
Review at an OS Level involves the
detailed analysis of the various users
having access to the OS . Different servers
in an IT environment can have different
OS’s. s
AIX
Windows Server
Solaris
UNIX
User Access privilegesUser Access privileges
Password Policy ManagementPassword Policy Management
5.Case Study on IT Audits
What do we look at :
37
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
User Access Management review for AIX OS
List of Users from the OS IS
generated with their details
like Userid, Groupid.
The aim is to find out the
number of users having root
level privileges with Userid 0.
What to typically look at during an AIX Review
5.Case Study on IT Audits
38
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
Password Parameters for AIX Servers
Settings which are potentially
dangerous such as minlength
parameter being set to less
than 8
What to typically look at during an AIX Review
5.Case Study on IT Audits
39
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
User Access Management review
Audit account logon Details
Audit Account Management
Audit Directory Service Access
Audit account logon Details
Audit Logon events
Audit Object Access
Audit Policy Change
Audit Privilege Use
Audit Process Tracking
Audit System Events
What constitutes a good auditing policy in Windows OS
5.Case Study on IT Audits
40
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
User Access Management review in Windows Server 2003, OS
For User access
Management in Windows
from the Sample Machine
traverse to the GP Editor
Navigate to the shown
pane/properties
5.Case Study on IT Audits
41
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
User Access Management review : Windows Server 2003 OS
Enforce password History
Maximum Password Age
Minimum Password Age
Minimum Password Length
Password Must meet complexity
Store Passwords using Reversible
Encryption
What will we look at ?
5.Case Study on IT Audits
42
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
Password Setting Review Windows Server, 2003
For User access
Management in Windows
from the Sample Machine
traverse to the GP Editor
Navigate to the shown
pane/properties
5.Case Study on IT Audits
43
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
User Access Management review in ERP System ( SAP)
Table USR02 in SAP system is used to
store all the user identical and password.
This is also called as SAP user master
record.
SU01 ,SU02, SU03 Tables are used to to
Provide information about USERS,
Profiles and Authorizations
Using this we are able to detect users
with weak password settings, excessive
transacting rights and conflicting roles.
5.Case Study on IT Audits
44
© 2012 Protiviti Consulting Pvt Ltd.
CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.
Conclusion
With fast growing evolution of IT, and ease in execution of transaction risk levels have reached an all time high.
In order to ensure an effective audit and risk management function at a global level it is imperative that CAE’s start looking at enhancing the reach of IA to relevant IT
processes.
45