Auditors blame IT for botched identity management

Auditors and compliance professionals are frustrated with how their IT departments handle identity and access management (IAM) projects, according to a new survey.

Almost half (45 percent) of the 845 respondents recently questioned by the Ponemon Institute said their own organisation did not effectively focus its IAM policies and controls on areas of business risk.

The compliance professionals, 68 percent of whom said IAM products were in use in their organisations, also expressed frustration that IT and business management groups weren't collaborating well in deploying IAM.

"The compliance and audit folks think collaboration is important, but they acknowledge their companies' shortfall in this area," says Larry Ponemon, chairman and founder of the research firm. The "Audit & Compliance Professionals: Survey on Identity Compliance" study released this week by Ponemon was sponsored by SailPoint Technologies.

Sixty-five percent of those surveyed complained that "IT staff lacks understanding of risk management and compliance," a drawback that made it difficult to implement IAM controls effectively. The IT department in most cases was deemed the most responsible for selecting, deploying and monitoring IAM products in the organisation.

The poll also found that IT departments and audit and business people often do not collaborate well on compliance. Of those polled, 61 percent said "there is no collaboration whatsoever" or "collaboration rarely occurs"; 25 percent called it "okay, but could be improved," and 14 percent calling it "excellent."

Ponemon said the study shows that according to the respondents, "the IT people don't have an appreciation of audit and compliance, what the rules are, and don't prioritise compliance. They think IT cares more about efficiency."

He added a similar survey of IT people last February on the same topic showed the reverse, with IT professionals unhappy with audit and compliance professionals.