Friday, April 23, 2010

Identity and Access Management Research Paper (Under Construction)

Introduction
Many technologies exist today to protect the sensitive information that people can access. Examples include identity and access management, biometrics, and certificate authorities, and newer technologies are likely to arise in the future. The topic of identity and access management is very broad, however, and it is likely that these technologies that protect sensitive information are considered a part of identity and access management.


As stated by the AICPA, identity and access management (also abbreviated as IAM) is the “implementation of physical, technical, and administrative controls that limit access to company resources to authorized persons. A challenge exists with achieving easy access by authorized users while making resources inaccessible to unauthorized users” (AICPA, 2009). Identity and access management “encapsulates people, processes and products to identify and manage the data used in an information system to authenticate users and grant or deny access rights to data and system resources…the goal of IAM is to provide appropriate access to enterprise resources” (Identity, n.d.). These two different sources are both stating that identity and access management is a way to restrict the usage of all sensitive information from people who are not permitted to view that particular information.

Step 1: Define the Framework and Research Questions

Hype Cycle

As of 2005, the analysts from Gartner determined that “most identity and access management technologies are maturing” (Witty, 2005). I believe that this is still the case today. Those same analysts determined that there were seventeen different technologies under the span of identity and access management that should be discussed under the hype cycle of this technology. When looking back at 2005, we see the following curve that exists for the hype cycle of IAM:

Figure 1:
Hype Cycle for Identity and Access Management Technologies, 2005


Note: This graph shows the position of different IAM technologies along the hype curve in 2005. The hype curve displays how companies are adopting these different technologies as well as their maturity along the curve. Retrieved from “Hype Cycle for Identity and Access Management Technologies,” 2005, Gartner.


Now that the hype cycle has been shown for 2005 in association with the IAM technology, let’s discuss how the cycle has possibly changed over the last five years.

Clifford Lynch, an editor of The Coalition for Networked Information, addressed in his discussion draft the feasibility of authentication and access management. The first problem that the technology needs to solve is to operate at a “practical level”. This means “it needs to be sufficiently robust and simple so that user support issues are tractable” or good (Lynch, 1998). He also discusses how biometrics (where identity and authentication are verified using attributes such as “2D and 3D faces, fingerprints, irises, speech, and keystroke dynamics”) is not easy for every business to operate (Yager, 2010). Lynch reports that any authentication that is “requiring specialized hardware, such as biometric systems or smart card readers, is certainly not going to be feasible on a cross-institutional basis” (Lynch).

However, since Lynch wrote his discussion draft in 1998, authentication has improved a great deal, especially in the area of identity and access management. This leads us back to the hype cycle. The curve for IAM shows the various technologies that are classified as IAM, with the hype and maturity that companies should consider before adopting a particular technology. At this point, four of the technologies under the scope of IAM will be discussed. Their location on the hype cycle, as well as the overall position of IAM on the curve, will be addressed.

Federated Identity Management

Throughout my research on IAM, I have seen this topic appear quite frequently and definitely believe it needs to be discussed here. In 2005, federated identity management was declared as a part of the “climbing the slope” stage of the hype curve. Federated identity management is “a new standards-based approach to directory services that streamlines and secures user access to networked resources. It enables a single sign-on” (Kobielus, 2005). This technology is basically integrating directory services in order to share user information amongst different points of login. Gartner analysts believed, in 2005, that this technology was climbing the slope (of enlightenment) where there is increased experimentation and research, as well as case studies. In 2010, I believe this technology is on the verge of entering the plateau of productivity stage of the hype curve. I believe this because the technology has become more available for the public. There are a large number of materials available for companies to research and there are companies out there promoting their services for that technology.

Password Management

In 2005, Gartner classified password management as the “entering the plateau” stage of the hype curve (Witty, 2005). The plateau of productivity stage of the curve is where “organizations begin to fully realize the benefits of the technology” and the “risk associated with adopting the technology has been reduced” (O’Leary, 2008). Password management is the “automation of password” and was placed in this position, because it is “a typical first phase of an identity management implementation” and “often integrated with the help desk toolset” (Witty, 2005). I believe in 2010, password management has entered the rapid growth phase, because not only do large corporations have this capability, but so do the government, industries, non-profit organizations, and everyday Internet users. They are able to automatically change their password without the help of a specialist.

Virtual Directories

Virtual directories are a technology that was considered to be “sliding into the trough” in 2005 and was declared as such by the Gartner analysts (Witty, 2005). Virtual directories are a type of software that creates “a logical (virtual) view of a…directory by combining data from multiple repositories” (Witty, 2005). The Gartner analysts determined in 2005 that it was at this stage in the hype curve based on the increase in usage. I believe that this particular IAM technology has remained stable on the curve. This technology is still in its adolescent stages, in which more users need additional understanding of how virtual directories are utilized before implementing them in their IAM structures. In researching this particular topic, there was very little information available. With limited information for potential users of virtual directories, it remains in the trough of disillusionment stage.

Biometric User Identification

Biometric user identification was stated to be at the peak of inflated expectations stage of the hype cycle in 2005. Biometric user identification is the “use of unique physical features (such as fingerprints, face, and iris recognition) or, less often, behavioral traits (such as voice, typing rhythm, and signature dynamics) as a form of user authentication” (Witty, 2005). This technology is ensuring a user’s identity through the use of the person’s physical features instead of the mental features of remembering a certain code. I believe that this technology is no longer at the peak of inflated expectations stage of the hype cycle in 2010, and is now at the trough of disillusionment stage. As with the previous stage (at the peak), just like its name, the technology had very high expectations that it could not meet. Its inability to meet those expectations has led it into its next stage. Since the biometric user identification technology did not meet up to its expectations, due to inaccuracy and integration issues, and caused low adoption rates, I believe it belongs in the trough of disillusionment stage of the hype curve.

IAM’s Overall Hype Curve Position

As stated earlier, identity and access management was declared to be a maturing technology by analysts. The Gartner analysts also stated that the “vendor hype concerning IAM technologies needs deflating” (Witty, 2005). In 2010, IAM is entering the plateau stage of the hype curve, and some of IAM’s technologies may be entering the rapid growth phase. At the plateau of productivity stage of the hype curve, the “real-world benefits of the technology are demonstrated and accepted” (O’Leary, 2008). During the plateau of productivity, about 30% “of the technology’s target audience has adopted or is adopting the technology” (Witty, 2005). It is evident that IAM has reached more than 30% of its target audience. It is also obvious that the benefits of this technology are very well accepted.

As of 2005, the analysis relayed that most of the main functioning technologies under IAM were pretty much matured and entering the plateau, except for some technologies such as biometrics, IAM/NAC integration, and contactless proximity cards. Also, if you look at many organizations, from non-profits to large corporations, you see several instances of IAM being performed. Employees at the Center for Families and Children (CFC) are able to change their passwords without assistance from the technology help desk. Everyday Internet users are also able to see IAM in action when accessing their online banking accounts or logging into their school’s academic suite. However, numerous improvements are still needed in order for all companies (large and small) to have effective IAM technology accessibility. For instance, at the non-profit organization CFC, users must contact the help desk if their passwords are forgotten. They also have to use various passwords to access different applications after logging into their computer.

Maturity Level Framework

The maturity level framework is different from the hype curve, as it just visualizes and determines the way a technology is changing over time. But I believe this framework ties into the structure of the hype cycle. As indicated several times earlier, Gartner analysts have determined that identity and access management technology is in its maturing stage. A technology that is considered maturing is a “robust (healthy) technology and there is not much evolution in vendors or technology” and “several dominant vendors” provide this product or technology (Witty, 2005). What the analysts are describing here is that a maturing technology is utilized by a majority of its targeted users and is a virtually established technology with minor glitches. At this level there are still developments to further improve the technology. When there are no new developments, the technology is considered a legacy system and begins to die off.

I agree with the Gartner analysts that this is a maturing technology. Obviously, IAM has changed over the years, making it increasingly important. “Ten years ago, IAM was tackled by relatively few leading-edge companies” while “today; it has become an imperative for almost all enterprises. Regulations such as the Sarbanes-Oxley Act and the Statement on Auditing Standards No. 70 now require that companies and their officers be accountable for lack of proper data security” (IBM, 2007). When looking at technologies that are under IAM, such as user IDs with passwords, it is pretty much a standard protocol in everyday society. A vast majority of operations on a network need some type of password. This particular technology is generally a requirement in a business or educational setting. Many of the main functionalities of this technology are maturing and very well mainstream. Yes, there are other technologies under the scope of IAM that have not yet reached this mature mainstream level, but these are just additional technologies in order to improve the security behind IAM.

Of course, there is room for improvement of identity and access management. Several technologies under the scope of IAM, including biometrics, will continue to improve the technology. Biometrics has been mentioned a great deal during this research paper, but it is important to note that this is a type of IAM technology. Obviously, biometrics is currently not a maturing technology nor anywhere near mainstream. Biometrics needs a great deal of research and development before it can become matured. However, this is just an additional improvement for the betterment of the already established IAM. If there were no improvements with IAM, IAM would become that previously discussed “legacy” and begin to move towards becoming extinct. This is unlikely to be true for a while, because more and more companies need to protect individuals’ identities from criminals. Below are two tables that summarize what was determined above for identity and access management as well as for the four technologies discussed that are under the range of IAM.

Table 1:
The Progression of Technologies under the Span of IAM

| IAM Technology Discussed | Technology Trigger Phase | Peak of Inflated Expectations Phase | Trough of Disillusionment Phase | Slope of Enlightenment Phase | Plateau of Productivity Phase | Rapid Growth Phase | Maturity Framework Level |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Virtual Directories | | | *2005, *2010 | | | | Adolescent |
| Biometric User Identification | | *2005 | *2010 | | | | Emerging |
| Federated Identity Management | | | | *2005 | *2010 | | Emerging |
| Password Management | | | | | *2005 | *2010 | Mature Mainstream |

Note: The table above reviews the four technologies discussed earlier in this paper and how they have progressed over the past five years.





Table 2:
Overall Identity and Access Management Position

| Overall Technology | Virtual Directories | Biometric User Identification | Federated Identity Management | Password Management | Overall Hype Cycle Position | Overall Maturity Level |
| --- | --- | --- | --- | --- | --- | --- |
| Identity and Access Management | Adolescent | Emerging | Emerging | Mature Mainstream | Plateau of Productivity | Mature Mainstream |

Note: The table above describes where identity and access management stands completely on the hype curve and maturity level framework.


Research Questions

The purpose of this paper is to discuss this technology (identity and access management) and its application to the business and accounting world. In any business setting, it is important that IAM be implemented. In order to understand why the implementation of IAM is important, the following research questions, which were derived during the establishment of the two previous frameworks (the hype curve and maturity level framework), must be addressed.

1. How does identity and access management assist with the operation of a business?
2. When and why should companies invest in IAM? What are the benefits of implementing IAM?
3. What is the functionality of identity and access management? How does it work?
4. What are the risks and concerns of implementing this technology?
5. How does the future outlook appear for IAM?
6. What is the role of auditing in regards to IAM?

Step 2: Data Collection and Analysis per “Research Question”
How does identity and access management assist with the operation of a business?

With the increase in transactions over the Internet (e-commerce), the probability of an individual’s or company’s information being stolen increases. Identity and access management helps prevent sensitive information from getting into the wrong hands. IAM helps productivity to increase, in addition to giving control over issues such as the termination of employees and the security of sensitive information from unauthorized individuals, internally and externally. Each of these main reasons why IAM is important to a business operation is discussed next.

Before the implementation of IAM controls, “WellSpan employed one individual who was primarily responsible for decommissioning terminated employee system access on a timely basis. Shortly before termination, the employee’s supervisor completed a manual form intended to identify all of the applications and data that this individual had access to” (Aldhizer III, 2008). The problem with filling out this form manually is that the employee’s account could still be active after the employee leaves. If former employees wanted to seek revenge on the company, they could easily access the company’s records to release to the public, start their own company, sell the information to someone else, or give away information to a competitor. Computerized or automated IAM “eliminates orphaned accounts that linger in IT environments long after an employee has moved on” (Greenemeier, 2007). It is important to have computerized IAM controls to allow for faster and more reliable closure of the account and to prevent information from being stolen from the company.
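The automated check that replaces the manual termination form can be sketched as a reconciliation of the HR roster against the accounts exported from each system. This is an added example, not code from the paper or from WellSpan; the roster, system names, logins and dates are constructed sample data, and the `Account` fields are assumptions about what such an export contains.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    system: str                  # application or platform holding the account
    login: str
    owner_id: Optional[str]      # HR employee id; None if never linked to a person
    enabled: bool
    last_login: Optional[date]


# Constructed sample data: employee id -> termination date (None = still employed).
HR_ROSTER = {
    "e1001": None,
    "e1002": date(2010, 3, 31),
    "e1003": date(2010, 4, 20),
}

# Constructed sample data: accounts exported from three hypothetical systems.
ACCOUNTS = [
    Account("directory", "arivera", "e1001", True, date(2010, 4, 22)),
    Account("directory", "bchen", "e1002", False, date(2010, 3, 30)),  # closed on time
    Account("payroll", "bchen", "e1002", True, date(2010, 4, 12)),     # missed by the form
    Account("vpn", "cokafor", "e1003", True, date(2010, 4, 19)),
    Account("payroll", "svc_import", None, True, None),                # nobody owns it
]

AS_OF = date(2010, 4, 23)  # date the reconciliation is run


def find_orphaned_accounts(roster, accounts, as_of):
    """Return enabled accounts that no current employee is accountable for."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned
        if acct.owner_id is None or acct.owner_id not in roster:
            findings.append({"system": acct.system, "login": acct.login,
                             "reason": "no_hr_owner", "days_lingering": None,
                             "used_after_exit": False})
            continue
        terminated = roster[acct.owner_id]
        if terminated is None or terminated > as_of:
            continue  # owner is still employed on the audit date
        # Activity after the exit date is the strongest sign of misuse.
        used_after = acct.last_login is not None and acct.last_login > terminated
        findings.append({"system": acct.system, "login": acct.login,
                         "reason": "terminated_owner",
                         "days_lingering": (as_of - terminated).days,
                         "used_after_exit": used_after})
    # Worst first: used after exit, then longest lingering, then by name.
    findings.sort(key=lambda f: (not f["used_after_exit"],
                                 -(f["days_lingering"] or 0),
                                 f["system"], f["login"]))
    return findings


if __name__ == "__main__":
    for finding in find_orphaned_accounts(HR_ROSTER, ACCOUNTS, AS_OF):
        print(finding)
```

Run on a schedule against every system's export, a check like this surfaces the account the manual form missed and any account that was never tied to a person in the first place.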

With the implementation of IAM in a business, productivity increases. Productivity is achieved when the output or final product increases with less labor, and it is very important since companies are not able to hire as many people as they were in the past. If a problem needs to be addressed in the system, such as the change of a password or a change to the files and/or applications accessible to a user, IAM allows for less “staff needed to maintain the solution” (Aberdeen, 2007). The “highest usage of end-user self-service password reset solutions, and, as a result, claim the shortest turnover time for a password reset request” (Aberdeen, 2007). When IAM controls are centrally managed, the productivity of these IAM controls increases. Centralized management of IAM controls “allows organizations to manage multiple directories from a unified management console and addresses the integration of identity information across systems and applications” (Aberdeen, 2007). Let’s look at an example. Consider an accounting firm that wants to hire a new intern to access its application and prepare taxes. If IAM were not implemented, it would take longer for the intern to access this application. As a result, productivity would be lowered, because the intern would not be accomplishing any of their tasks.

Lastly, this technology decreases the chance of private information about the company or its employees being stolen. CA Inc., one of the world’s largest information technology software companies, states that IAM “ensures that only properly authorized users gain appropriate access to your critical resources. Users are entitled by their role in your organization, and receive only the appropriate levels of access to protected resources and/or other non-IT resources to perform their job functions” (CA, 2006). This includes the elimination of lag time after the termination of an employee. An IAM security control also prevents an outsider from hacking into a system and eliminates the need for several passwords, while continuing to ensure the correct identity of the user on the other end of the network.

These examples show how identity and access management assists a business in its day-to-day operations. The key issues discussed here on how IAM operates in a business parallel the research question on investing in IAM and the benefits of implementation.

Table 3:
IAM in the Operation of a Business

| | Termination of an Employee | Productivity | Security |
| --- | --- | --- | --- |
| IAM in the Operation of a Business | Reduces or eliminates lag time, preventing ex-employees from stealing secrets. | The amount of labor time needed to solve the problem is reduced, which ultimately reduces costs. | Confidential company information, such as prospective client and current client information, is protected. |
| IAM not in the Operation of a Business | Lag time is created due to employee information still being accessible after the exit of an employee, which risks information being stolen. | Reduced efficiency due to it taking longer for a problem to be fixed, which causes work to not be completed in a timely manner. | Security is lowered significantly, increasing the risk of identity theft and the exposure of a company’s sensitive information. |

Note: The table above displays the differences between how a business operates with IAM and without IAM.


When and why should companies invest in IAM? What are the benefits of implementing IAM?


“Companies and organizations are increasingly investing in identity and access management’s products and procedures to enforce strong controls and avoid potential data-breach incidents” (Wong, 2010). IAM protects two of the most important access areas within a company, the logical access and physical access areas.

Logical access is where the firm’s network may be breached by a hacker. Software, such as firewalls, is utilized to prevent unauthorized users from taking over the system. In a CPA firm, for example, key elements “that your firms should consider when implementing access policies is all possible points of entry to your resources and assets” (Wong, 2010). On the other hand, physical access is basically where someone either inside or outside the company goes to the actual source (i.e. using a computer already logged in) on the company’s premises. Companies should invest in IAM to protect assets, financial resources, and client and prospective client information from getting into the hands of the wrong individuals. IAM helps companies do this by a simple two-step process: “1) establishing user identity or authentication to establish user accountability and 2) ensuring the appropriate level of access is granted” (Wong, 2010).

Figure 2:
Business Drivers for Identity Management


Note: The figure above is retrieved from “Identity Management Market Forecast: 2007 to 2014,” 2008, Forrester.


The figure above describes how identity and access management “helps extend business services, improve efficiency and effectiveness, and allow for better governance and accountability” (Cser, 2008). This figure not only describes how IAM assists with the operation of a business, but also shows how crucial implementation of IAM is for many aspects within the business.

Based on the previous information, I believe that businesses should implement IAM as soon as the business is started. These controls are very important for the company to run smoothly. If the company has any information that needs to be kept confidential, it needs to implement this critical technology as soon as possible to minimize risk of exposure.

It has been discussed why a company should implement this IAM technology in regards to making operations perform and increasing productivity. There are four primary benefits mentioned by Nelson Cicchitto (the Chairman and CEO of Avatier Corporation) which are: “1. Cost reduction, 2. Improved security, 3. Achieving compliance, and 4. Improving efficiency through automation” (Cicchitto, 2007).

When identity and access management controls are automated (computerized), they “can offer genuine cost benefits. A simple example here is password resets. These soak up huge amounts of helpdesk time, and deploying single sign-on can cut costs dramatically” (Mayne, 2009). This improves efficiency through automation as well as reduces costs, which are numbers one and four on Cicchitto’s four main benefits of IAM list. This statement claims that with the elimination of the middle man, tasks can be done at a higher rate due to the ability of automating IAM tasks. This reduces the amount of pay the company has to provide to their technical support, and it also helps create more revenue. “One implementation we did for BT ended up saving it $4.5m per year” (Mayne, 2009).

The next great benefit of IAM is that it improves security. Companies use IAM to “provide security, trust and privacy by identifying users and authorizing access to identity-based systems, information resources and applications” (Vanamali, 2004). In summary, identity and access management is important to protect a company’s information resources and applications by ensuring that only authorized employees have access to the resources they are permitted to use. On the other hand, IAM keeps out predators that attempt to steal those resources and applications.

For example, at my internship at the US Department of the Treasury, once receiving login information, we were only allowed to access files for the department we were working for. For me, working as the funds control intern in the budget department, I was not able to access information from the accounting department although it was a part of the same office. What is being said here is that it is important to have those controls in place to prevent any misappropriation of information.

The last benefit that Cicchitto listed was achieving compliance. “Compliance requires ensuring policy, procedure, and technical operations are followed” (Frost, n.d.). This is a key aspect of the work of information systems and control auditors, which is to “analyze an organization’s informational system and determine the controls and audit processes required to provide assurance that the information produced is reliable and that the system and data contained therein are secure” (College of Business, n.d.). IAM is a control that assists with this: “to address compliance, IAM and related functions of logging, tracking, and provisioning access are critical to achieving this goal” of compliance (Frost, n.d.). Other advantages to consider when it comes to the implementation of IAM include “faster response times, easily retrievable evidence of activities, better management of large data volumes, and the ability to centrally administer and monitor systems” (Rai, 2007).


What is the functionality of identity and access management? How does it work?

IAM has three main steps that are included during processing when a particular user has the authority to access information. The three steps are the use of directory services, access management, and identity life cycle management.

As mentioned earlier, directory services are a type of software that creates “a logical (virtual) view of a…directory by combining data from multiple repositories” (Witty, 2005). Microsoft’s Frederick Chong confirms this with the statement that directory services is “a digital identity consisting of a few logical types of data and that this data needs to be securely stored and organized” (Chong, 2004). The directories store information, such as trusted passwords and user names.

The next important step of the functionality and anatomy of IAM is access management. Access management is the “process of controlling and granting access to satisfy resource requests. This process is usually completed through a sequence of authentication, authorization, and auditing actions” (Chong, 2004). At this stage, the user is submitting his or her information at some type of single sign-on access point. The system then checks to determine if that user’s information is in the database. If the two pieces of information are matched, then login is a success.

The last important step of IAM is identity life cycle management. This life cycle just demonstrates the time period of a user within a company’s system. The three steps within this cycle are “creation, utilization, and termination” (Chong, 2004). It is obvious that creation is development of a user account, utilization is the user actually accessing the resources, and termination is closing of a user’s account. These key factors create the internal functions of IAM. Below is a diagram of how IAM actually works.

Figure 3:
IAM General Process Description


Note: The figure above was retrieved from “Identity and Access Management Solution,” 2005, SANS Institute.

As shown in this diagram, when a user (whether a guest, the president, the registrar, etc.) types in his or her user information, the identity is verified first. Once the identity is verified through a source system, the privileges are managed. For example, either the previous year’s auditing papers or employee names for human resources are found based on the privileges given to that user. This not only prevents outsiders from accessing prohibited materials, it also prevents the registrar from accessing the resources that should be limited to the president, and vice versa.
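The three parts described above (directory services, access management as authentication, authorization and auditing, and the creation, utilization and termination life cycle) fit together as in the following sketch. It is an added example, not code from the paper or from the SANS figure; the roles echo the figure's users, while the resource names, logins, passwords and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical role-to-resource policy; resource names are invented.
PERMISSIONS = {
    "guest": {"public_catalog"},
    "registrar": {"public_catalog", "student_records"},
    "president": {"public_catalog", "board_minutes"},
}


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the directory never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Directory service: one record per identity (credential, role, status)."""

    def __init__(self):
        self._users = {}

    def create(self, user, password, role):  # life cycle: creation
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "key": derive_key(password, salt),
                             "role": role, "active": True}

    def terminate(self, user):  # life cycle: termination
        self._users[user]["active"] = False

    def lookup(self, user):
        return self._users.get(user)


class AccessManager:
    """Access management: authenticate, then authorize, and audit every request."""

    def __init__(self, directory, permissions):
        self.directory = directory
        self.permissions = permissions
        self.audit_log = []  # (user, resource, decision) tuples

    def request(self, user, password, resource) -> bool:  # life cycle: utilization
        record = self.directory.lookup(user)
        if record is None:
            decision = "deny:unknown_user"
        elif not record["active"]:
            decision = "deny:terminated"
        elif not hmac.compare_digest(derive_key(password, record["salt"]),
                                     record["key"]):
            decision = "deny:bad_credentials"
        elif resource not in self.permissions.get(record["role"], set()):
            decision = "deny:not_authorized"
        else:
            decision = "allow"
        # The reason goes to the audit trail only; the caller learns allow or deny.
        self.audit_log.append((user, resource, decision))
        return decision == "allow"


def run_demo():
    """Constructed scenario: registrar and president, then a termination."""
    directory = Directory()
    directory.create("registrar01", "reg-pass", "registrar")
    directory.create("president01", "pres-pass", "president")
    iam = AccessManager(directory, PERMISSIONS)
    results = [
        iam.request("registrar01", "reg-pass", "student_records"),
        iam.request("registrar01", "reg-pass", "board_minutes"),
        iam.request("president01", "pres-pass", "student_records"),
        iam.request("president01", "wrong", "board_minutes"),
    ]
    directory.terminate("registrar01")  # access ends the moment the account closes
    results.append(iam.request("registrar01", "reg-pass", "student_records"))
    return results, iam.audit_log


if __name__ == "__main__":
    outcomes, log = run_demo()
    print(outcomes)
    for line in log:
        print(line)
```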

What are the risks and concerns of implementing this technology?

When a business implements an IAM process it is possible to be exposed to new risks. The following is a list of factors that can pose a risk to a business’s current operations: “organization complacency, participation, planning, communication, incorporation of all systems into the process, process complexity, making the process too weak, and lack of enforcement” (Rai, 2007).

Organization complacency occurs when a company gets stuck in a rut and continues to do what they have always done because they are comfortable with it. They continue with this routine even “if the status quo is inefficient or inadequate from a control perspective” (Rai, 2007). If a company has this mentality, they will not want to improve their systems by implementing IAM.

The next factor is participation. Whenever a company brings a new process into an already established system, more time will be required for that process. This means a greater commitment from employees and an increase in employees’ work load. If the company cannot provide the time required to adopt IAM, implementation will likely fail.

Planning the implementation of IAM is crucial. “Successful projects require well laid-out plans, milestones for delivery, and processes for scoping change management to set expectations regarding resource commitments and timelines” (Rai, 2007). If the company has not spent the time to map out how the adoption of IAM will progress, IAM may not be successfully implemented into the company. The same applies to communication: if the company doesn’t tell its stakeholders (owners, employees, customers, etc.) about the new project, they will not be able to provide what is needed for the project. Leaving either of these items unaddressed will lead to the failure of IAM.

A company should approach the adoption of IAM incrementally, instead of trying to incorporate IAM into all of its systems at once. To “bring many computer systems into the IAM framework at once can be overbearing and unsuccessful. Prioritizing key business risk areas and the system resources affected by the process are good targets for initial scope” (Rai, 2007). It is also important to note that if the process is too complex or too weak, this will also lead to the failure of IAM.

The last area that a company should be concerned with is the lack of enforcement. The “proper enforcement activities” such as governance, “enable it to operate as designed. If users are allowed to employ varied processes or circumvent established ones, the project’s overall success can be jeopardized” (Rai, 2007). Governance is defined as “the management, control, and orchestration of the various IAM business processes guided by the policies and business requirements of the organization and by local, national and possibly international legislation” (McDuff, 2009). Therefore, if identity and access management is not administered correctly, the overall success of IAM implementation will be diminished.

Mark Mayne says it best in his article “The Big IAM”: “badly-implemented projects, however, will not only soak up precious resources, but will merely automate existing problems, leading to a more costly cleanup exercise in the future” (Mayne, 2009). Companies need to be aware of these risks in order to have properly working IAM controls within their system. With the recognition of these risks and concerns, some of these risks can be reduced or essentially eliminated. Now that the benefits and risks of implementing identity and access management have been mentioned, companies need to be aware of the future outlook of IAM.

How does the future outlook appear for IAM?

“By 2014, total revenues will reach $12.3 billion, with 57% going to software and 43% going to services. The compound annual growth rate (CAGR) of the entire IAM market during the 2006 to 2014 period will be 21.6%” (Cser, 2008). It is obvious here that IAM technology is here to stay. Increasing numbers of businesses and individuals will need protection from thieves in our society. With technology becoming increasingly sophisticated, hackers and thieves will learn new ways to steal confidential information. Therefore, IAM will be needed to protect companies and individuals.

There are also several new forces shaping IAM trends over the next couple of years. The following trends are sure to “shape the market in the next five to seven years: Identity-as-a-services (IDaaS), outsourced identity management, centralized fine-grained entitlement management, consumer identity solutions for proofing and authentication, policy repository convergence, and physical/logical security convergence” (Cser, 2008). These new aspects of identity and access management should become mainstream within this time frame as well as improve the IAM technology overall.

Identity and access management also brings in changes for employees and professionals in society. With the economy in its current state, “companies across all sectors have already begun to lay off staff…inevitable some companies are going to have to lay off talented IT and information security professionals” (Griffeth, 2009). With numerous layoffs, there will be an increased challenge: the “challenge for identity and access management professionals will be securing data from former employees who know the system from the inside out” (Griffeth, 2009). This means that companies are now laying off people who have the knowledge and experience of working with their ex-employers’ networks. Therefore, companies must increase the IAM controls to keep terminated IT employees from retaliating against the company by crashing its systems. There are also concerns as companies continue to cut their budgets. As companies continue to make financial cuts, they must take care that the IAM security program doesn’t suffer.

What is the role of auditing in regards to IAM?

Internal auditors play a very important role in this process in which they assist companies in the development of IAM processes, as well as monitor the implementation and adoption of IAM. Before auditing IAM systems, they need to understand the company’s foundation of IAM. When auditing it is important that the client company has “records of ‘who did what, when’ within the IT infrastructure. Federal regulations such as the Sarbanes-Oxley Act are key drivers of the identity-related auditing requirements” (Chong, 2004). Auditors will need to review those records of what has occurred within the IT infrastructure, as well as be aware of the policies and regulations when reviewing identity and access management controls. “Internal auditors need to examine the identity and access management processes that exist within the organization” whether there is a defined program in place or not (Rai, 2007).

The audit process includes the phases of “audit generation, data collection and storage, and analysis and feedback” (Chong, 2004). Auditors are able to find information through audit trails. An audit trail includes the records that auditors use as evidence throughout the audit process. They could use such applications as firewalls to assist with the detection of invasions from the outside, or “business applications which can produce audit data to aid debugging or comply with regulatory audit requirements” (Chong, 2004). All of the information and evidence the auditors find through audit trails will be collected and stored. This collected information can then be analyzed to lead to a conclusion about what needs to be done within their IAM process. Auditing these IAM controls is important to determine whether any type of theft, piggybacking, or anything of that nature has occurred. This audit should be done as a part of the whole audit process. Refer to Table 4 below, which summarizes the entire audit process of identity and access management.

Table 4:
Auditing Within Identity and Access Management

| Phases | What is done? | Information Retrieved |
| --- | --- | --- |
| Audit Generation | Find information through audit trails. | They can look at firewalls, VPN servers, middleware components, and business applications. |
| Data Collection and Storage | The storage and collection phase. | They collect the data that was found during phase 1 and stored for the next phase of the audit. |
| Analysis and Feedback | Analyze the information retrieved. | Review the information found during the audit trail and provide feedback on the findings. |
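
The three phases in Table 4 can be sketched as a small pipeline. This is an added example, not part of the original paper or its sources: the log formats, account names, directory list, and business-hours policy are all constructed assumptions, chosen to show how records from a firewall, a VPN server, and a business application become one "who did what, when" trail that can then be analyzed.

```python
import re
from datetime import datetime, timezone

# Phase 1 (audit generation): constructed sample records, one text blob per
# source. The line formats are invented for this example, not a real product's.
FIREWALL_LOG = """\
2010-03-01T02:14:09Z DENY src=203.0.113.7 user=- dst=fin-db port=1521
2010-03-01T09:01:44Z ALLOW src=10.0.4.21 user=jdoe dst=fin-db port=1521
"""
VPN_LOG = """\
Mar 01 2010 08:58:10 vpn01 login ok user=jdoe ip=198.51.100.20
Mar 01 2010 23:40:02 vpn01 login ok user=tsmith ip=198.51.100.77
Mar 01 2010 23:55:41 vpn01 login ok user=temp04 ip=198.51.100.90
"""
APP_LOG = """\
2010-03-01 09:05:12|jdoe|VIEW|invoice/1001
2010-03-01 23:47:30|tsmith|EXPORT|customer_master
corrupted line without fields
"""
DIRECTORY = {"jdoe", "tsmith"}   # assumed: identities the directory knows
BUSINESS_HOURS = range(7, 19)    # assumed policy: 07:00-18:59 UTC


def _utc(text, fmt):
    """Parse a timestamp and mark it as UTC so all sources sort together."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def parse_firewall(line):
    m = re.match(r"(\S+) (ALLOW|DENY) src=(\S+) user=(\S+) dst=(\S+) port=(\d+)$", line)
    if not m:
        return None
    ts, verdict, src, user, dst, port = m.groups()
    return {"when": _utc(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "who": None if user == "-" else user,   # "-" means no identity logged
            "what": f"{verdict} {src} -> {dst}:{port}", "source": "firewall"}


def parse_vpn(line):
    m = re.match(r"(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ login (ok|failed) "
                 r"user=(\S+) ip=(\S+)$", line)
    if not m:
        return None
    ts, result, user, ip = m.groups()
    return {"when": _utc(ts, "%b %d %Y %H:%M:%S"), "who": user,
            "what": f"vpn login {result} from {ip}", "source": "vpn"}


def parse_app(line):
    parts = line.split("|")
    if len(parts) != 4:
        return None
    ts, user, action, obj = parts
    try:
        when = _utc(ts, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return {"when": when, "who": user, "what": f"{action} {obj}", "source": "app"}


SOURCES = [(parse_firewall, FIREWALL_LOG), (parse_vpn, VPN_LOG), (parse_app, APP_LOG)]


def collect(sources):
    """Phase 2 (collection and storage): one time-ordered who/what/when store.

    Lines that cannot be parsed are kept separately instead of being dropped,
    because a gap in the trail is itself something the auditor must report.
    """
    store, rejected = [], []
    for parser, text in sources:
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            record = parser(line)
            if record is None:
                rejected.append(line)
            else:
                store.append(record)
    store.sort(key=lambda r: r["when"])
    return store, rejected


def analyse(store, directory=DIRECTORY):
    """Phase 3 (analysis and feedback): return (finding, record) pairs."""
    findings = []
    for r in store:
        if r["who"] is None:
            findings.append(("unattributed", r))        # trail cannot say who
        elif r["who"] not in directory:
            findings.append(("unknown-identity", r))    # account the directory lacks
        if (r["source"] == "app" and r["what"].startswith("EXPORT")
                and r["when"].hour not in BUSINESS_HOURS):
            findings.append(("off-hours-export", r))
    return findings


if __name__ == "__main__":
    trail, bad_lines = collect(SOURCES)
    for kind, rec in analyse(trail):
        print(f'{rec["when"].isoformat()} {kind:17} {rec["who"]} {rec["what"]}')
    print(f"{len(bad_lines)} line(s) could not be parsed")
```

The rules in `analyse` are deliberately simple; the point is that analysis is only possible once every source has been reduced to the same who/what/when shape.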


Conclusion

Identity and access management is a well-established technology; however, there will be a need for future improvements and further research. Below are several recommendations that identity and access management creators should consider for the future outlook of the technology.

The first recommendation for identity and access management is to “ensure stronger identity management by leveraging additional authentication technologies” (Aberdeen, 2007). This indicates that developers of IAM need to work toward continuous improvement, research, and new inventions to make sure the technology continues to operate efficiently, regardless of rapid changes in technology. If identity and access management does not create any new developments, the technology will become stagnant and will be unable to protect information as it had in the past. This recommendation will assist with the performance of the technology.

The second recommendation given to the IAM technology is that “the market trend toward suites will complicate product selection” (Cser, 2008). Product suites, which are collections of programs, will be able to support all of the technologies, old and new, that are under the span of identity and access management. Identity and access management will continue to expand, therefore “IT security organizations will face greater difficulty in mapping requirements to a short list of products and finally selecting a product” (Cser, 2008). That is why it is essential for IT security organizations to find a way to streamline these products into one suite similar to the Adobe Creative Suite or Microsoft Office Suite.

The third recommendation that IAM vendors need to address is to “continue to reduce the number of separate identity directories and synchronized separate directories” (Aberdeen, 2007). This recommendation is similar to the second recommendation of creating a product suite in which developers need to streamline the directories in order to reduce the number of directories required for usage.

The fourth recommendation for IAM is to make it a priority to develop “strong audit capabilities and security information management (SIM) integration” (Cser, 2008). This recommendation is very important because “regulatory compliance is almost invariably or customarily one of the driver of any IAM project” (Cser, 2008). Many organizational executives generally expect the implementation of identity and access management to deliver the reports that answer auditors’ questions.

The fifth recommendation, to educate employees, has great importance. “Be prepared to educate business partners about identity and access management – what it is and why it is important” (Kalin, 2005). If partners, managers, and owners understand what IAM means for their company, including the benefits implementation gives, then these decision makers are going to be more ready to accept the adoption of this technology. When persuading management that IAM is beneficial to the company, it is important to mention that it will reduce costs, security will improve, productivity will improve, and most importantly “being better prepared to enforce compliance with regulations and demonstrate that compliance to Sarbanes-Oxley auditors” (Kalin, 2005). Education is critical in successfully implementing IAM.

These five recommendations are the concerns and improvements that companies need to be aware of when progressing into the future with identity and access management. Vendors and creators of identity and access management applications need to be able to continuously improve IAM in order to meet the needs of their customers (companies). If vendors let these mentioned recommendations go unaddressed, companies will not want to use such a complex technology. Companies that implement IAM in the present, or future, also need to be aware of these recommendations to make sure that the benefits outweigh the risks of IAM implementation. This can only be done by educating those decision makers of the company.


Works Cited

Aberdeen Group (2007). Identity and Access Management Critical to Operations and Security. Communication News. Retrieved from http://www.comnews.com/WhitePaper_Library/Managed_services/pdfs/Quest_Software_Aberdeen_IAM_Critical_to_Operations_and_Security.pdf.

AICPA (2009). 2009 Top Technology Initiatives and Honorable Mentions. Retrieved from http://infotech.aicpa.org/resources/top+technology+initiatives/2009+top+technology+initiatives+and+honorable+mentions.htm.
Aldhizer III, G., Juras, P., & Martin, D. (2008). Using Automated Identity and Access Management Controls. CPA Journal, 78(9), 66-71. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=35654420&loginpage=login.asp&site=ehost-live&scope=site.

CA (2006). How can Identity and Access Management help me to improve compliance and drive business performance? CA. Retrieved from http://images.vnunet.com/v7_static/itw/pdf/iam_solution_brief.pdf.

Chong, F. (2004). Identity and Access Management. Microsoft Corporation. Retrieved from http://msdn.microsoft.com/en-us/library/aa480030.aspx.
Cicchitto, N. (2007). Evaluating Your Identity and Access Management Options. Enterprise Innovator. Retrieved from http://enterpriseinnovator.com/index.php?articleID=12635&sectionID=25.

College of Business (n.d.). Information Systems Auditing and Control. Bowling Green State University. Retrieved from http://www.business.bgsu.edu/amis/isac.html.

Cser, A. and Penn, J. (2008). Identity Management Market Forecast: 2007 to 2014. Forrester. Retrieved from http://www.securelyyoursllc.com/files/Identity%20Management%20Market%20Forecast%202007%20To%202014.pdf.

Frost, R. and Morooney, K. (n.d.). How Identity and Access Management Can Help Your Institution Touch Its Toes. Internet 2. Retrieved from http://net.educause.edu/ir/library/powerpoint/ENT015A.pps.

Greenemeier, L. (2007). Security; Know Your Users Well—Centralized ID and access management is fundamental to securing networks. Information Week, 51. Retrieved from LexisNexis Academic database.

Griffeth, D. (2009). Identity and access management 2009: Staff cuts, insider threats. Search Security. Retrieved from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1344839,00.html.

IBM (2007). Identity and access management: uncovering the secrets to successful implementations. IBM Corporation. Retrieved from http://www-935.ibm.com/services/us/gts/pdf/sp_wp_identity-and-access-management-uncovering-the-secrets.pdf.
Identity Access Management (n.d.). From Wikipedia. Retrieved March 21, 2010 from http://en.wikipedia.org/wiki/Identity_access_management.
Kalin, S. (2005). How to Tackle Identity and Access Management. CIO. Retrieved from http://www.cio.com/article/14772/How_to_Tackle_Identity_and_Access_Management.
Kobielus, J. (2005). What Is Federated Identity Management? Business Communications Review, 35(8), 56-61. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=17848698&loginpage=login.asp&site=ehost-live&scope=site.
Linares, M. (2005). Identity and Access Management Solution. SANS Institute. Retrieved from http://www.sans.org/reading_room/whitepapers/services/identity-access-management-solution_1640.
Lynch, C. (1998). A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources. Retrieved from http://www.cni.org/projects/authentication/authentication-wp.html.
Mayne, M. (2009). The big IAM. SC Magazine: For IT Security Professionals, 32-36. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=43422929&loginpage=login.asp&site=ehost-live&scope=site.

McDuff, R. & McMillan, P. (2009). An Identity Management Framework and Maturity Model for the Australian and New Zealand Higher Education Sector. CAUDIT. Retrieved from www.caudit.edu.au/educauseaustralasia09/.../Patricia-McMillan.pdf.

O'Leary, D. (2008). Gartner's hype cycle and information system research issues. International Journal of Accounting Information Systems, 9(4), 240-252. doi:10.1016/j.accinf.2008.09.001.
Rai, S., Bresz, F., Renshaw, T., Rozek, J., and White, T. (2007). Global Technology Audit Guide: Identity and Access Management. The Institute of Internal Auditors. Retrieved from infotech.aicpa.org/NR/rdonlyres/...9CE1.../GTAG9IdentAccessMgmt.pdf.

Vanamali, S. (2004). Identity Management Framework: Delivering Value for Business. Information Systems Control Journal (Vol. 4). Retrieved from http://itgi.org/Template.cfm?Section=Home&CONTENTID=21335&TEMPLATE=/ContentManagement/ContentDisplay.cfm.

Witty, R., Allan, A., Enck, J., Hirst, C., Runyon, B., Wagner, R., Perkins, E., Pescatore, J., & Wheatman, V. (2005). Hype Cycle for Identity and Access Management Technologies, 2005. Gartner. Retrieved from http://www85.homepage.villanova.edu/timothy.ay/DIT2160/IdMgt/hype_cycle_for_.pdf.
Wong, J. (2010). Identity and Access Management Continually Rank High in Lists. AICPA. Retrieved from http://www.cpa2biz.com/Content/media/PRODUCER_CONTENT/Newsletters/Articles_2010/CPA/Feb/IdentityAccessMgmt.jsp.

Yager, N. & Dunstone, T. (2010). The Biometric Menagerie. IEEE Transactions on Pattern Analysis & Machine Intelligence (Vol. 32/No. 2, 220-230). Retrieved from IEEE Computer Society: http://0-www.computer.org.maurice.bgsu.edu/portal/web/csdl/transactions/tpami#4.

Tuesday, March 2, 2010

Identity and Access Management-Technology Briefing

This paper was an assignment for my advanced accounting information systems course that I am currently taking this semester (Spring 2010). Each paper was written on an assigned topic; mine was Identity and Access Management. I received a 90% on this technology briefing. References are listed at the bottom.

Identity and Access Management

There are many technologies that currently exist. These technologies protect sensitive information by controlling which people can access it. There are technologies such as biometrics, certificate authorities, identity and access management, etc., with newer technologies still to come. Throughout this brief, the topic of identity and access management will be discussed through its definition and purpose, centralized management, automation, and its future predictions.

What is Identity and Access Management?

As stated by the AICPA, identity and access management (also abbreviated as IAM) is the “implementation of physical, technical, and administrative controls that limit access to company resources to authorized persons. A challenge exists with achieving easy access by authorized users while making resources inaccessible to unauthorized users” (AICPA, 2009). RSA, the security division of EMC, also refers to identity and access management as all of the “…policies, processes, procedures and applications that help an organization manage access to information” (RSA, n.d.). What the AICPA and RSA are stating in their definitions is that identity and access management is a way to restrict and constrain access to all sensitive, important, and destructive information, so that people who should not have any contact with it cannot reach it.

Luther Martin discusses identity and access management technology by discussing the three categories that make up IAM. IAM technology is divided “into three general categories: a directory services infrastructure, and the identity life-cycle management and access management applications that rely on it” (Martin, 2007). He describes directory services infrastructure as a single source of identity and confirmation information. The identity life-cycle management and access management applications provide information to, or utilize information from, the directory services infrastructure. These categories are important for understanding how IAM technology is designed and operated. These three categories are able to manage users with their digital credentials (identity life-cycle management), as well as control user access to resources (access management applications) (Martin, 2007). The categories also further explain how IAM technology helps companies control user access to their resources.

Companies also need to periodically check to determine if their IAM technology controls are working properly. Therefore, IAM controls need to be tested. In order to “determine the effectiveness of an IAM strategy, periodic audits, reconciliation, and reviews are recommended” (Bi, 2008). By auditing and reviewing these controls, companies will be able to determine if there are any weaknesses within their system that could threaten their security. In the end, IAM is a way to protect a company’s private and sensitive information. However, IAM should be more effective if it is centrally managed.

Centrally Managed

It has been determined that most companies do utilize some form of identity and access management controls to protect their information and applications. But of these companies, most of them do not centrally manage these controls (Greenemeier, 2007). Centralized management is the “management practice in which all or most decision makers (who have the authority, control, and responsibility for the entire organization) are located in one central office (the headquarters)” (BusinessDictionary.com, n.d.). As for centralized management and IAM, this means that IAM controls should be protected and controlled by one management and in one location. However, if a company does not have their IAM controls centrally managed, then that company will not know who has access to their information technology system, which could lead to a security breach (Greenemeier, 2007). Therefore, companies need to put their IAM controls into centralized management to protect information from being released into the hands of criminals, or individuals who do not need to have access to that particular information.

There are also other reasons why it is important to have IAM centrally managed. The first reason that Larry Greenemeier states is that it gives “the ability to track temporary or contract employees who have access to sensitive or confidential data” (2007). This is a top reason for the usage of centrally managed IAM, because companies are able to determine who has access to restricted information. Thus, if there is a security breach, the company will be able to determine who may have potentially caused that breach.

Centralized IAM also allows companies to “cut down on the number of names and passwords that users need to access different applications” (Greenemeier, 2007). This is important because this prevents users from having to remember different passwords to log into different applications throughout the company. For example, Bowling Green State University (BGSU) students log into MyBGSU with one password. With this one password, they are able to access their courses, Bursar bill, grades, degree audit, financial aid, etc. But what if each student had to have a separate password to access each of those previously listed items? That is a significant number of passwords for each student to remember, which could lead to users forgetting their password, or the possibility of having to write down those passwords. Centralizing identity and access management reduces the number of requests made to help desks or technical support for password assistance. “Rohm & Haas, a maker of specialty polymers and other compounds, found that its employees on average have 15 different user names and passwords to access the systems they need to do their jobs. This has contributed to the more than 14,000 password-related help-desk calls last year. ‘This in reality actually reduces security because users write these things down,’ says Scott Megill” (Greenemeier, 2007). If all BGSU students had to have different passwords to access Blackboard, grades, Bursar bill, degree audit, etc., then you would see students constantly carrying around a piece of paper with all of their passwords on it. Thus, if these passwords are lost, they give access to all of their private information to anyone who finds that piece of paper, an unauthorized user. Below you will see a diagram that exemplifies IAM.

Diagram 1: Identity and Access Management Model (Internet2 Middleware Initiative, 2007)-Image Currently Not Available.

The above diagram is similar to the structure that is utilized at BGSU to log into MyBGSU. When someone reaches the login screen for MyBGSU, the user will input their user name and password. The system then reads the user’s login information and pulls up the information that they should access. When a student logs into their MyBGSU account, they are only able to access their personal information, such as their Bursar bill, grades, and courses. On the other hand, when professors log into MyBGSU, they are able to reach all of the courses they are teaching and are able to change information that is inputted into that course community. They are also able to access every student’s grade in the courses they are teaching. Depending on the person’s role (identity) in the college community they will have a different MyBGSU access and result. Logging into MyBGSU is an example of how IAM is used on an everyday basis.

Therefore, it is important for identity and access management to be centralized. It is important because it reduces the risk of a security breach of sensitive information by limiting the number of passwords needed.

IAM Controls Automated

As stated by Aldhizer III, there are five processes to identity and access management which are the following: new-user access, succeeding modifications to existing users, ending user right of entry, password changes or resets, and third-party admission. It is imperative that these IAM controls, along with other control processes, be automated or programmed. With the large amounts of data that flow through a company, the automation or programming of controls will provide for the enforcement of organizational security policies, as well as improved operational efficiency and increased user productivity (Aldhizer III, Juras, & Martin, 2008). Next there will be a discussion of why the five previously listed IAM controls should be automated.

The first IAM control listed is new-user access. New-user access arises, for example, when a company hires a new employee or intern and has to provide them admission to its network for email and applications. When this IAM control is automated it “can substantially increase user productivity, reduce help-desk overhead, enhance information security, and allow internal audit to provide more value-added services” (Aldhizer III, Juras, & Martin, 2008). When I was an intern with the Department of the Treasury this past summer, this new-user access control was not automated. All new employees and interns had to fill out paperwork and turn that paperwork in to their supervisor, which was then forwarded to the help desk. This process took approximately two weeks for me to be able to have access to the Treasury’s network, as well as access to Oracle. If this process were automated, this would have allowed for the interns and employees to be able to start working sooner and assist with the daily tasks in the department.

The next IAM control that should be automated is the succeeding modifications to existing users. It is important to have these controls automated, because if this process was manual it could take several weeks to make revisions to user access, based on promotions and assignments to new project teams (Aldhizer III, Juras, & Martin, 2008).

Terminating a user’s right of entry at the end of employment also involves identity and access management automation. With manual controls over employee termination, these employees’ accounts are still active for a time period after the employee has left the company. If those employees were involuntarily fired, or quit because they were angry at the company, this could lead to material being taken from the company’s database, due to their account still being accessible (Aldhizer III, Juras, & Martin, 2008). But when this process is automated, it substantially reduces the amount of time that the account remains dormant but open after the employee leaves the company. This in turn reduces the risk of an angry employee stealing sensitive information from the company.
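
The check below shows how a reviewer might measure that "dormant but open" window by reconciling HR records against the account inventory. It is an added example, not taken from the paper or its sources; the record layout, field names, account names, and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names and values are assumptions for this example.
HR_RECORDS = [
    {"employee_id": "E100", "status": "active",     "end_date": None},
    {"employee_id": "E101", "status": "terminated", "end_date": date(2010, 1, 15)},
    {"employee_id": "E102", "status": "terminated", "end_date": date(2010, 2, 1)},
    {"employee_id": "E103", "status": "terminated", "end_date": date(2010, 2, 20)},
]
ACCOUNTS = [
    {"account": "adavis", "employee_id": "E100", "enabled": True,
     "disabled_on": None, "last_login": date(2010, 3, 1)},
    {"account": "bking", "employee_id": "E101", "enabled": False,
     "disabled_on": date(2010, 1, 15), "last_login": date(2010, 1, 14)},
    {"account": "cmoore", "employee_id": "E102", "enabled": True,
     "disabled_on": None, "last_login": date(2010, 2, 10)},
    {"account": "cmoore-adm", "employee_id": "E102", "enabled": False,
     "disabled_on": date(2010, 2, 19), "last_login": date(2010, 1, 30)},
    {"account": "svc-legacy", "employee_id": None, "enabled": True,
     "disabled_on": None, "last_login": None},
    {"account": "dnguyen", "employee_id": "E103", "enabled": False,
     "disabled_on": date(2010, 2, 20), "last_login": date(2010, 2, 19)},
]
AS_OF = date(2010, 3, 1)   # assumed review date


def review_terminations(hr_records, accounts, as_of):
    """Reconcile accounts against HR and report access that outlived employment.

    exposure_days is the time between the employee's end date and the day the
    account was disabled (or the review date if it is still enabled). An
    account disabled with no recorded date is treated as open until the review
    date, which is the conservative reading.
    """
    hr = {r["employee_id"]: r for r in hr_records}
    findings = []
    for acct in accounts:
        owner = hr.get(acct["employee_id"])
        if owner is None:
            # No person in HR stands behind this account.
            findings.append({"account": acct["account"], "kind": "orphaned",
                             "exposure_days": None, "used_after_exit": False})
            continue
        if owner["status"] != "terminated":
            continue
        exit_day = owner["end_date"]
        closed = None if acct["enabled"] else acct["disabled_on"]
        exposure = ((closed or as_of) - exit_day).days
        used_after = acct["last_login"] is not None and acct["last_login"] > exit_day
        if exposure > 0 or used_after:
            findings.append({
                "account": acct["account"],
                "kind": "still-enabled" if acct["enabled"] else "late-disable",
                "exposure_days": exposure,
                "used_after_exit": used_after,
            })
    # Accounts actually used after the exit date come first, then longest exposure.
    findings.sort(key=lambda f: (not f["used_after_exit"], -(f["exposure_days"] or 0)))
    return findings


if __name__ == "__main__":
    for f in review_terminations(HR_RECORDS, ACCOUNTS, AS_OF):
        print(f)
```

Accounts disabled on the employee's last day produce no finding, so the output is exactly the set of accounts a manual termination process left behind.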

The change and reset of passwords due to required password changes, or because someone forgot their password, is another example of an automated identity and access management control. Most companies and educational institutions have automated controls over password changes. If everyday users had to constantly submit paperwork or contact technical support in order to change their passwords, who would want to change their password? If passwords were not changed, this would enable hackers to easily enter into systems, email accounts, online banking accounts, etc. But when the changing of passwords process is automated, it allows for users to easily change their passwords instantly without the hassle of technical support or paperwork. For example, when someone changes their password to their Key Bank online banking account all they have to do is click change password under their Self Service Security settings. But if every Key Bank online user had to call a phone number and talk to a technical support representative in order to change their password, who would want to go through that hassle?

The last IAM automated control is third-party admission. Third-party activities involve transactions, such as selling to customers or to other businesses, or sharing of controls because of a company department being outsourced. However, it is unfortunate that “many organizations do not have a consistent method for monitoring closely related third-party activities because they do not maintain separate third-party system records” (Aldhizer III, Juras, & Martin, 2008). This is a problem because vendors or customers have access to sensitive data that could easily be stolen. But when third-parties have access, “centralized and automated IAM controls can ensure that separately tagged sensitive data are not uploaded” (Aldhizer III, Juras, & Martin, 2008). This once again ensures that important and private information is protected from getting into the wrong hands of criminals.

As you can see, it is important to have identity and access management controls automated. Many places, such as Bowling Green State University and the Center for Families and Children, utilize automated IAM technology controls because it reduces idle time and provides for efficiency and productivity. But there are still companies and businesses, such as the US Department of the Treasury, that utilize manual identity and access management controls. This delays the time for new employees to become useful on the job and could leave their systems at risk for a possible break in security.

A Few Predictions of the Future of IAM

It is obvious that technology is always changing. In the year 2000, there was no such thing as an MP3 player and now it seems like everyone owns an iPod that may be able to connect to the internet. Just like all other continuously changing technology, identity and access management technology will also continue to change. Gartner, Inc. (a leading technology research firm) analysts identify some predictions that should occur with identity and access management beyond the year 2009.

One of the predictions is that “by 2011, 30 percent of large corporate networks will become ‘identity aware’ by controlling access to some resources via user-based policies” (Stevens & Pettey, 2009). What the Gartner analysts are saying here is that more companies will advance their security by ensuring that the right users are accessing the right resources. Therefore, more and more companies will begin implementing the IAM process similar to what was discussed earlier, which included giving the appropriate access to the correct users, increasing security, and increasing productivity. Gartner analysts suggest that in order for companies to implement this effectively, they “recommend that network managers and others responsible for IAM projects develop strategies for making networks identity aware” (Stevens & Pettey, 2009). Similar to the increase in popularity of MP3 player technology, the popularity of IAM among companies will begin to increase.

Gartner also mentions three other predictions that will not be further discussed. See the list below:
1. “By 2011, hosted IAM and IAM as a service will account for 20 percent of IAM revenue” (Stevens & Pettey, 2009).
2. “Through 2011, 20 percent of smart-card authentication projects will be abandoned and 30 percent scaled back in favor of lower-cost, lower-assurance authentication methods” (Stevens & Pettey, 2009).
3. “By 2010, approximately 15 percent of global organizations storing or processing sensitive customer data will use OOB authentication for high-risk transactions” (Stevens & Pettey, 2009).

As shown above, through these analysts’ predictions and ease of use, the usage of identity and access management by companies will continue to increase in the future.

Conclusion

In summary, identity and access management, as stated at the beginning of this paper, is a particular control technology that limits access of resources to particular persons. It has been determined that not only should identity and access management or IAM technology be implemented, but it should also be centrally managed as well as automated. When IAM technology is used in the most efficient way, this increases productivity, decreases idle time, and increases user access security. “IAM solutions employ password synchronization to allow a user to enter just one password to access many different resources across systems and the internet…This saves money and resources as a vast percentage of help desk calls are password related” (Bahlmann & Martz, n.d.).

Works Cited

Aldhizer III, G., Juras, P., & Martin, D. (2008). Using Automated Identity and Access Management Controls. CPA Journal, 78(9), 66-71. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=35654420&loginpage=login.asp&site=ehost-live&scope=site.

AICPA (2009). 2009 Top Technology Initiatives and Honorable Mentions. Retrieved from http://infotech.aicpa.org/resources/top+technology+initiatives/2009+top+technology+initiatives+and+honorable+mentions.htm.

Bahlmann, B. & Martz, C. (n.d.). IAM – Identity and Access Management. Birds-Eye.Net. Retrieved from http://www.birds-eye.net/definition/acronym/?id=1160863505.

Bi, L. (2008). Identity and Access: How to Protect Your Business. Journal of Corporate Accounting & Finance (Wiley), 19(5), 9-13. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=32840432&loginpage=login.asp&site=ehost-live&scope=site.

BusinessDictionary.com (n.d.). Centralized management. Retrieved from http://www.businessdictionary.com/definition/centralized-management.html.

Greenemeier, L. (2007). Security; Know Your Users Well—Centralized ID and access management is fundamental to securing networks. Information Week, 51. Retrieved from LexisNexis Academic database.

Internet2 Middleware Initiative (2007). Identity and Access Management. Retrieved from http://www.internet2.edu/pubs/200703-IS-MW.pdf.

Martin, L. (2007). Identity-based Encryption: From Identity and Access Management to Enterprise Privacy Management. Information Systems Security, 16(1), 9-14. Retrieved from Business Source Complete database: http://0-search.ebscohost.com.maurice.bgsu.edu/login.aspx?direct=true&db=bth&AN=24581860&loginpage=login.asp&site=ehost-live&scope=site.

RSA (n.d.). Identity and Access Management (IAM). Retrieved from http://www.rsa.com/glossary/default.asp?id=1025.

Stevens, H. & Pettey, C. (2009). Gartner Reveals Four Identity & Access Management Predictions for 2009 and Beyond. Retrieved from http://www.gartner.com/it/page.jsp?id=911212.

Sunday, February 28, 2010

Why Switch To IFRS From GAAP

This paper was written in Fall 2008 in my Intermediate Financial Accounting course. It was also posted on my professor’s website at: http://profalbrecht.wordpress.com/2008/12/20/why-switch-to-ifrs-from-gaap/. Read it and feel free to leave questions and/or comments.

The Securities and Exchange Commission (SEC) announced it plans to switch U.S. companies from generally accepted accounting principles (GAAPs) to international financial reporting standards (IFRSs) based on a recent release of a roadmap. The proposed switch has caused much controversy from professors to accountants, but the switch probably will still occur regardless of what the majority may believe. This paper will discuss the background and roadmap of the transition to the IFRSs, the European success of transition to IFRS, along with the benefits of the United States converting, and an argument against the disputers of the proposed United States switch to IFRS.

For people who may not be aware of what the SEC is doing, as stated earlier, the accounting standards will be converted to IFRS from GAAP over the following years. On August 27, 2008, the SEC proposed that a roadmap will be published as a guideline for the switch to IFRS from U.S. GAAP. The roadmap is a 165-page document that was finally released on November 14, 2008 by the SEC. In the roadmap, it states that it will give a 90-day comment period, which will end 90 days after the roadmap document is published in the Federal Register. Secondly, in 2011, the SEC will decide whether to proceed with the rulemaking to require U.S. issuers to begin using IFRS by 2014. The SEC will move forward with the decision to switch based on seven factors. Some of those factors are: improvements in the accounting standards, education and training of IFRSs in the U.S., and the accountability and funding of the International Accounting Standards Committee Foundation (Journal). First of all, I do believe the United States should switch over to IFRS. However, I do not feel that the SEC should vote on IFRS adoption after companies have spent millions of dollars on converting from GAAP (Maryland).

Throughout the world, several countries are either in the process of switching over to IFRS or are already using IFRS. The European Union has already switched to IFRSs and the same year the U.S. companies have their deadline to switch over, “…China, India, Japan, and Canada also are scheduled to make the switch” (Johnson). The European Union started their transition in 2002 and it ended in 2005. The experience of the European companies also brought on confusion and a burden on their companies, just like the United States is experiencing now. However, the main reason for the EU’s confusion was mainly due to IASB’s (International Accounting Standards Board) failure to finalize many of their rules. The EU’s switch ended up going smoothly and successfully (Johnson). The United States can learn from their European counterparts and could possibly have an easier transition than what the EU experienced. With main competitors in the global economy using or switching to IFRS, the U.S. needs to convert to IFRS.

I believe that the United States should switch to international financial reporting standards for three important reasons. These reasons include: international financial reporting standards make it easier to compare, they are internationally understood, and they help multinational businesses to stay up-to-date and competitive in the globalization of markets.

Switching to IFRS will help companies, investors, and the public globally compare their financial statements more easily. “By adopting IFRS, a business can present its financial statements on the same basis as its foreign competitors, making comparisons easier” (American). If every country has a different set of financial standards, while multinational companies exist in different countries, it is difficult to compare how each company stands because there is no consistency. Consistency is a key factor in comparing statements. Without the one set of global standards, it will be more difficult, if not impossible, to compare with their competitors due to extra finances and time. With an international accounting standard in place, it allows companies and competitors to be able to compare with each other. Even the Chairman of the SEC, Christopher Cox, agreed with the fact that financial statements need to be comparable worldwide by stating, “an international language of disclosure and transparency is a goal worth pursuing on behalf of investors who seek comparable financial information to make well-informed investment decisions” (Maryland). A lot of people may dislike Mr. Cox, but what he stated is truthful and is in agreement with what I have stated on why we should switch to IFRS.

Consistency is not only important for comparability, but also for everyone to understand financial statements internationally. International financial reporting standards make financial statements easily understood. Yes, the world does not have an international language, but a majority of people do speak English, which allows people to conduct business globally. Secondly, the United States is the only country that always does things differently. For example, the United States does not use the metric system (i.e. meters, kilometers, etc.); instead we use the customary system (i.e. inches, feet). If you were to drive on the highway in another country, you may not understand how many miles are left because the highway sign only tells you how many meters are left. The United States is the only country that still does not use the metric system. This is a disadvantage for us not being able to understand the metric system. And the same holds true for anyone visiting the United States; the foreigner may not understand our system of measurement. This example of understanding the metric system is similar to understanding financial statements. Lastly, we must not forget that the markets and the economy of today are much more on a global level and not a domestic level. With the U.S. switching over to IFRS from GAAP, it allows our country (the United States) to become a part of that global economy. The United States accepting this switch to IFRS helps people (domestically and internationally) understand accounting standards all over the world. Everything will be as one, which makes the world one step closer to teamwork and unity. Along with the international understanding and acceptance of IFRS, it also allows for U.S. companies to stay competitive in today’s globalization of markets.

Lastly, the United States should switch to IFRS because it helps multinational corporations. “Such a move would bring efficiency and cost savings to a company like Procter & Gamble, whose foreign subsidiaries are already using IFRS...the company just recently began thinking about an organization-wide conversion to IFRS” (Johnson). Companies that are multinationals are already considering their own personal switch to IFRS. Although it will cost them millions to initially convert, the switch will save them money in the future. With the usage of IFRS, a company’s position strengthens in negotiations with credit institutions by reducing the cost of borrowing, due to the positive effect that IFRS has on credit ratings. IFRS will also make it easier for companies to initiate partnerships, implement cross-border acquisitions, and develop cooperation agreements with foreign entities (Pricewaterhouse). All of these advantages will assist in a company’s overall position in the global economy.

Although the switch to IFRS will be beneficial for U.S. companies, some people believe the switch would be at a disadvantage for the country. There are various reasons why people disagree with the switch from GAAP to IFRS. Those reasons are: its uncertainty, there isn’t any enforcement, and it is hard to compare statements.

The first reason why there is disagreement for the switch to IFRS is that the standards introduce uncertainty in the evaluation of financial standards. It raises uncertainty because international financial reporting standards permit managers to exercise their own judgment when deciding what to report in their financial statements (Albrecht). This could lead to possible errors in statements which can cause shareholders, investors, and the general public not to have as much belief in the financial statements. With the uncertainty in financial statements, this could also prevent companies from possibly receiving loans from various financial institutions. Having uncertain financial statements is not good for companies and certainly not good for the United States.

But how exactly are the financial statements uncertain? IFRS provides consistency throughout the world on how to read and understand financial statements. If every country uses different financial standards to compare statements, I believe that would cause even more uncertainty. It would cause more uncertainty because not everyone is going to know how to read and understand another financial statement with different standards, which leads to disbelief in those statements.

Secondly, some people dislike the switch because unlike GAAP, there isn’t much enforcement with IFRS. Unlike GAAP, which has several organizations such as the Securities and Exchange Commission that watch over its accounting rules, IFRS does not. There isn’t a global organization such as the SEC that watches over the international standards (Albrecht). This could cause a problem for fraudulent financial statements, which leads back to uncertainty with those statements. “Various parts of the world will be playing by different rules and there will never be enough consistency…” (Albrecht).

This leads back to how international financial reporting standards bring consistency. Although IFRS may not have several organizations watching over it like GAAP, it brings unity all over the globe in preparing financial statements. With all the countries that are reporting with IFRS, each country can watch over each other when it comes to following the accounting standards. And there is also the International Accounting Standards Board (IASB). IASB may not be like the SEC, but it is an organization that does oversee IFRS. Over time, with more and more countries entering into the IFRS world, more organizations will probably emerge to help regulate the international accounting standards.

Lastly, a disadvantage for the United States switching to international financial reporting standards is that it is hard to compare financial statements. As stated at IFRS.com, “…many countries that claim to be converting to international standards may never get to 100 percent compliance. Most reserve the right to carve out selectively or modify standards they do not consider in their national interest, an action that could lead to incomparability – one of the very issues that IFRS seeks to address” (American). What this is stating is that not all countries and companies will switch their systems over to IFRS completely. With that in mind, it will be difficult to compare statements because you don’t know what that company/country complies with or does not comply with.

What if everyone keeps their own accounting standards? That makes it more difficult to compare statements. If there is one international accounting language, even with minor adjustments in some countries, investors, companies, governments, and the general public will be able to understand and compare more with one another.

As you can see, the United States switching their accounting standards over to international financial reporting standards from generally accepted accounting principles is necessary if not crucial. The switch or conversion to IFRS will not only be beneficial for the United States but for the world with the growth of globalization. You can also see that having one international accounting language is also beneficial for comparison of statements, understanding, and saving costs for international companies.

References:
• Albrecht, David. 2008. On-line. Available from Internet, http://profalbrecht.wordpress.com/2008/09/26/why-ifrs-wont-work-in-united-states/, accessed 29 October 2008.

• American Institute of Certified Public Accountants. 2008. International Financial Reporting Standards. Durham, NC: AICPA. On-line. Available from Internet, http://www.ifrs.com/updats/aicpa/ifrs_faq.html#q6, accessed 13 November 2008.

• Johnson, Sarah. 2007. Could You Switch to IFRS in 3 Years? On-line. Available from Internet, http://www.cfo.com/printable/article.cfm/10317444, accessed 29 October 2008.

• Journal of Accountancy. 2008. SEC Roadmap for Transition to IFRS Available. On-line. Available from Internet, http://www.ifrs.com/updates/sec/transition.html, accessed 18 November 2008.

• The Maryland Association of CPAs. 2008. SEC offers roadmap to global accounting standards. Washington D.C. On-line. Available from Internet, http://www.macpa.org/content/printpreview.aspx, accessed 18 November 2008.

• Pricewaterhouse Coopers. 2008. Benefits of Changing to IFRS. On-line. Available from Internet, http://www.pwc.com/extweb/service.nsf/docid/FD457308B1141A958025717E0029CBC5, accessed 13 November 2008.

Welcome

Sunday, February 28, 2010:

Hello, this is my newest blog that focuses on the field and career I enjoy most...accounting. I hope you enjoy.

Here are some of the things that you will see in this blog:
-My job search
-Accounting papers
-Fun accounting topics found from YouTube.com
-School
-And many more!

Suggestions are welcome! Thank you for reading.