Streamlining Your Compliance Strategy
09/24/2007
By David A. Kelly, Analyst, ebizQ
Like it or not, many of today's organizations have to plan for audits - in some cases once a year, in other cases on an on-going basis. Of course, meeting compliance and auditing requirements takes time, resources and money. That's why many organizations have started to look at the effectiveness of their compliance and auditing strategies, with an eye to streamlining and automating processes and simply making audits less painful and costly.

For many organizations, IT compliance is being seen as essential to ensure regulatory and business compliance. As a result, IT teams need a greater understanding of business functions across divisions. They are no longer an invisible, backend support unit only but can be more involved in streamlining business processes as well.

To help organizations learn how to optimize their auditing and compliance strategies, I talked with Jorge Rey, an information security and IT audit manager with Kaufman, Rossin & Co., a Miami-based accounting and consulting organization. Here are some key recommendations from Mr. Rey:

  • Understand Your IT Compliance Needs: The bottom line of compliance is protecting information. However, not all information needs to be protected the same way. Depending on your compliance requirements, information will need to be protected from unauthorized access, use, disclosure, destruction, modification, or disruption. Understanding what information to protect and how to protect it will help your organization design an information security program that addresses your regulatory and business requirements. Furthermore, it will help you assess what type of audits and related procedures will be required.
  • Understand the Types of Audits: Audits should be performed by an independent and qualified group (internal or external). Each organization, regardless of its size and complexity, should want to understand how it is managing its compliance efforts and IT risks, and how it can improve its processes. There are various types of audits that can be performed: Financial, Operational, Integrated (financial and operational), Administrative, Agreed-upon procedures, Information Security and Forensic audits. "Regardless of the type of audit that is or should be performed, some organizations, depending on their government or external requirements, might be required to have an external audit group issue an audit report," says Mr. Rey.
  • Identify Your Potential Risks and Decide on the Optimal Frequency: Organizations should assess and understand their regulatory and business risk to determine the optimal mitigation strategies and audit frequency. If the organization identifies the vulnerabilities and threats to its information resources, it will be able to determine the frequency and future benefit of the audit. The controls surrounding a business process should be audited more frequently when the consequences for the company would be devastating if the vulnerability were exploited. Thus, the optimal frequency for audits depends on the potential threat and the loss potential. "The frequency of audits should be established during the audit planning. Analysis of short- and long-term planning should be covered during the planning so new risks related to control issues, regulations, technology or business processes are properly identified," says Rey.
  • Understand the Impact on IT: It's now more important than ever for the business to have an understanding of IT (as well, of course, as for IT to have an understanding of the business). "As a result of IT auditing and/or compliance requirements, it is more important for business process owners to have a better understanding of IT. Business owners are responsible for defining business requirements while IT is responsible for implementing and/or maintaining these," says Rey. "IT typically understands the business process (in the end, they are the backbone of many organizations) but they should not be responsible for making business decisions on behalf of business users unless explicitly requested and risks accepted."