Like it or not, many of today's organizations have to plan for audits - in some cases once a year, in other cases on an on-going basis. Of course, meeting compliance and auditing requirements takes time, resources and money. That's why many organizations have started to look at the effectiveness of their compliance and auditing strategies, with an eye to streamlining and automating processes and simply making audits less painful and costly.

For many organizations, IT compliance is being seen as essential to ensure regulatory and business compliance. As a result, IT teams need a greater understanding of business functions across divisions. They are no longer an invisible, backend support unit only but can be more involved in streamlining business processes as well.

To help organizations learn how to optimizing their auditing and compliance strategies, I talked with Jorge Rey, an information security and IT audit manager with Kaufman, Rossin & Co. a Miami-based accounting and consulting organization. Here are some key recommendations from Mr. Rey:

• Understand Your IT Compliance Needs: The bottom line of compliance is protecting information. However, not all information needs to be protected the same way. Depending on your compliance requirements, information will need to be protected from unauthorized access, use, disclosure, destruction, modification, or disruption. Understanding what information to protect and how to protect it will help your organization design an information security program that addresses your regulatory and business requirements. Furthermore, it will help you assess what type of audits and related procedures will be required.
• Understand the Types of Audits: Audits should be performed by an independent and qualified group (internal or external). Each organization, regardless of the size and complexity should want to understand how they are managing their compliance efforts, IT risks and how they can improve their processes. There are various types of audits that can be performed and these are: Financial, Operational, Integrated (financial and operational), Administrative, Agreed upon procedures, Information Security and Forensic audits. "Regardless of the type of audit that is or should performed, some organizations depending on their government or external requirements might require to have an external audit group issue an audit report," says Mr. Rey.
• Identify Your Potential Risks and Decide on the Optimal Frequency: Organizations should assess and understand their regulatory and business risk to determine the optimal mitigation strategies and audit frequency. If the organization identifies vulnerabilities and threats to their information resources they will be able to determine the frequency and future benefit of the audit. The controls surrounding a business process should be audited more frequent when the consequences are devastating for a company if the vulnerability is exploited. Thus, the optimal frequency for audits depends on the potential threat and the loss potential. "The frequency of audits should be established during the audit planning. Analysis of short- and long-term planning should be covered during the planning so new risks related to control issues, regulations, technology or business processes are properly identified," says Rey.
• Understand the Impact on IT: It's now more important than ever for business to have an understanding of IT (as well, of course, as IT having an understanding of business). "As a result of IT auditing and/or compliance requirements, it is more important for business process owners to have a better understanding of IT. Business owners are responsible for defining business requirements while IT is responsible for implementing and/or maintaining these," says Rey. "IT typically understands the business process (at the end, they are the backbone of many organizations) but they should not be responsible for making business decisions on behalf of business users unless explicitly requested and risks accepted."

-1-

Explore Our Topics

• BPM & Enterprise Architecture
• BPM Standards
• BPM Implementation
• BPM Best Practices
• Continuous Process Improvement
• BPM Governance
• Service Governance

• Business to Business (B2B)
• BPM for Supply Chain
• BPM for Customer Management
• BPM for Financial Services
• BPM for Healthcare & Insurance
• BPM for Government

• Business Activity Monitoring
• Event Processing
• Process Intelligence
• Business Rules Management
• Decision Management
• Operational Intelligence

• Workflow Automation
• BPM & Enterprise 2.0
• BPM & Web 2.0
• BPM & ECM
• Case Management
• Collaboration
• Enterprise Portals
• Social BPM

• BPM & Cloud Integration
• BPM Analysis & Optimization
• Business Process Simulation
• Process Visibility & Monitoring
• Process Orchestration
• Process Discovery
• Process Modeling

Home
Webinars
Blogs
ebizQ Forum
All Topics
Subscriptions
White Papers
Analyst Corner
Follow us on Twitter
Fan us on Facebook

Explore Our Topics

BPM Strategy
BPM Solutions
Event Processing Strategy
Content-Centric & Collaborative BPM
Process-Centric BPM

About Us
Editorial Submissions
Feedback
FAQ
Advertise With Us
Site Map
Privacy Policy
Unsubscribe