Like it or not, many of today's organizations have to plan for audits, in some
cases once a year, in other cases on an ongoing basis. Meeting compliance
and auditing requirements takes time, resources and money. That's why many organizations
have started to look at the effectiveness of their compliance and auditing strategies,
with an eye to streamlining and automating processes and simply making audits
less painful and costly.
For many organizations, IT compliance is now seen as essential to meeting
regulatory and business obligations. As a result, IT teams need a greater understanding
of business functions across divisions. They are no longer only an invisible, back-end
support unit but can be more involved in streamlining business processes.
To help organizations learn how to optimize their auditing and compliance
strategies, I talked with Jorge Rey, an information security and IT audit manager
with Kaufman, Rossin & Co., a Miami-based accounting and consulting organization.
Here are some key recommendations from Mr. Rey:
Understand Your IT Compliance Needs: The bottom line of compliance is protecting
information. However, not all information needs to be protected the same way.
Depending on your compliance requirements, information will need to be protected
from unauthorized access, use, disclosure, destruction, modification, or disruption.
Understanding what information to protect and how to protect it will help
your organization design an information security program that addresses your
regulatory and business requirements. Furthermore, it will help you assess
what type of audits and related procedures will be required.
Understand the Types of Audits: Audits should be performed by an independent
and qualified group (internal or external). Every organization, regardless
of its size and complexity, should want to understand how it is managing
its compliance efforts and IT risks, and how it can improve its processes.
There are various types of audits that can be performed: Financial,
Operational, Integrated (financial and operational), Administrative, Agreed-upon
procedures, Information Security and Forensic audits. "Regardless
of the type of audit that is or should be performed, some organizations, depending
on their government or external requirements, might be required to have an external
audit group issue an audit report," says Mr. Rey.
Identify Your Potential Risks and Decide on the Optimal Frequency: Organizations
should assess and understand their regulatory and business risk to determine
the optimal mitigation strategies and audit frequency. If the organization
identifies the vulnerabilities in and threats to its information resources, it
will be able to determine the frequency and future benefit of the audit. The
controls surrounding a business process should be audited more frequently when
the consequences for the company would be devastating if the vulnerability were exploited.
Thus, the optimal frequency for audits depends on the potential threat and
the loss potential. "The frequency of audits should be established during
the audit planning. Analysis of short- and long-term planning should be covered
during the planning so new risks related to control issues, regulations, technology
or business processes are properly identified," says Rey.
Understand the Impact on IT: It's now more important than ever for the business
to have an understanding of IT (as well, of course, as for IT to have an understanding
of the business). "As a result of IT auditing and/or compliance requirements,
it is more important for business process owners to have a better understanding
of IT. Business owners are responsible for defining business requirements
while IT is responsible for implementing and/or maintaining these," says
Rey. "IT typically understands the business process (at the end, they
are the backbone of many organizations) but they should not be responsible
for making business decisions on behalf of business users unless explicitly
requested and risks accepted."
For example, when a data retention policy needs to be addressed, the business
user should indicate to IT what information resides where and what the retention
period should be. However, this rarely happens, and IT is the one assuming
responsibility and trying to establish a retention schedule that accommodates
all business users' requirements.
Fine-tuning Your IT Compliance Strategy: A good way to fine-tune your IT
compliance strategy and make audits easier and more consistent is to adopt
a business process improvement framework such as Capability Maturity Model®
Integration (CMMI) (www.sei.cmu.edu/cmmi/).
Key Recommendation: "My number one recommendation is to have executive
management involved, including the audit committee and/or board of directors,
in your compliance reporting (if applicable)," says Rey. "Not having
them included will affect the organization's ability to align IT compliance
with business and IT risks mitigated."
Lastly, Rey warns companies to start with the basics. "The most overlooked
issue when planning for an audit is the lack of sound risk assessments,"
About the Author
David Kelly - With twenty years at the cutting edge of enterprise infrastructure,
David A. Kelly is ebizQ's Community Manager for Optimizing Business/IT Management. This category includes IT governance, SOA governance, and compliance, risk management, ITIL, business service management, registries and more.
As Community Manager, David will blog and podcast to keep the ebizQ
community fully informed on all the important news and breakthroughs
relevant to enterprise governance. David will also be responsible for
publishing press releases, taking briefings, and overseeing vendor
submitted feature articles to run on ebizQ. In addition, each week,
David will compile the week's most important news and views in a
newsletter emailed out to ebizQ's ever-growing Governance community.
David Kelly is ideally suited to be ebizQ's Governing the
Infrastructure Community Manager as he has been involved with
application development, project management, and product development
for over twenty years. As a technology and business analyst, David has
been researching, writing and speaking on governance-related topics
for over a decade.
David is an expert in Web services, application development, and
enterprise infrastructures. As the former Senior VP of Analyst
Services at Hurwitz Group, he has extensive experience in translating
the implications of new application development, deployment, and
management technologies into practical recommendations for enterprise
customers. He's written articles for Computerworld, Software Magazine,
the New York Times, and other publications, and spoken at conferences
such as Comdex, Software Development, and Internet World. With
expertise ranging from application development to enterprise
management to integration/B2B services to IP networking and VPNs,
Kelly can help companies profit from the diversity of a changing