Supporting Corporate Compliance Roundtable Series
What every IT Professional Needs to Know: What are your Rights in an Audit?
It is my hope that you found value at our latest Compliance Management Roundtable session. Thank you for the increased attendance, comments and participation. If you were unable to attend, we will be resuming our sessions next year. It is our goal to facilitate these ITA sessions to discover the common Compliance Management issues, problems, solutions and related news for the membership.
Our interactive Roundtable format is always a great way for you to participate by sharing your ideas and being able to ask the experts! Please see the meeting notes below, and feel free to add your comments to our blog.
- LF Gibson
Special thanks to our featured speaker, Van Rownd, for leading our discussion on knowing your audit rights. We hope he was able to answer your questions on:
Q1: What rights does the IT Department have regarding the SOX audit procedures?
· IT Pros need to work with the auditor to see what happens on a daily basis in their own department.
· It is a good idea to hold a 30 – 45 minute daily wrap-up with your auditor to address problems and concerns and to aid in their discovery work.
· Know whom the Auditor answers to in Management.
· Check in with your IT Department daily and/or weekly to learn what they discussed with the auditor, so your own communication stays consistent.
· Additional ideas from the group were mentioned and shared…
Q2: What IT Controls do you have in place, and how can they work in your favor during the audit?
· Auditing Standard 2 suggests controls that are an excellent checkpoint for automating your internal IT Controls.
· Use frameworks and IT methodologies to automate your processes and mitigate those ‘manual mistakes’.
· Give employees ownership: they should understand WHY they are doing their job, how it affects the company, how important their duties are to the Compliance Audit, and the whole job function from start to finish.
Q3: How do you define the scope of the audit, and how do you align IT Controls with Finance concerns?
· Use a matrix to show strengths and weaknesses to help define the scope of the audit.
· Show the Board of Directors what IT sees as fixable, what the cost of NOT fixing it is, and what is doable on DAY 1; then work on defining the “Real Risks” in the matrix in preparation for the auditor.
· Plan, budget, and then define a scope. Negotiate with the auditor to put the lower priorities on a 2 – 3 year ‘fixable’ timeline.
Q4: How do you make the Auditor your ally?
· Take a knowledgeable advocate with you into Compliance Management. Don’t go alone in the beginning, and don’t try to reinvent the “auditing wheel”.
· No report is perfect. When an exception is found, document the incident and the steps taken to resolve it, and keep this with the reports. Auditors will LOVE you for this organizational task.
· Build a rapport with your auditors… Know your 3rd party contracts and vendors, and get them in line before introducing them to the auditor.
OTHER NOTES:
· SAS 70 Audits were discussed.
· When the SOX Act was written, no one took the corporate world of IT into account… The SOX Act ends up on “IT’s shoulders”.
· There is a well-known communication gap between IT and the Auditors.
· Future regulations are coming as a surprise to those who are already SOX compliant.
· Reporting needs to be utilized by ALL levels of Management.
· Can you define what a Real Time Disclosure is for your Company?
· What are the 4 main Compliance Issues for SMBs?
o Internal theft that is publicly admitted drops the stock price and affects Real Time Disclosure.
o Have you Discussed Business Continuity and Disaster Recovery?
o Do you have a Risk Assessment Plan?
o Is Strategic Planning in place?