All IT organizations need to implement some form of Governance, Risk Management and Compliance (GRC) in their environment. No matter how big or small your organization might be, if your company has even one password for something, you need oversight.
Oversight of risk has long been a best practice for any company that wants to remain competitive. A controlled environment gives an organization streamlined processes, reusable procedures, better functioning systems, and costs that typically come in under budget.
This isn’t just something to do in order to meet federal, state or industry regulations. It’s about being a reliable business partner, a reputable company and an organization that can be trusted to act with integrity. These are the things any size of business needs to gain an advantage in its local market.
See my IT Governance section for more information about IT Audit, and Governance, Risk Management & Compliance (GRC) and Risk, Security & Compliance Assessments (RSCA).
While my articles on GRC are written for the publicly held company, all of this can be scaled to meet the needs of the mid-sized privately held company or the small business. You only need three people to implement a GRC organization in a small company, and they don’t all have to be full-time employees. At the very least, you can find some ideas for securing the technology used in your business, no matter what the industry. GRC is extremely important for retail businesses, especially those doing business on the internet.
One of the first steps in implementing a good governance model is to define your oversight organization. There is no set standard for this; there are many variations of enterprise-wide oversight. For instance, some organizations place a top-layer oversight organization under the CFO, while others appoint a new officer, a CISO (Chief Information Security Officer), and establish oversight there. Some organizations place oversight in Legal, others in the Corporate Controller’s office, and still others establish enterprise oversight in Internal Audit.
After working with several large companies, I’ve come to my own conclusion that an enterprise oversight committee is essential. And to be frank, there are places it should not be. Adding oversight to the Audit department lends a certain air of impropriety: Audit finds the problems, and then its sister team fixes the problems, or provides oversight of the fix. In order to preserve true Audit independence, these two groups should be in separate organizations.
I love lawyers and have a fascination with the law. But Risk Management doesn’t belong in Legal either. Decisions on approaches or initiatives become bogged down in the perception of litigation instead of the perspective of best practice. I’ve actually had a corporate attorney tell me, “We don’t want procedures for this environment. Writing it down means we’re liable to the written document.” Yes, that’s true, but every well-organized, compliant organization that has implemented best practices will tell you policies and procedures are essential.
Because SOX is focused on financial reporting, the accountability for compliance really sits on the shoulders of the Corporate Controller. The CFO should be seriously concerned with the risks in the organization and how those risks are being reported, tracked and monitored. And that’s an excellent place for the corporate oversight organization to be structured.
It’s important to remember that an enterprise-wide oversight team will need to be both diverse and specialized. A Regulatory Analyst for your business side will not be able to effectively oversee compliance on your IT side. Many IT professionals have seen a need, and an opportunity, for technical knowledge in a compliance body: not only to help identify gaps and risks, but also to help solve them. Within your corporate oversight group, you should consider having two specialized teams: one that is intimately familiar with the business of your company, and one that is staffed with technical professionals who can work with your IT department.
So consider this structure:
I’ve worked with both the corporate Audit team and with an IT Audit Oversight team, and let me say, there’s a difference. The biggest thing to think about is the experience of your IT Auditor. Are they someone who read a book, took a class and acquired a certification, but never put that knowledge into practice in the real world? Then you don’t want that person providing your audit of IT GRC. There’s a big difference between what you can read and what you can do in the real world.
Books, classes and certifications are great for the perfect environment. They show you how things should be done. But the world isn’t perfect, and every technology environment will need to implement workarounds in some fashion. Risk Management isn’t about removing all risk, as that isn’t really possible. It’s about managing the risk you have and ensuring there is documented acceptance of the stated risk.
Responsibilities Of The Regulatory Oversight Group
The Regulatory Oversight group should help set standards, policies and procedures, and provide guidance for strategic direction on both the business and IT sides of the fence. It should work with project teams to ensure projects are being developed with compliance in mind. Oversight should help the organization identify gaps, risks or deficiencies; in fact, it should be doing that before the auditing body arrives to perform its official audit of procedures and processes. It should manage the remediation process for reported deficiencies. And finally, it should work with Legal to implement a corporate-wide management attestation process.
Oversight should also monitor the implemented controls on an ongoing basis: periodic testing of what has been implemented in remediation efforts, and periodic testing of the existing controls outlined in the Process Narratives. Both are essential to ensuring IT maintains a high level of compliance and, just as important, retains the evidence and documentation that prove it.
Tone From The Top
No matter how you structure your Oversight organization, it will never succeed if senior management does not back the process. “Tone from the Top” is an extremely important component of the successful implementation of any compliance organization. Without this reinforcement of importance from the top, through all levels of management down to the lowest-level manager, no organization can succeed in meeting compliance regulations and control governance.
Compliance and oversight are the responsibility of every manager in your organization. The CEO and CFO cannot reliably sign the yearly corporate attestation without the accountability of the organization’s managers. If a procedure is put into place to remediate a deficiency, the first-line manager of that procedure is accountable for ensuring its implementation and continued use. The “Tone from the Top” doesn’t stop with the email from the CFO. It must become the company motto for all managers, regardless of deadlines or budgets.
IT organizations cannot deliver effective products without adopting a control framework. Frameworks are becoming a part of IT management best practice, and they also provide the foundation for governance and compliance. Two widely accepted framework models are in use today for IT: COSO (The Committee of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and related Technology).
In general, COSO is a business framework that works well on the business side of any company. According to COSO, Internal Control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
It is built on the following key concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
But COSO can fall short when providing a framework for IT governance. In 1996, ISACA (Information Systems Audit and Control Association) released a set of control objectives to address these shortcomings for IT organizations. This was the first edition of COBIT.
In 1998 the next version of the framework was released, which included the implementation tool set and detailed control objectives. COBIT 3.0 was released in 2000 and added management guidelines. In 2002 the Sarbanes-Oxley law arrived, and COBIT was quickly adopted by IT organizations throughout the United States.
COBIT 4.0, released in December 2005, includes guidance for management at all levels, from the board to low-level managers. It consists of the executive overview, the framework, the core content (control objectives, management guidelines and maturity models) and appendices (mappings, cross-references and a glossary). It also maps COBIT to other standards such as ITIL, CMM, COSO, PMBOK, ISF and ISO 17799. And finally, it links business goals, IT goals and IT processes: detailed research in eight industries gives a clearer insight into how COBIT processes support the achievement of specific IT goals and, by extension, business goals.
As time goes on, standards and approaches to business processes evolve. It’s important for organizations to stay current on these frameworks, but keep in mind that the basic principles are always the same. Manage the risk and implement best practices, and you’ll be able to control and govern your IT environment.
Feeling overwhelmed yet?
December 15, 2006
© 1997-2019 Springwolf, D.D., Ph.D., Springwolf’s Creations. All Rights Reserved.