Wednesday, August 8, 2007

Great, Now What??

Putting Together a Plan of Attack

In the last installment, we talked about a common way most of us fall into the world of governance, control and audit activities – through a bad audit. In this episode, we’ll look at the steps you should take to get the issue under control. First off, remember that this initial period is pretty stressful. You can go a long way simply by not letting them see you sweat. Oh, don’t get me wrong, you can sweat buckets, but you don’t want to do it in front of your management or their management. You have control. You have a plan. And that plan is pretty straightforward. Ask yourself what you can do right now to correct the errors and exceptions that were found as part of the audit. Correcting issues demonstrates an understanding of the issue. It gets the “data” fixed and gives some assurance that another audit of the same materials would not be as painful. This is akin to stabilizing your patient. Once your “patient” is stable, though, the real work begins.

Why did the problem happen in the first place? At the core, most problems that lead to audit findings aren’t because people are unwilling or unable to follow directions, or because they want to cause problems – even when people admit to working around the process. No, most problems are caused by bad process – the work flow that allows a particular work activity to be accomplished isn’t doing what it needs to in an effective, efficient or timely manner.

So how do you deal with this?

Process is, thankfully, a fairly straightforward activity to get our arms around, but it does take some understanding of the basics to feel comfortable with. Let’s take a case study of a problem I was presented with early in my career.

My organization had recently gone through an audit, and the CIO was in my cube wanting to know why we had so many problems with our user accounts. It was the first I had heard of the issue (I know, my bad), but I was determined to get ahead of the problem.

As we looked through the report from the auditors, we found a lot of issues with user access. We had users long departed from the company who had access to our ERP system. We had users that had changed departments, but who still had access related to their old job role. We had users with application administration privileges that shouldn’t even have access to the system. Obviously, something had gone wrong.

When we take a step back, we’re really talking about a set of processes here -- User Access Termination, User Access Transfers, User Access Creation and Appropriate Access Reviews. These four processes form the basis of most user access management controls. Somehow, these four processes weren’t doing what we needed them to do – manage and report on user access in a way that assures an effective control environment. Put in simpler terms, we couldn’t prove we had control of our environment, and the evidence demonstrated we didn’t.
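As an added illustration, not part of the original post: a small access-review reconciliation in Python that compares an HR roster against the ERP account list and flags the three kinds of findings described above (departed users still enabled, transferred users keeping old-role access, and administrative privileges held by people not entitled to them). The department-to-role entitlement table and every record are constructed for this example.

```python
"""Access-review reconciliation: HR roster vs. ERP accounts (constructed sample data)."""
from dataclasses import dataclass

# Assumed entitlement table: which departments may hold each ERP role.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"Finance"},
    "SALES_ORDER_ENTRY": {"Sales"},
    "ERP_ADMIN": {"IT"},
}


@dataclass
class Employee:
    user_id: str
    department: str
    status: str  # "active" or "terminated"


@dataclass
class ErpAccount:
    user_id: str
    roles: frozenset
    enabled: bool


def review_access(hr_roster, erp_accounts):
    """Return (user_id, finding) tuples for every enabled account that fails review."""
    by_id = {e.user_id: e for e in hr_roster}
    findings = []
    for acct in erp_accounts:
        if not acct.enabled:
            continue  # disabled accounts are not an access exposure
        emp = by_id.get(acct.user_id)
        if emp is None or emp.status == "terminated":
            findings.append((acct.user_id, "terminated_user_with_active_account"))
            continue  # no point checking roles for someone who should have none
        for role in sorted(acct.roles):
            if emp.department not in ROLE_ENTITLEMENTS.get(role, set()):
                kind = ("admin_privilege_not_entitled" if role == "ERP_ADMIN"
                        else "role_not_matching_department")
                findings.append((acct.user_id, f"{kind}:{role}"))
    return findings


def sample_review():
    """Constructed roster and accounts covering each finding type once."""
    roster = [Employee("alice", "Finance", "active"),
              Employee("bob", "Sales", "active"),  # transferred out of Finance
              Employee("carol", "Finance", "terminated"),
              Employee("dave", "Marketing", "active")]
    accounts = [ErpAccount("alice", frozenset({"AP_CLERK"}), True),
                ErpAccount("bob", frozenset({"AP_CLERK", "SALES_ORDER_ENTRY"}), True),
                ErpAccount("carol", frozenset({"AP_CLERK"}), True),
                ErpAccount("dave", frozenset({"ERP_ADMIN"}), True),
                ErpAccount("erin", frozenset({"AP_CLERK"}), False)]  # disabled, no HR record
    return review_access(roster, accounts)
```

Run periodically (and on every termination or transfer event) the same comparison turns a once-a-year audit surprise into a routine control with evidence you can hand to the auditors.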

So, how are we going to scope our work to be successful? For each of the audit points you are facing, you need to address the immediate data issues related to the specific finding. Once underway, you can then take a step back and start analyzing the process to determine what went wrong and why. For management, your plan for each audit point becomes very straightforward – gain immediate control, then deep dive to prevent the problem from occurring again in the future.

In the next episode, we’ll talk more about analyzing processes and creating effective controls to assure processes are doing what you need them to.

Welcome

Gov *er* nance

"A method or system of government or management."

Welcome to Easygov-IT.org. Easygov (as I’m going to call it for short) is a blog devoted to governing and controlling IT environments in ways that make sense, add value and allow the organization to drive forward. In short – making IT governance EASY.

I started this site for two reasons. First, governance is a complex and often daunting task to the uninitiated – and unlike a lot of areas in IT, there isn’t a lot of wiggle room for making errors and finding your way through the process when the auditors come knocking. Secondly, most of the places that say they want to help you understand governance do so with a hefty price tag attached. After years of learning, experiencing and taking from the resources of the internet, it was time I gave back. The best way for me to do that is to share my experiences and information with others.

First, a little background. For the last several years, I have been at the forefront of the companies I have worked for in addressing IT audits, IT controls and IT governance. These have included stints in both the service and the manufacturing sectors – which each have their own rules – and for both public and private firms. Annual revenues for these companies run in the $1-10B range. This combination of organizations has given me a unique opportunity to see a wide variety of audit issues, and work with a large group of people to evaluate situations and effectively address problems.

If you’ve read this far, I’m assuming you have an interest in IT governance, and a desire to make use of the tools and services IT governance can provide your organization. Just as likely, if you’ve stumbled across this page it’s because you’ve gone through an audit of some type, you got dinged, the board is up in arms and senior management is breathing down your neck to find solutions. Been there. Got the scars. So let’s start with rule number one of the governance game.

Don’t Panic.

There is a lot to do. There is a lot to keep track of. For most organizations, it’s more than a single person can handle – but that’s why they pay us the big bucks. We’re going to do two things to help make you successful. First, we’re going to define where your effort needs to go, and secondly we’ll look at building a good governance team around you – even if they are just your peers.

In the next installment, we’ll discuss how to scope your work to make you successful.