Wednesday, August 8, 2007

Great, Now What??

Putting Together a Plan of Attack

In the last installment, we talked about a common way most of us fall into the world of governance, control and audit activities – through a bad audit. In this episode, we’ll look at the steps you should take to get the issue under control. First off, remember that this initial period is pretty stressful. You can go a long way simply by not letting them see you sweat. Oh, don’t get me wrong, you can sweat buckets, but you don’t want to do it in front of your management or their management. You have control. You have a plan. And that plan is pretty straightforward. Ask yourself what you can do right now to correct the errors and exceptions that were found as part of the audit. Correcting issues demonstrates an understanding of the issue. It gets the “data” fixed and gives some assurance that another audit of the same materials would not be as painful. This is akin to stabilizing your patient. Once your “patient” is stable, though, the real work begins.

Why did the problem happen in the first place? At the core, most problems that lead to audit findings aren’t because people are unwilling or unable to follow directions, or because they want to cause problems – even when people admit to working around the process. No, most problems are caused by bad process – the work flow that allows a particular work activity to be accomplished isn’t doing what it needs to in an effective, efficient or timely manner.

So how do you deal with this?

Process is, thankfully, a fairly straightforward thing to get our arms around, though it does take some understanding of the basics before you feel comfortable with it. Let’s take a case study of a problem I was presented with early in my career.

My organization had recently gone through an audit, and the CIO was in my cube wanting to know why we had so many problems with our user accounts. It was the first I had heard of the issue (I know, my bad), but I was determined to get ahead of the problem.

As we looked through the report from the auditors, we found a lot of issues with user access. We had users long departed from the company who had access to our ERP system. We had users that had changed departments, but who still had access related to their old job role. We had users with application administration privileges that shouldn’t even have access to the system. Obviously, something had gone wrong.

When we take a step back, we’re really talking about a set of processes here -- User Access Termination, User Access Transfers, User Access Creation and Appropriate Access Reviews. These four processes form the basis of most user access management controls. Somehow, these four processes weren’t doing what we needed them to do – manage and report on user access in a way that assures an effective control environment. Put in simpler terms, we couldn’t prove we had control of our environment, and the evidence demonstrated we didn’t.
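To make the "Appropriate Access Reviews" process concrete, here is an added example (my own, not code from the original post or from any ERP product) that reconciles an ERP account export against the HR roster and flags the three classes of finding described above: leavers who still have a login, transfers still carrying their old department's roles, and application administrators with no approval on record. The roster, account list, role-to-department mapping and admin allowlist are all constructed sample data.

```python
# Constructed sample data (hypothetical): HR roster keyed by employee id.
HR_ROSTER = {
    "E100": {"dept": "finance", "status": "active"},
    "E200": {"dept": "sales", "status": "active"},      # moved from finance
    "E300": {"dept": "finance", "status": "terminated"},
}

# Constructed sample data: what the ERP system thinks today.
ERP_ACCOUNTS = [
    {"user": "alice", "emp": "E100", "roles": {"AP_CLERK"}, "admin": False},
    {"user": "bob", "emp": "E200", "roles": {"AP_CLERK", "SALES_REP"}, "admin": False},
    {"user": "carol", "emp": "E300", "roles": {"AP_CLERK"}, "admin": False},
    {"user": "dave", "emp": "E999", "roles": set(), "admin": True},
]

# Assumed mapping of each ERP role to the department that owns it.
ROLE_OWNER_DEPT = {"AP_CLERK": "finance", "SALES_REP": "sales"}

# Accounts explicitly approved to hold application-administrator rights.
ADMIN_ALLOWLIST = {"sysadmin"}


def review_access(hr, accounts, role_owner, admin_allowlist):
    """Return (user, finding_type, detail) tuples for every exception."""
    findings = []
    for acct in accounts:
        emp = hr.get(acct["emp"])
        if emp is None or emp["status"] != "active":
            # Termination process failed: leaver or unknown id still has a login.
            findings.append((acct["user"], "terminated", acct["emp"]))
        else:
            # Transfer process failed: role owned by a department the user left.
            for role in sorted(acct["roles"]):
                if role_owner.get(role) != emp["dept"]:
                    findings.append((acct["user"], "transfer", role))
        if acct["admin"] and acct["user"] not in admin_allowlist:
            # Access review failed: admin rights with no approval on record.
            findings.append((acct["user"], "admin", "app_admin"))
    return findings


def summarize(findings):
    """Count findings per class so management sees the scope at a glance."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ERP_ACCOUNTS, ROLE_OWNER_DEPT, ADMIN_ALLOWLIST):
        print(*f)
```

Run on the sample data it reports bob's stale finance role, carol's and dave's live accounts without an active HR record, and dave's unapproved admin rights, while alice (active, correctly roled) produces nothing; each class maps back to one of the four processes named above.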

So, how are we going to scope our work to be successful? For each of the audit points you are facing, you need to address the immediate data issues related to the specific finding. Once underway, you can then take a step back and start analyzing the process to determine what went wrong and why. For management, your plan for each audit point becomes very straightforward – gain immediate control, then deep dive to prevent the problem from occurring again in the future.

In the next episode, we’ll talk more about analyzing processes and creating effective controls to assure processes are doing what you need them to.
