Archive for the ‘IT Audit’ Category

CIO Mistakes to Avoid

Sunday, February 14th, 2010

CIOs are faced with challenges on a daily basis. This article provides a list of 8 mistakes to avoid. It is a pretty good list, and a number of items definitely ring true for any leadership position, not just CIO. Our experiences as IT auditors have shown a number of these occurring, but 2 stick out: “No. 6: Failing to build accountability into the IT organization” and “No. 8: Losing sight of the big picture”.

From an audit perspective, lack of accountability can lead to weak controls over critical systems and data. Additionally, losing sight of the big picture can lead to projects that are not in line with business strategy and to IT departments that do not effectively use resources, time, and money.

What experiences (IT or non-IT) have you had in your organization? What other audit concerns could come from this list?

Real World ERM

Wednesday, June 10th, 2009

The Institute of Internal Auditors (IIA) released a great series of articles on Enterprise Risk Management (ERM), “Real-world ERM” and “12 Key ERM Challenges”, that convey the struggles of implementing ERM and some great insights on how to ‘make it real.’

A quote that stuck out to me was, “there is no shortage of guidance to explain what ERM is and how to implement it, though most of this information is written for risk and control specialists. To succeed, ERM efforts need to include people with other priorities.”

Getting buy-in from management is a top roadblock to successfully implementing an ERM program – or at least to implementing an ERM program that won’t fizzle out quickly. Fortunately, as noted above, there is a multitude of documentation on the concept and benefits of ERM… and in a later post, I’ll identify the most relatable ways to talk about ERM with management.

Spreadsheet and EUC Controls

Wednesday, June 10th, 2009

It is hard to find an organization that doesn’t use End User Computing (EUC) applications in some manner these days. EUC applications are owned by user groups and are not centrally supported by a company’s IT group. Without IT’s support, EUC applications are often not tested prior to implementation, secured through access restrictions, monitored for changes in functionality, or tested for compliance with a company’s control standards.

The most commonly found EUC is a spreadsheet, but EUCs may also include Access databases or other unsupported applications. Many are integral to completing financial planning, modeling, schedules, consolidations, and financial closings. Given the content and use of many EUCs, there is generally a high level of risk associated with not controlling them.

Does your organization know all the EUCs that are financially significant? Does your organization have a plan to manage access, change control, and the functionality of financially significant EUCs?