The Keiter Stephens Accounting Blog » IT Audit

CIO Mistakes to Avoid

General — Sun, 14 Feb 2010 18:17:52 +0000

CIOs are faced with challenges on a daily basis. This article provides a list 8 mistakes to avoid. It is a pretty good list and a number of items definitely ring true for any leadership position, not just CIO. Our experiences as IT auditors have shown a number of these occurring, but 2 stick out: “No. 6: Failing to build accountability into the IT organization” and “No. 8: Losing sight of the big picture”.

From an audit perspective, lack of accountability can lead to weak controls of critical systems and data. Additionally, losing sight of the big picture can lead to projects that are not in line with business strategy and IT departments that do not effectively use resources, time, and money.

What experiences (IT or non IT) have you had in your organization? What other audit concerns could come from this list?

Real World ERM

admin — Wed, 10 Jun 2009 16:21:32 +0000

The Institute of Internal Auditors (IIA) released a great series of articles on Enterprise Risk Management (ERM), “Real-world ERM” and “12 Key ERM Challenges”, that convey the struggles of implementing ERM and some great insights on how to ‘make it real.’

A quote that stuck out to me was, “there is no shortage of guidance to explain what ERM is and how to implement it, though most of this information is written for risk and control specialists. To succeed, ERM efforts need to include people with other priorities.”

Getting buy-in from management is a top roadblock to successfully implementing an ERM program – or at least to implementing an ERM program that won’t fizzle out quickly. Fortunately, as noted above, there is a multitude of documentation on the concept and benefits of ERM…. and in a later post, I’ll identify the most relatable ways to talk about ERM with management.

Spreadsheet and EUC Controls

admin — Wed, 10 Jun 2009 16:16:31 +0000

It is hard to find an organization that doesn’t use End User Computing (EUC) applications in some manner these days. EUC applications are owned by user groups and are not centrally supported by a company’s IT group. Without IT’s support, EUC applications are often not tested prior to implementation, secured through access restrictions, monitored for changes in functionality, or tested for compliance with a company’s control standards.

The most commonly found EUC is a spreadsheet, but they may include Access databases or other unsupported applications. Many are integral to completing financial planning, modeling, schedules, consolidations and financial closings. Given the content and use of many EUCs, there is generally a high level of risk associated with not controlling them.

Does your organization know all the EUCs that are financially significant? Does your organization have a plan to manage access, change control, and the functionality of financially significant EUCs?

ERM vs GRC

Ben Sady — Wed, 10 Jun 2009 15:19:52 +0000

“Enterprise Risk Management (ERM) and Governance, Risk, and Compliance (GRC) are pretty similar in definition and are often sited interchangeably. I’ve often asked what the difference was, so I’m sure you may have asked the same question.

After some quick web searching, I found this interesting article on the difference between ERM and GRC.

In it’s simplest form, the difference is simply in their names. ERM includes identifying risk appetite, assessing risk, integrating risk management in daily decisions, and monitoring risks. GRC is an umbrella philosophy that includes risk management, governance, and compliance. GRC may include ERM as the methodology of managing risk, but it may not. If an ERM program is linked to governance and risk, then it might transition into a true GRC program.

There is certainly more to ERM and GRC programs, but that is the nuts and bolts difference between the two.

Are you interested in implementing ERM or GRC programs successfully? If you’ve already implemented these programs at your organization – what pitfalls have you faced? What success stories do you have?”