Financial Statement Audits – IT Lessons Learned | Part I: Strategy & IT Governance


This article is co-authored by Natasha Barnes.

Summer has finally arrived and another busy season is done! While conducting IT risk assessments for financial statement audits, we saw several recurring themes in our findings. Our clients consisted of private organizations in construction & real estate, technology, government contracting, and professional services. We hope that your organization will find some of these findings useful in addressing risks and enhancing your IT environment. Regardless of whether you’re required to undergo a financial statement audit or not, these are standard elements that may help you mature an IT program.

Develop an IT strategic plan. Participating clients were at various stages of their business lifecycle. Regardless of stage, Aronson stresses the importance of having an IT strategy that aligns with the business strategy, so that the IT function can meet the growth needs of the business. The strategy should focus on the key IT priorities needed either to scale the business or to maintain business operations. An IT strategic plan usually covers a three to five year span.

Develop a steering committee. Don’t let the term be intimidating. The purpose of a steering committee is to make sure that IT and business leaders, as well as other relevant stakeholders, meet on a periodic basis. The meeting agenda should focus on the IT strategic plan and related priorities that impact multiple groups. Maintain records of the meeting notes and attendees, and make sure those records clearly indicate that IT subjects were discussed. It’s also an opportunity for business and IT leadership to collaborate on short- and long-term plans. Where no such coordination existed, we found cross-departmental communication regarding IT matters was rare.

Document policies and procedures. For organizations with few IT team members, we understand it can seem excessive to develop policies and procedures. When the IT team roster can be counted on one hand, business is typically conducted via Instant Message (IM) or in-person conversations. That may work for now, but most business leaders aspire to grow, and as an organization grows, the absence of documentation invites inconsistency in how things are done. These documents should exist to support the protection of information assets and to standardize operations. They don’t need to be elaborate, but it helps to start somewhere. Also, record periodic reviews of these documents so there is evidence that an authorized person evaluated them and confirmed they’re still valid. Signatures, time and date stamps please!

Tip: Worried about maintaining numerous separate policy documents? Consider a policy manual instead that consolidates the subjects.

Caution: Templates for these documents can be purchased from various vendors. If your organization takes this route, be sure to take the time necessary to customize them to your environment. These documents should describe the way you actually do business.

Stay tuned for the next part in this series, which will focus on Risk Management. If you have any questions about implementing these controls in your IT environment, please contact Natasha Barnes at

Read Part II: Risk Management and Part III: Access, Passwords, Configuration, and Change Management.

About Payal Vadhani

Payal Vadhani has written 4 posts in this blog.

Payal Vadhani is the partner-in-charge of Aronson LLC’s Technology Risk Services Group. She is an innovative and seasoned executive with more than fifteen years of technology risk advisory and assurance experience. Her experience has been providing internal auditing, IT risk management, information and cyber security, third party reporting, compliance, process improvement, and additional technology risk services to clients across industries. In particular, she has extensive financial services experience. Throughout her career, she has sought to align clients’ needs and strategic objectives with an approach that manages the risks of technology with the benefits. As a trusted advisor to her clients, Payal succeeds in breaking down complex technology concepts and developing pragmatic, cost-effective solutions that minimize risk and add value. She offers significant experience building technology risk management programs and managing large advisory engagements. In her current role, she is focusing on the development of risk services related to existing and emerging technologies including cloud (private and public) computing, mobile computing, big data, social media, and internet of things. Payal earned a Master’s of Business Administration degree in Information Technology from American University. She received her Bachelor’s in Engineering degree in Computer Science from the University of Pune, one of the premier universities in India. She holds credentials in IT Capability Maturity Framework (IT-CMF) and Certified Information Systems Auditor (CISA).
