This article is co-authored by Natasha Barnes.
Summer has finally arrived and another busy season is done! While conducting IT risk assessments for financial statement audits, we noticed several recurring themes in our findings. Our clients consisted of private organizations in construction & real estate, technology, government contracting, and professional services firms. We hope that your organization will find some of these findings useful in addressing risks and enhancing your IT environment. Regardless of whether you're required to undergo a financial statement audit, these are standard elements that may help you to mature an IT program.
Develop an IT strategic plan. Participating clients were at various stages of their business lifecycle. However, Aronson stresses the importance of having an IT strategy that aligns with the business strategy. This should ensure the IT function will meet the business growth needs accordingly. The strategy should focus on the key IT priorities needed either to scale the business or to maintain business operations. Usually an IT strategic plan is developed for a three- to five-year span.
Develop a steering committee. Don't let the term be intimidating. The purpose of a steering committee is to make sure that IT and business leaders, as well as other relevant stakeholders, are meeting on a periodic basis. The meeting agenda should focus on discussing the IT strategic plan and related priorities that impact multiple groups. Maintain records of the meeting notes and attendees. The records should clearly indicate that IT subjects were discussed. It's also an opportunity for business and IT leadership to come together to collaborate on short- and long-term plans. Where such coordination was absent, we found that cross-departmental communication regarding IT matters was rare.
Document policies and procedures. To some organizations with few IT team members, we understand it can seem crazy to develop policies and procedures. When the IT team roster can be counted on one hand, business is typically conducted via Instant Message (IM) or through in-person conversations. That may be true for now, but most business leaders aspire to grow. As an organization grows, the absence of documentation introduces the possibility of inconsistent practices. These documents should exist to support the protection of information assets and operational standardization and effectiveness. The documentation doesn't need to be elaborate, but it helps to start somewhere. Also, record periodic reviews of these documents to ensure an authorized person evaluated them to confirm they're still valid. Signatures, time and date stamps please!
Tip: Worried about maintaining numerous separate policy documents? Consider a policy manual instead that consolidates the subjects.
Caution: Templates for these documents can be purchased from various vendors. If your organization takes this route, be sure to take the time necessary to customize them to your environment. These documents should describe the way you actually do business.
Stay tuned for the next part in this series, which will focus on Risk Management. If you have any questions about implementing these controls in your IT environment, please contact Natasha Barnes at email@example.com.