At its most basic level, an IT security audit is a systematic evaluation of a company's IT security infrastructure that measures how well security policies, procedures, and controls conform to a set of established criteria. Today's internal auditors know that the true value of an IT security audit to an organization goes beyond compliance. By successfully communicating their IT security audit recommendations, auditors can have a major influence on corporate strategy. Unfortunately, many auditors find there is little guidance to help them communicate audit results and recommendations to senior-level managers when preparing for the IT security audit. Consequently, conveying IT security recommendations can be one of the most challenging parts of an internal auditor's job. However, with a little preparation and knowledge, auditors can enhance the way they communicate IT security audit results as well as provide recommendations senior managers can relate to, understand, and implement.
What can the board of directors do to make sure that their CEO has moved to a place focused on mitigating operational risks to enhance opportunities and long term strategy?
Fundamentally, the first task is to make sure that the CEO has a management system in place for operational risk. What is needed is a process approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of an organisation’s operational risk enterprise architecture (OREA).
Let’s break OREA down this a little further to get a better view of some of the specific operational attributes:
People
Employee fraud, misdeed, unauthorised activity, loss/lack of personnel and employment law.
Process
Payment/settlement, delivery/selling, documentation/contract, valuation/pricing, internal/external reporting and compliance.
Systems
Technology investment, development, access, capacity, failures and security breach.
External
Legal liability, criminal activities, outsourcing, suppliers / insourcing, disasters / infrastructure, regulatory/political.
The attributes of operational risk are the same key areas that need to have metrics created for measurement and auditing. Performance management, Balanced Scorecard and other methodologies for managing, monitoring and continuous improvement need to be implemented so the boards of directors have a way to get timely alerts, updates and reporting.
The operational risk enterprise architecture (OREA) is a management framework that requires a process approach embedded with the legacy of our quality initiatives of the past several decades. The reason is because of the threat of change itself. The P-D-C-A model (plan – do – check – act) is appropriate for application to this process approach and threat of a constantly changing corporate environment:
Plan
Establish policy, objectives, targets, processes and procedures for managing operational risks to deliver results in accordance with the organisations business objectives.
Do
Implement and operate the policy, controls, processes and procedures.
Check
Assess and measure in applicable areas while reporting results to management for review.
Act
Take corrective and preventive actions based on results to continually improve the OREA framework.
Operational risk management is getting the attention of organizations outside of the major banks at a rapid pace. Board of directors in any industry will soon realize that the successful CEO of the future will be a master of building a culture with effective operational risk management systems at its core.
Furthermore, interpreting how enforcement of IT security controls and policies can strengthen connections with customers and suppliers, how authorization processes can preserve intellectual property, or how separation of duties can drive innovative new business processes demonstrates to senior managers that internal auditors are an invaluable company resource and asset.