IT Risk and Control Solutions Specialists – Why you need them more than ever
Over the years, the capabilities of IT systems have certainly grown by leaps and bounds. But so have the risks that accompany them. Countless threats to IT systems now exist that are capable of seriously disrupting business operations. That’s why companies have to conduct assessments aimed at making sure their systems are still capable of functioning effectively, efficiently, and securely all the time.
If you think you’ve been lucky enough to be spared from these threats, then maybe it’s because you haven’t conducted a risk assessment on your IT system recently. All too often, we hear of CIOs who believed their IT system was in tip-top condition, only to be later caught off-guard by a critical system breakdown that would eventually cripple their business for days or weeks.
More information assets to look after
If, before, you only had to worry about regular office applications, workstations, a LAN and a server, today’s varied and more sophisticated information assets are more challenging to maintain.
In addition to network operating systems, database management systems, content management systems, email systems, virtualization platforms, document management systems, business intelligence applications, and accounting software, a typical enterprise may also have to look after firewalls, intrusion detection systems, storage and backup systems, and data loss prevention systems, to mention a few.
These understandably require the services of experts spanning a wide range of skill sets.
Rising threats to corporate identity and privacy
Individuals are no longer just the ones being preyed upon by identity thieves. Businesses can now be subject to corporate identity theft as well. You could wake up one day finding your business already accused of carrying out illegal activities, a big chunk of your money gone, and your directors? seats already occupied by complete strangers.
To make things worse, corporate threats aren’t just coming from the outside.
Threats to corporate privacy, for instance, can come from within the organisation itself. Sensitive information like trade secrets and financial data are often leaked out (purposely or inadvertently) by employees. This is largely caused by the ever growing number of options for communications and transferring data (e.g. emails, instant messaging, blogs, social networking sites, ftp, P2P, etc.).
Greater challenges in designing, developing, and implementing policies and programs
Laws and regulations like SOX and Solvency II, which have direct impacts on IT, are on the rise. That is why corporate policies and programs now require sweeping changes. You now have to be more deliberate in integrating IT when establishing governance, internal controls, change management, incident management, and performance management.
A solid understanding on widely accepted frameworks and good practices like COBIT, COSO, and CMMI will help you considerably in such undertakings. Using these frameworks as guidelines will not only help you keep your policies and programs attuned to the times, they will also keep you in compliance with regulations.
Increasing demand for disaster recovery and business continuity capabilities
Every time you have a down time, you increase the probability of losing your customers to competitors. The longer the down time, the greater that probability becomes. Therefore, when a major disruption strikes, you should be able to recover at the soonest. If possible, you should be able to deliver products and services as usual.
This of course requires spending to increase your disaster recovery (DR) and business continuity (BC) capabilities. Are you ready for it? Migrating your IT infrastructure from traditional systems to the latest technologies that are better equipped for BC/DR requires careful planning and implementation to ensure an optimal return on investment.
A mobile workforce management software is key to managing an efficient field workforce.? Managing a staff of people can be tricky in any industry. Try keeping track of employees on shifting jobsites, many whom are paid hourly or temporary workers. The added pressure of ensuring the right workers get to the right sites at the right times, but they also need to track hours, parts used, vehicles and equipment assets.
In a previous post, we defined what is an operational review and why they play a key process in the continual evolution of successful businesses.?
Operational reviews allow the organization members to evaluate their performance, according to the procedures, resources properly, timescales and budgets.
In this post, we’ll take a closer look at how to implement an operational review and the steps typically undertaken to help you and your organisation to implement an operational review.
What the steps in a Operational Review Process
There are typically six steps in an operational review that range from preparatory work conducting interviews and collecting documents to the presentation of the final written report.
An audit should be customized to meet a organisatons specific needs, so standard steps can and should only serve as a guideline.? Management and internal and external auditors should adjust the process to address the company’s particular goals and objectives.
Initial Management Meeting
Understanding the problem is the first crucial step of an operational review. This is one of major areas of discussions when the audit team meets with the management, and department heads will be asked to identify any specific areas of concern. Once the problem is identified, it would be easier to come up with workable solutions.
Conduct Interviews
The next step in the evaluation is carried out with experienced teams doing interviews and keeping close observation. Each team essentially watches how employees carry out their responsibilities. This is considered a key part of the process.
When doing the interview, it is also vital that the observing team gains the employees? trust and confidence. Likewise, the staff must be assured that whatever transpires between the team and the employee will be kept confidential. Management must therefore guarantee anonymity to anyone who offers critical information, lest employees withhold vital information and render the data gathered inaccurate.
Systems Review
Employees and management practices will be reviewed by the assessing team according to the standard policies and guidelines of the company. The effectiveness of the controls in place as well as their appropriateness to the current operating conditions will also be evaluated.
Reporting
A documentation of the data gathered and the assessment of the evaluating team, will be submitted to the management after the review process. Flow charts and written narratives of departmental activities are usually part of this report. This is also where observations and recommendations of the team will be presented to the department heads concerned.
Review Results
While the operational review is being conducted, it is important to take into account the vital factors that affect the company: the people, processes, procedures, and strategies. These four factors can determine the company?s progress in the future.
Key Areas of focus in operation reviews
At a minimum an operational review should include the following key ares of assessment
Management Control
Responsibilities, authority, and the scope in which an employee has the freedom to act must be clearly defined and documented. A complete and specific job description for instance, would give the employee a clear perspective on how he acts and functions within the company.
Boundaries should be set not only to benefit the employer but more so the employee as well.
Moral and Ethical Guidelines
Moral and ethical guidelines are just as important to ensure for a smoother employer?employee relationship. Otherwise, personal issues such as work ethics, work attitude and personal values may post problems in the long run if such guidelines are not drawn properly before relationships are established.
Processes and procedures
Evaluating processes is only beneficial if the company itself updates its processes and procedural manuals regularly, or at least when needed. Such protocols may need revision and some steps may be obsolete already. Improving a company?s processes and procedures doesn’t always entail cost. In fact, improvised procedures may even be cost-effective and could make the processes more manageable.
Communication and reporting standards
Gaps in communication could result in serious lapses in internal controls, putting the company and/or its assets at risk. This is where the importance of timely and clear communication comes in. Likewise, reports must be useful, and the flow of information and how it is processed must keep pace with the company?s growth.
Information technology (IT) and security controls can also be included under the communication clause. Proper IT security policies must be in place, state-of-the-art protection techniques employed, and everything be documented, periodically updated, and continually monitored.
Strategic planning and tactics
No company can ever be complete without its strategies. It would unwise for any organization to proceed without first knowing where it stands and what direction it wants to take. Strategic planning draws such a map. It must be aligned to the mission and vision of the company, and should also coincide with the organizational goals set. Strategic planning deals with these three key questions:
What do we do now
Whom do we do it for?
How can we overcome competition
Without clear strategic direction, expectations would likely differ between ownership and management.
Contingency planning, testing and recovery
Contingency plans must be up-to-date, and are essential to the organization. If one course of action fails, the company should have plan B, C and so on. In addition, an organization should be prepared to respond to interference’s.
This includes establishing a formal process to review transactions processing during both disruption and recovery.
Presentation of Report
Based on your objectives and our findings, we will develop detailed recommendations to improve your company?s performance and productivity. Our written report will include a list of both short-term and long-term projected improvements and courses of action, to be mutually agreed upon by both parties.
To ensure the achievement of the improvements we outlined, our team will also assist in the implementation of these modifications.
The plan has three levels of recommendations: one for executives, another for management, and a third one for staff.
The executive summary concentrates on your company?s strengths, weaknesses, opportunities and threats to its entirety. It includes recommendations for any needed changes in policy or governance.
The management plan is based on employee feedback and includes areas of immediate improvement as well as identification of potential problem areas. Concerns from the bottom level management can now be forwarded to the top level management in formal writing. Better working relationships may evolve from this, thereby setting the work environment for a higher productivity ratio.
Lastly, the staff report deals with topics like charting the hierarchy of the organization, and discussing in detail specific control objectives that are critical to the company?s mission. Part of our goal is to encourage personnel to pay close attentions to such changes, if any, as these efforts are essential if they want to bring about both organizational and personal success.
If you would like to further discuss how our operational review services can benefit your company, please feel free to contact us at your convenience to schedule an initial consultation. We?ll be more than happy to assist you.
The General Data Protection Regulation or GDPR is a European Union law reinforcing the rights of citizens concerning the confidentiality of their information, and confirming that they own it. We thought it would be interesting to examine the GDPR effective 25 May 2018 from an Irish citizen?s perspective. This article is a summary of information on the Data Protection Commissioner?s website, but as viewed through a businessperson?s lens.
How the Office Defines Data Protection
The Office believes that organisations receiving personal details have a duty to keep them private and safe. This applies inter alia to information that individuals supply to government, financial institutions, insurance companies, medical providers, telecoms services, and lenders. It also applies to information provided when they open accounts.
This information may be on paper, on computers, or in video, voice, or photographic records. The true owners of this information, the individuals have a right:
To make sure that it is factually correct
To the assurance that it is shared responsibly
That all with access only use it for stated purposes
Any organisation requesting personal information must state who they are, what the information is for, why they need to have it, and to whom else they may provide it.
Consumer Rights to Access Their Personal Information
Private persons have a right under the GDPR to a copy of all their information held or processed by a business. The regulation refers to such businesses as ?data controllers? as opposed to owners, which is interesting. They have to provide both paper and digital data, and ‘related information?.
Data controller fees for this are discretionary within limits. The request may be denied under certain circumstances. The data controller may release information about children to parents and guardians, only if it considers a minor too young to understand its significance. Other third parties such as attorneys must prove they have consent.
Consumer Rights to Port Their Data to Different Services
Since the personal information belongs to the individual, they have a right not only to access it, but also to copy or move it from one digital environment to another. The GDPR requires this be ?in a safe way, without hindrance to usability?. An application could be a banking client that wants to upload their transaction history to a third party price comparison website.
However, the right to data portability only applies to data originally provided by the consumer. Moreover, an automated method must be available for porting. Data controllers must release the information in an open format, and may not charge for the porting service.
Consumer Rights to Complain About Personal Data Abuse
Individuals have a right under the General Data Protection Regulation to have their information rectified if they discover errors. This right extends to an assurance that third parties know about the changes – and who these third party entities are. Data controllers must respond within one month. If they decline the request, they must inform the complainant of their right to further remedial action.
If a data controller refuses to release personal information to the owner, or to correct errors, then the Data Protection Office has legal power to enforce the consumer?s rights. The complainant must make full disclosure of the history of their complaint, and the steps they have taken themselves to attempt to set things right.
Further Advice on Getting Things Ready for 25 May 2018
The General Data Protection Regulation has the full force of law from 25 May 2018 onward, and supersedes all applicable Irish laws, regulations, and policies from that date. We recommend incorporating rights of data owners who are also your customers into your immediate plans. We doubt that forgetting to do so will cut much sway with the Data Commissioner. Remember, you have one month to respond to consumer requests, and only one more month to close things out subject to the matter being complex.
Things happen fast in business and we need to stay on top. It does not seem long ago that some enterprises were still hands-on traders or artisans with a few youngsters to help out. People like that did not do admin and their accounting was a matter of making sure there was enough money in the jar.
When Wal-Mart’s Sam Walton took over his first shop in 1945 things had moved on from there, although he did still deal directly with his customers. When he died his legacy was 380,000 jobs, and a business larger than most economies. So there?s plenty we can learn from how he grew his business.
One of Sam?s secrets was his capacity to centralise what needed gathering together, while empowering store managers to think independently when it came to local conditions. His regional warehouses had individual outlets clustered around them within one day?s drive each. This shared service eliminated 90% of safety stock and released capital for expansion.
Wal-Mart took sharing services a step further in February 2006, when it centralised accounts payable, accounts receivable, general accounting and human resources administration at Wal-Mart Stores and Sam?s Clubs in the U.S. and Puerto Rico. The objective was to bring costs down, while allowing local managers more time to focus on their business plans and other initiatives. As a further spin-off, Wal-Mart was able to integrate its data on a single SAP platform and eliminate significant roadblocks.
This is an excellent example of sharing services by creating own centres of excellence.? Of course, this is not the only business possibility. Other corporates have successfully completely outsourced their support activities, and Wal-Mart has no doubt had a variety of similar offers too. But, is the Wal-Mart picture entirely rosy, or is there a catch?
The Association of Chartered Certified Accountants has indicated that top talent may be the loser globally. This is because the Wal-Mart model removes many challenges through standardisation, and offers less scope for internal promotion as a result. Language and cultural differences may also have a long-term detrimental effect on the way the departments work well together.
Local outsourcing ? this is the business model where several firms engage a shared service provider independently- may hence prove to be a more malleable option for smaller companies. It often makes more sense to hunt down made-to-order services. Offerings such as the professional support we offer on this site.
