Simplifying an organization’s policies and procedures is no easy task. It will likely require subject matter experts from multiple units, including compliance, accounting, audit and human resources. Alternatively, you may sponsor simplifying policies specific to the technology area. Consider Sam Carpenter’s book Work the System: The Simple Mechanics of Making More and Working Less for additional insight on how to develop and regularly adjust business procedures and policies.
You have set yourself up for death by a thousand exceptions
Most corporate policies have a process to allow exceptions. These deviations from corporate policy pose a challenge for auditors. Take software patching as an example.
“A recent client faced auditor questions about their software patching methodology. There was a documentation process, but some of the details were not specified. This became an issue because immediately applying a security patch would break an application. The auditor wanted more in-depth process about how exceptions would be handled,” Ray says.
Delaying a security patch increases security risk for as long as the patch is deferred, so it pays to document the rationale for each delay, along with any compensating controls, so the exception can be reviewed by auditors and revisited once the blocking issue is resolved.
Improving your audit results as a technology leader relies on a few principles. First, recognize the value that auditors bring to the entire organization. Next, develop an internal process to manage audit activities including closing gaps and answering questions. Finally, seek to develop an ongoing business relationship with the audit group. As Hilton’s Leidinger puts it, “I view audit as another stakeholder with perspectives we need to address in our work.”