"Major Retailer Breached!"
"Hospital System Looses 3 Million Patient Records!"
These attention-grabbing headlines are no longer an anomaly. Hardly a week passes when news of a cyber attack or breach doesn't hit the mainstream media. While security was once thought to be the domain of a company's IT staff, organizations are now realizing that security is everyone's business, and IT auditors, in particular, are impacted in ways like never before. Hacker threats, evolving technologies, and staff shortages require IT auditors to address the enterprise's increasing IT risks and acquire new skills and procedures.
Enterprise governance issues have bubbled to the top of organizations' priority lists due to the enactment of numerous security regulations that have, in turn, resulted from high profile breaches and frauds. Information technology is not separate from the enterprise – it is a core element that allows the enterprise to run smoothly, efficiently, and profitably. The execution of IT governance will directly impact whether the enterprise will achieve its mission and objectives – and the IT auditor should play an important role in making sure that happens. As a result, enterprise governance and IT governance can no longer be considered independent disciplines; effective IT governance ensures that vital resources are aligned with the enterprise business objectives. In other words: IT auditors now have a greater opportunity to obtain a proverbial "seat at the table."
Assessing IT governance is a challenge – it's not your normal audit and should not be approached as such. Auditors are skilled at assessing controls, but an assessment of IT governance is not about assessing controls; it's about evaluating the effectiveness of management procedures. This can become a political nightmare for auditors.
Assessing your IT governance does not have to be the bane of an IT auditor's existence. Frameworks and proven methodologies are becoming more widely used to provide guidance on planning this critical audit area.
At the IT Audit Management Summit we will review key elements of a sound IT governance framework and how it directly interfaces with corporate governance and enterprise risk management. Attendees will hear and participate in discussions on how IT auditors should approach an audit of IT governance, including planning, critical areas for review, and dealing with high-level corporate politics. An important focus will be on how to avoid becoming embroiled in a political standoff and instead improve your IT governance process.
About the author: Fred C. Roth is Vice President of MIS Training Institute's IT Audit Division, where he facilitates and coordinates its IT Audit and Sarbanes-Oxley IT Audit curriculum. Mr. Roth also provides extensive direction and training to organizations worldwide in planning and assessing IT risk areas. During the IT Audit Management Summit at InfoSec World 2016, Fred, along with colleagues Jerod Brennen, Lisa Hollingshed, and Jeff Lemmerman, will discuss IT Governance and other critical & timely topics to help provide assurance that organizations are effectively controlled and managed.