This week there was an interesting article about IT audits in CMSWire, Assessing and Addressing Technology Risk. Its crux was to define the purpose of IT audits. Are they aimed at determining risk to technology components such as systems availability, information access, and security? Or should an audit ascertain risk to the objectives of the business? The article's author, Norman Marks, is firmly, and perhaps controversially, in the camp that risk should be measured as a threat to business objectives. He questions emphasizing IT transformation over business transformation from an auditing perspective. Marks explains that auditors should:
“Understand the strategic plans and initiatives of the enterprise and then consider how technology is and will be used. Only now can technology-related risks to the business be identified and assessed — in terms of achieving those strategic plans and related objectives.”
I think Marks makes an interesting case and I believe he's right. Laserfiche is an excellent tool for auditors and IT to utilize because of its governance capabilities. In this case, I'm not suggesting using LF for the actual audit (although it does have a very useful audit trail feature), but for enabling governance of business activities and mitigating risk for the entire organization. Here are some activities an organization can conduct using Laserfiche to achieve these ends:
Records Management Program- The records manager in the organization should team with IT to integrate GRC through the business lifecycle of records, from planning to monitoring after implementation. Documentation, SOPs, policies, and procedures, along with retention schedules, should be developed and followed. The Laserfiche records management features are frequently used in highly regulated industries to support compliance with both external (governmental, industrial) and internal mandates.
Automation- Historically, automation is not an initiative that springs to mind when mitigating risk, but it should be. The IT audit can surface opportunities to embed automation-enabled control activities within IT processes and functions that are inefficient or predisposed to failure due to human error. One example is automating the monitoring of users' access upon termination, so that accounts which remain enabled, or are still used, after an employee leaves are flagged without relying on someone remembering to check.
Batch Processing- Auditing teams should assess the input, metadata assignment, and logic behind the mass capture of business documents. Internal IT should assist with the development of capture programs that make the captured data easy to audit. Another area that automated batch processing can augment is an enterprise privacy program. Automating functions like redaction of PII can address immediate regulatory changes, and also shifting regulatory climates and consumer expectations concerning greater individual control of data. In rapidly changing regulatory environments, evaluating the scope and effectiveness of the privacy program, including the established governance and records processes, SOPs, roles and responsibilities, training, and risk management, can help show how equipped the company is to respond to new regulations.
Disaster Recovery- Consider the current state of the disaster recovery architecture for the IT network, systems, and applications to identify any gaps in the ability of IT disaster recovery to meet stated business requirements. CPS, in tandem with our partner restorVault, has developed a Trusted System that can have your repository up and running in a matter of moments in case you are hacked. Access to business documents will be restored almost immediately, ensuring your organization stays up and running.
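As an added illustration of the automation item above (example code written for this post, not from the original article or from Laserfiche), here is a small reconciliation control: it compares a constructed HR roster against constructed authentication log lines and flags accounts that are still enabled, or still being used, after the employee's termination date. The roster fields, log format and user names are all assumptions.

```python
from datetime import datetime

# Constructed sample data (assumptions, not from the post): an HR roster and an auth log.
HR_ROSTER = {
    "alice": {"terminated": None, "enabled": True},          # current employee
    "bob":   {"terminated": "2024-03-01", "enabled": True},  # left, account never disabled
    "carol": {"terminated": "2024-02-15", "enabled": False}, # left, account disabled
}

AUTH_LOG = """\
2024-02-28T09:12:00 login user=alice result=success
2024-03-04T08:03:11 login user=bob result=success
2024-02-20T17:45:02 login user=carol result=failure
"""


def parse_log(text):
    """Turn 'timestamp action key=value ...' lines into event dicts (assumed log shape)."""
    events = []
    for line in text.splitlines():
        ts, action, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "action": action, **fields})
    return events


def terminated_access_findings(roster, events):
    """Return (user, finding) pairs for terminated users whose access was not fully removed.

    Both a still-enabled account and any login attempt after the termination date are
    reported; a failed attempt still matters, because it shows credentials are being used.
    """
    findings = []
    for user, rec in roster.items():
        if rec["terminated"] is None:
            continue
        term = datetime.fromisoformat(rec["terminated"])
        if rec["enabled"]:
            findings.append((user, "account still enabled after termination"))
        for ev in events:
            if ev.get("user") == user and ev["action"] == "login" and ev["ts"] > term:
                findings.append((user, f"login attempt after termination at {ev['ts'].isoformat()}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in terminated_access_findings(HR_ROSTER, parse_log(AUTH_LOG)):
        print(f"{user}: {finding}")
```

In practice the roster would come from the HR system and the events from the identity provider or Laserfiche audit trail export; the control is the same comparison, scheduled to run automatically.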