IT Governance, Risk & Compliance
The client was struggling with a number of compliance related issues that were ultimately related to IT Governance and they looked to Savant Advisory Inc. to help.
"Yet again..." showed up on the external audit reports regarding the IT Audit that had just taken place. This pastern had repeated itself for a number of years. The newly minted CIO decided it was time to put this to bed. He brought in two consultants (one left about half way through the engagement), and instructed us to help get a handle on this. It was clear he was tired of having to answer to the Board of Directors on the number of audit issues.
We went to work designing a mechanism to help implement a full IT Governance structure that would deal with, not only the audit findings, but to help ensure that IT was positioned well to handle other audits that were on the horizon (both internal and external). The mechanism was quite manual, but for good reason. In my experience, the development of an IT Governance model is more of a cultural shift for an organization than most people realize. The manual nature gives them a feel for what needs to be done and help them shift through the process changes. I have noted a number of enterprises that have attempted to go straight to an automated Governance/Compliance process and in 100% of the cases - they failed.
I began working with the process owners who were: identifying the controls that they had in place from the list of items I pre-provided using the widely accepted IT Control Objectives for IT [CobIT]. They either: (A) Had something in place that we could find evidence of; (B) Had something in place but did not have any evidence; or (C) Were not performing the function at all. We tracked all of the items and reported on them to the CIO on a weekly basis. Where control owners were slipping, the CIO got involved and things got back on track.
I still remember the meeting with the external auditors in the office of the CIO. We have covered much ground in a very short period of time and we had whittled the rather large number of items reported down to a simple few. The meeting ended and as we were all leaving, the CIO stepped in front of me so that I couldn't leave and closed the door after the auditors left. He turned around with a big grin and stuck out his hand. "Thank-you!", he indicated. And he nearly shook my hand off.
These projects are challenging but extremely rewarding. Organizations that utilize good IT Governance are always in a better position to withstand not only the onslaught of compliance issues that affront them, but also perform better in the face of market and security adversity.