Today’s CPAs often wear many hats in an organization. This could be because a CPA, by the very nature of attaining the CPA designation, has to demonstrate a solid understanding of all of the factors impacting the success of a business, including finances, risk, operations, controls and technology.
A popular option in today’s business environment is for the CFO, or a similar role in the organization, to have oversight responsibilities for the information technology (IT) function. There are several reasons this structure could make sense for an organization.
- The IT budget for some companies is substantial, and many IT executives have less experience managing such a significant financial responsibility.
- The CFO is well-suited to affirm the control structures needed to ensure IT is functioning in accordance with management’s intentions.
- The (typical) CPA’s strong project management and organizational skills may be needed to ensure key IT projects are completed on time, within budget and to the business’s specifications.
Whatever the reason may be, many CPAs find themselves with a significant degree of influence or responsibility related to their organization’s information technology function. For those CPAs where that is the case, this article will provide you with the key considerations you should know to ensure your IT organization fulfills its objectives.
1. Align IT Objectives with Company Objectives
In the past, IT departments were often left to develop their own plans for the coming year, sometimes due to the fact business leaders didn’t truly “understand” all the technobabble coming out of the IT department, and, in other cases, because the IT department wasn’t seen as strategic to the business. However, in today’s business environment, information technology is one of the most important enablers of an effective business strategy. This is because to achieve almost every business objective, well-functioning and reliable systems and applications are required.
Therefore, to have an effective information technology function, an organization must ensure the IT department’s goals are aligned with the company’s goals. This means, of course, in order to ensure alignment, both the company itself and the IT department should have written, well-defined goals and objectives. The company’s strategic objectives must be defined first, and then the IT department should base its own goals and operating plan on the company’s goals.
Here’s an example: An organization defines a goal that as a part of its growth plan, the company would like to add three new locations during the next 12 months. A logical IT goal to align with that business goal might be “Support Business Growth Initiatives.” As a part of that goal, the IT department would define several objectives, projects or tasks it would undertake in order to accomplish the goal. Once the IT goals are defined, they should be clearly communicated to key business leaders and published, so the leadership team can see the IT department is “in tune” with what the business hopes to achieve in the future.
2. Establish IT Governance
A regular point of frustration for both business executives and IT management teams is the constant inflow of new project requests with seemingly impossibly short deadlines. The pressure to deliver on all the projects while still keeping existing solutions functioning smoothly, all with limited people resources, has led to the demise of many an IT executive. This disconnect, if present, many times comes from the lack of an IT governance process in an organization.
IT governance is the practice of capturing, publishing and regularly reviewing all of the IT department’s project requests with key business leaders. In an IT governance meeting, the IT leadership team should provide a list of all of the key business projects currently underway (and therefore consuming IT resource time and attention), as well as those that are next to be addressed.
Using this forum, the collective group can review the list and confirm priorities or, if necessary, redirect the company’s IT resources to a new project that has been determined to merit a higher priority. In this way, business leaders will be better informed about the status of all of their projects, the likely timeframe for completion and the reasoning behind any re-prioritization, greatly reducing their frustration with IT’s apparent inability to deliver a particular solution. IT leadership will then have clear direction from the business regarding how IT resources should be utilized going forward, reducing their stress level and affirming their priorities.
3. Manage Electronic Risk
A hot topic with most companies today is information security. As data loss, identity theft, malware and hacking attempts have continued to proliferate, organizations of all sizes have found themselves victimized, and the headlines continue to bring unwanted visibility to affected companies.
This fact, when coupled with increasing regulatory requirements for companies in the healthcare and financial services industries, credit card security requirements and breach notification laws in most jurisdictions (including the State of Tennessee), has brought long-overdue focus on the protection of sensitive data.
Information security is about identifying, measuring and managing the business risk related to confidentiality, integrity and availability of information assets to a level an organization can accept. A security professional’s goal should be to advise and educate the company’s management team regarding risks in the environment, and then arm them with the information they need to make well-informed decisions about the risks.
Your organization’s security program should be based on a security “framework,” a set of published security guidelines that can be used as a baseline upon which risk decisions are made.
- There are many frameworks available to use. The best approach is to adopt a framework commonly used in your company’s industry that aligns with any legal or regulatory compliance obligations you have.
- Conduct a risk assessment to identify the security weaknesses in your organization that need to be addressed.
- Once the weaknesses have been identified and prioritized, commission an action plan to address the highest-priority items.
There are a few topics that regularly show up as high-risk issues in risk assessments for today’s organizations.
One high-risk issue that often times surfaces is endpoint security. An “endpoint” is a computer system on your network used by an individual to interact with computer servers or applications. Endpoints can include:
- specialized components such as point of sale terminals.
Endpoints are particularly vulnerable because humans are vulnerable:
- they will blindly click on a link in an email
- connect a laptop to an unfamiliar network
- accidentally leave a smartphone in the seatback pocket of an airplane
All of these innocent mistakes can lead to a loss or compromise of sensitive data for an organization, and, therefore, might require a public acknowledgment of breach by the company. As a part of your security program, ensure your endpoint devices are well protected.
Anti-virus is a must for most desktop and laptop systems. Security patches are released monthly, or more frequently, and should be applied quickly and in accordance with your organization’s established framework and procedures.
Be sure your patching process includes considerations for non-operating system software such as:
- Adobe Reader
- Flash Player
- all Internet browsers installed on the system
These software applications are very frequent targets of attack and are particularly vulnerable to compromise. Also, ensure all devices, including smartphones, require a passcode in order to access the data on the device.
Finally, many of the security laws in effect today provide a company safe harbor against having to acknowledge a breach when the company has encrypted the data on the system, so organizations should strongly consider implementing encryption on endpoints to protect sensitive data.
Another high-risk security issue that should be evaluated is the security of third parties responsible for storing, processing or transmitting data on your behalf. These organizations could be vendor partners with whom a formal business relationship exists, or they could be unwitting parties brought into scope by an employee who has shared sensitive information with the third party.
Examples of “unexpected” third parties are companies that offer file-sharing services such as:
- Apple’s iCloud
These services offer convenience by integrating with endpoint devices to seamlessly copy data from the computer’s hard drive to a server somewhere on the Internet. In this way, the data is now easily accessible by other devices (such as a smartphone or tablet).
These free services do not provide any guarantee of security over the data stored on the service, and your organization cannot be sure sensitive data pushed to one of these “cloud-based” services won’t be seen by unauthorized individuals. Therefore, your company should have a clearly defined policy regarding how file-sharing services should be used (if at all), and employees should be trained accordingly.
Also, you should establish a vendor management process to ensure all third parties who store, process or transmit data on behalf of your organization have a contractual obligation to apply an appropriate degree of security to your data and that they periodically provide evidence (such as a Service Organization Control report) confirming their controls are in place and functioning.
4. Measure IT Performance
If your company makes a significant investment in information technology, it only makes sense that you would periodically evaluate the investment to ensure it is providing value. Sometimes this can be easier said than done.
There are some measurements that can be easily captured to validate the effectiveness of your IT function.
Most companies would agree that the most important measurement for an IT environment is uptime. Uptime is the amount of time the systems are online and available to support business transactions. Be aware that for an IT system to work effectively over a long period of time, it SHOULD have some regular planned downtime for maintenance, patching and upgrades.
These tune-up processes help to keep the systems running as efficiently as possible. The distinction is that a well-functioning IT environment shouldn’t have much, if any, “unplanned” downtime. Have your IT team measure and publish the monthly uptime of important systems for your organization. By doing this, all parties can evaluate the performance of IT systems and decide if improvements or changes are necessary to achieve the desired uptime.
Another important measurement is the IT department’s progress on key projects. The IT department should regularly report on the progress of projects that have been prioritized and assigned in the IT governance process described earlier. If milestone dates are not consistently achieved, you should begin to challenge your IT department’s project management function to understand the reasons for slippage.
Now that you have reliable data, you can make corrections to address deficiencies, if necessary.
These metrics will help you guide the help desk to make improvements to its offerings to ensure it provides the most value to the organization.
If your IT department offers a “helpline,” you should be measuring:
- the number of calls to the helpline per month,
- the number of calls that are resolved without having to be escalated to someone else,
- the average wait time before a call is answered and
- the number of calls that are abandoned before someone answers.
Another important measurement is to regularly evaluate your security posture.
To do this, you should frequently assess your IT environment to identify security weaknesses by conducting vulnerability assessments and penetration tests, and then track the IT department’s progress in applying patches and remediating weaknesses in a timely manner.
As a part of this analysis, be sure to consider vulnerability management. Vulnerability management is any applicable regulations that may apply to your business so you can ensure your organization attains and maintains compliance with those regulations. This process will go a long way towards managing your security risks and helping you ensure that your IT network and systems are appropriately secured.
Information technology is one of the most important enablers of business today. A well-run IT department provides needed capabilities that are highly available, appropriately secured and consistently reliable. In this way, an IT department can truly contribute to the growth and success of a business.
If you align IT objectives, establish IT governance, manage IT risk and measure IT performance, you will get the most out of your organization’s investment in information technology.
LBMC’s approach to risk assessment, testing, and security program design are based on our team’s many years of experience leading security functions, addressing risks and consulting on IT security for companies of all sizes. We know how to implement practical and effective security programs, because we have done it so many times before. If you would like to learn more, visit our IT Security Consulting Services page.
Originally posted in the Tennessee CPA Journal.