Dan Swanson, President of Dan Swanson and Associates, has over 30 years of experience in internal audit, IT General Control (ITGC) and IT security auditing. As the managing editor of EDPACS since 2006, Dan is a known thought leader and featured columnist for new perspectives on IT risk management. Dan has published over 200 articles, and his most notable book, Internal Auditing: Raising the Bar, can be purchased on Amazon.
Transitioning to COSO’s updated framework will now focus more attention on IT general controls. Dan believes internal auditors need to keep track of what other people are saying their priorities are and put them into broad categories. Within the organization, you have to work through what's relevant for your company’s audit plan. Here are the top 5 categories most internal audit departments should focus their attention on.
1. Large IT Technology Projects: Ongoing investment in IT and bringing systems and technology current is a major priority and focus for most organizations. Internal auditors need a seat at the table when budgets are created, and they need to know what results are actually being measured to validate whether the project was a true success or failure.
2. IT Security: The ongoing challenge is to protect our information and keep our systems reliable and highly available, yet ensure they don’t get hacked. It's a never-ending task and a never-ending challenge, and by auditing those program areas, internal audit can contribute to organizational success. Internal auditors need to be informed of the updated security policies IT departments are implementing and of new trends that could impact the overall operational success of the organization.
3. IT Governance: This is a broad topic and subject to definitional issues, but fundamentally it deals with both the IT plans and the management of IT efforts, which link to the enterprise’s strategic directions. IT governance is an essential part of internal audit’s function, and looking for ways to improve the auditing of its performance is critical, especially given the new era of “Mega Data”.
4. Emerging Technologies: Depending on the industry that you're involved with, emerging technologies may be your business or may be supporting the overall cost of some of your operations, for example. These technologies need an IT audit specialist to look at those areas and contribute to our controls and to the changes in controls that result from implementing them. BYOD (Bring Your Own Device) comes to mind.
5. IT General Controls and Evaluation: IT General Controls on an ongoing basis are typically a hard part of the C-SOX or SOX program, especially with the updated 2013 COSO framework. There is an increased emphasis on technology controls, and even though we're several years into dealing with SOX programs, this is an opportune time to revisit the program, look at its priorities, and understand how IT general control evaluations can contribute to identifying opportunities for management.
Organizations have to invest in their technology on a regular basis. For some it’s a simple upgrade; for others it’s the creation of an entire IT infrastructure. Regardless of where your organization is on this spectrum, you’ll require some upgrade to key business applications in order to stay competitive. From an audit perspective, particularly within IT audit but even at the corporate audit level, an investment in auditing some of the major initiatives of the company is vital to assessing the risk, the changes to the control environment, and the likelihood of success upon implementation.
Here are some key steps for resolving the complex issue of how much involvement internal audit should have in IT projects.
Step 1: Get involved early by finding out what the project is about, what the project governance is, how it's organized, and the intent of the plan.
Step 2: Conduct a preliminary assessment of the risk to the organization.
Step 3: Review and adopt key auditing standards that fit your organization (e.g. review the Institute of Internal Auditors' GTAG (Global Technology Audit Guide) #12, “Auditing IT Projects”). Included in this guidance is an Excel-based appendix covering over 30 questions internal auditors need to ask and validate to audit IT projects.
Step 4: Focus on project governance and program management.
Set your priorities for 2014 by assessing the needs of the whole organization in the following areas: Large IT Projects, IT Security, Governance, General Control and Evaluation and Emerging Technologies. Enlist the help of experts and read Dan’s new book to learn more.
EDPACS is actually the very first IT audit publication and has been operating for about 42 years. Dan has been fortunate enough to be the managing editor for the past seven to eight years. It has a dynamic editorial board that participates in the review of, and comments on, every article that gets published. It publishes about 25 articles a year on a variety of leading IT topics, focused primarily on IT audit and delving into IT security, IT governance and risk management. The name EDPACS stands for EDP Audit, Control, and Security, and it reflects a time 42 years ago when it was all about electronic data processing. As managing editor, Dan tries to make the articles published each year current and relevant to today's challenges. One of the strengths of EDPACS is that it can run articles upwards of 4,000 or 5,000 words, which really lets you get into the issues related to a topic.
More about Dan Swanson: He has an extensive background in the financial services, healthcare and transportation sectors as well as significant experience in auditing all levels of governmental agencies. He has completed audit and security-related projects for more than 30 organizations including the Canadian Air Force, Investors Group, World Bank, City of Winnipeg and many more. Dan has served as managing editor for the EDPACS publication since 2006, which is now in its 42nd year, and has been a columnist for new perspectives on healthcare risk management for nearly six years. Dan is a freelance writer and has published over 200 articles, and his most notable book sold on Amazon is Swanson on Internal Auditing: Raising the Bar.