
Internal Audits & a review of Information Systems

August 28th, 2008

In my last few posts about the internal audit process I reviewed the approaches that were applied to the Finance/Control and Sales/Marketing areas. Equally important, perhaps the most important of all, was the review of the Information Systems. During my time at MGE, I had actually found system uptime and the quality/consistency of data to be some of the best at any company I had worked with. I had not encountered any issues with security breaches of information, nor had I heard any horror stories.

This was the one area of the audit in which we had any differences of opinion regarding the findings of the auditors and the processes that we had in place. It finally came down to a “recognition” of their findings as opposed to agreement. We also found ourselves in a position in which one finding in the North American audit was the direct result of directives from our headquarters in France not to implement specific action plans. Some of the findings of the auditors included:

1. No comprehensive Disaster Recovery plan. This was the interesting one since we had such a plan in each of our capital budgets for the previous two years and were told by our headquarters that there was no room for this in the Budget. Well….I guess there would be now. The auditors were looking for defined system recovery requirements, storage and data locations, emergency procedures, along with a recovery framework.

2. Lack of segregation / out-of-date access rights. This was an area that I had addressed in an earlier post regarding access to Finance information. While we had addressed this issue within the Finance department, there was no follow-through to address it on a greater company-wide basis. This was a valid point but ranked lower on their priority list.

3. Lack of formal IS procedures. Another interesting one, since they were looking for a set of KPIs to be implemented to measure the performance of this group. It came down to the fact that we did not use their KPIs. We had a fairly extensive list of indicators that we used to measure everything from system uptime, storage performance and user service requests to project management.

4. Platform access rights. We had a single individual who had access rights to both the Production and Development environments within a certain software application. It was a little difficult to get around this since we only had one person who had expertise in this platform and we were not going to make additional investments in the platform moving forward. Point noted….
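Findings 2 and 4 are both things an access-rights review can surface mechanically, before the auditors do. The script below is an added example and is not from the post or from the company described in it; it runs over a constructed, clearly labelled sample of an HR roster and an access-control export (the real file formats and group names would vary) and reports enabled accounts with no active HR record, and users holding both Production and Development access to the same application.

```python
"""
Access-rights review for two audit findings discussed above:

  * stale access: an enabled account whose owner is not on the active HR roster
  * segregation-of-duties conflict: one user enabled in both the Production
    and Development environments of the same application

All data below is constructed for illustration; it is not a real export.
"""
from collections import defaultdict

# Constructed sample: user ids of employees currently active in HR.
HR_ACTIVE = {"asmith", "bjones", "ckumar", "dlee"}

# Constructed sample: export from the access-control system.
# Each row: (user, application, environment, enabled)
ACCESS_EXPORT = [
    ("asmith", "ERP",     "prod", True),
    ("asmith", "ERP",     "dev",  True),   # same person in prod and dev -> SoD conflict
    ("bjones", "ERP",     "prod", True),
    ("ckumar", "ERP",     "dev",  True),
    ("dlee",   "Payroll", "prod", True),
    ("eolson", "Payroll", "prod", True),   # no HR record -> stale account
    ("fwhite", "ERP",     "dev",  False),  # disabled, so not reported
]


def find_stale_accounts(access, hr_active):
    """Return sorted user ids that hold an enabled entitlement but have no active HR record."""
    return sorted({user for user, _, _, enabled in access
                   if enabled and user not in hr_active})


def find_sod_conflicts(access):
    """Return sorted (user, application) pairs where the user is enabled in both prod and dev."""
    envs = defaultdict(set)
    for user, app, env, enabled in access:
        if enabled:
            envs[(user, app)].add(env)
    return sorted(key for key, seen in envs.items() if {"prod", "dev"} <= seen)


def review(access, hr_active):
    """Run both checks and return the findings as a dict; the script reports, it does not revoke."""
    return {
        "stale_accounts": find_stale_accounts(access, hr_active),
        "sod_conflicts": find_sod_conflicts(access),
    }


if __name__ == "__main__":
    for finding, items in review(ACCESS_EXPORT, HR_ACTIVE).items():
        print(f"{finding}: {items}")
```

The review only reports; it does not change anything. That matters for a case like finding 4, where the conflict may be knowingly accepted because a single person supports the platform, and the report then becomes the documented input for whatever compensating control management chooses rather than an automatic revocation.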

As I had mentioned in earlier posts about the internal audit process, this continued to be a very valuable process for identifying potential areas of risk. Fortunately, there continued to be very few surprises as we progressed through this project. I would highly suggest that any Senior Finance professional coming into an organization read the last internal audit report, or conduct one if one has never been undertaken. Know where your risk is and how your career could potentially be impacted.

Thanks for reading . . . .
