Posts Tagged ‘information systems’

Internal Audits & a review of Information Systems

August 28th, 2008

In my last few posts about the internal audit process I reviewed the approaches that were applied to the Finance/Control and Sales/Marketing areas. Equally important, perhaps the most important of all, was the review of the Information Systems. During my time at MGE, I had found system uptime and the quality and consistency of data to be among the best at any company I had worked with. I had not encountered any security breaches of information, nor had I heard any horror stories.

This was the one area of the audit in which we had any differences of opinion between the findings of the auditors and the processes that we had in place. It finally came down to a “recognition” of their findings rather than agreement. We also found ourselves in a position in which one finding in the North American audit was the direct result of directives from our headquarters in France not to implement specific action plans. Some of the auditors’ findings included:

1. No comprehensive Disaster Recovery plan. This was the interesting one, since we had included such a plan in each of our capital budgets for the previous two years and were told by our headquarters that there was no room for it in the budget. Well….I guess there would be now. The auditors were looking for defined system recovery requirements, storage and data locations, emergency procedures, and an overall recovery framework.

2. Lack of segregation / out-of-date access rights. This was an area I had addressed in an earlier post regarding access to Finance information. While we had addressed the issue within the Finance department, there was no follow-through to address it on a company-wide basis. This was a valid point, but it ranked lower on their priority list.

3. Lack of formal IS procedures. Another interesting one, since they were looking for a set of KPIs to be implemented to measure the performance of this group. It came down to the fact that we did not use their KPIs. We had a fairly extensive list of indicators that we used to measure everything from system uptime and storage performance to user service requests and project management.

4. Platform access rights. We had a single individual with access rights to both the Production and Development environments of a particular software application. This was difficult to get around, since we had only one person with expertise in that platform and were not going to make additional investments in it going forward. Point noted….

As I mentioned in earlier posts about the internal audit process, this continued to be a very valuable exercise for identifying potential areas of risk. Fortunately, there continued to be very few surprises as we progressed through the project. I would strongly suggest that any senior Finance professional coming into an organization read the last internal audit report, or commission one if none has ever been undertaken. Know where your risk is and how your career could be affected.

Thanks for reading . . . .

How accessible is your Finance data?

August 13th, 2008

It seems an odd question at first, considering that we typically work under structures of system permissions, protocols, and schedules for how often user profiles should be audited. The key phrase here is “should be”. It is very easy to become complacent and rely on the written procedures that are in place and the assumption that they are being followed. I had been doing some fairly extensive work on some forecasting files which, inexplicably, I could not find during my next session. These were in folders that I worked in constantly and to which only a few individuals had access. I was now unable to locate them and needed to know what had happened and who had been in the files last. For all I knew, I might have mistakenly saved them to a new location….

I ended up finding the files with minimal effort, but what I found in the process was more disturbing. I requested from our IT group a list of the individuals who had general access to the Finance drive, and then the permissions granted to each of them. Keep in mind that we had only about 30 people in our Finance department. What I got back was a list of about 70 people with access to our drive! Are you kidding! It did not take long to see that a number of these individuals were no longer with the company. There was also a population of people who had transferred to other functional areas of the company. Most of those who had transferred had not accessed the data recently. Regardless, this had to be corrected immediately.

That same morning, our IT group received a corrected list of the individuals who should have access to the Finance drive, and the changes were implemented immediately. There were some updates to permissions, but these were relatively minor. Lesson learned: although we had specific protocols in place, they were not always being followed as directed. We also learned that we had to increase the level of communication between HR and IT, and in a much more formal manner, so that terminations and transfers actually trigger access changes. I have always incorporated a certain level of paranoia into my daily routine with regard to identifying risk. This was one more confirmation of that approach. So I ask the question – “How accessible is your Finance data?”
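A concrete form of the review described above, and of the company-wide access-rights finding and the Production/Development finding in the previous post, as an added example that is not the author's or MGE's own script: it reconciles an ACL export of a departmental share against the HR roster, sorts every entry into leavers, transfers, accounts with no HR record, and stale-but-legitimate users, and then checks per-application environment rights for anyone holding both Production and Development. All user names, departments, dates, and the shape of the roster and ACL records are constructed for the example; in practice the two inline lists would be replaced by the file server's ACL export and an HR feed.

```python
"""Access review for a departmental file share (constructed example data).

Reconcile who holds rights on a share against the HR roster, then flag
segregation-of-duties conflicts in per-application environment rights.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user: str
    dept: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class AclEntry:
    user: str
    permission: str  # e.g. "Modify", "Read"
    last_access: Optional[date] = None  # None: never seen touching the share


# Constructed HR roster (hypothetical people and departments).
ROSTER = [
    Employee("acarter", "Finance", "active"),
    Employee("bdiaz", "Finance", "active"),
    Employee("cevans", "Sales", "active"),        # transferred out of Finance
    Employee("dfoster", "Finance", "terminated"),  # has left the company
    Employee("egupta", "Finance", "active"),
]

# Constructed ACL export of the Finance share.
FINANCE_ACL = [
    AclEntry("acarter", "Modify", date(2008, 8, 12)),
    AclEntry("bdiaz", "Modify", date(2008, 8, 11)),
    AclEntry("cevans", "Modify", date(2008, 2, 3)),
    AclEntry("dfoster", "Read", date(2008, 3, 30)),
    AclEntry("egupta", "Modify", date(2008, 1, 5)),
    AclEntry("zzz_contractor", "Read", None),      # no HR record at all
]


def review_share_access(acl, roster, owning_dept, stale_days=90,
                        today=date(2008, 8, 13)):
    """Sort each ACL entry into a finding category.

    terminated  -> account belongs to someone who has left
    transferred -> still employed but no longer in the owning department
    unknown     -> no HR record (service account, contractor, typo)
    stale       -> in the department but has not touched the share recently
    ok          -> active, in the department, recently used
    `today` is pinned for reproducibility; pass date.today() in real use.
    """
    by_user = {e.user: e for e in roster}
    findings = defaultdict(list)
    for entry in acl:
        emp = by_user.get(entry.user)
        if emp is None:
            findings["unknown"].append(entry.user)
        elif emp.status == "terminated":
            findings["terminated"].append(entry.user)
        elif emp.dept != owning_dept:
            findings["transferred"].append(entry.user)
        elif entry.last_access is None or (today - entry.last_access).days > stale_days:
            findings["stale"].append(entry.user)
        else:
            findings["ok"].append(entry.user)
    return dict(findings)


def removal_list(findings):
    """Accounts to strip from the share now. 'stale' is left for the data
    owner to confirm rather than cut automatically: an infrequent but
    legitimate user (year-end work, for example) should not be locked out."""
    return sorted(set(findings.get("terminated", [])
                      + findings.get("transferred", [])
                      + findings.get("unknown", [])))


# Constructed per-application environment rights for the segregation check.
ENV_RIGHTS = [
    ("egupta", "GL-Reporting", "Production"),
    ("egupta", "GL-Reporting", "Development"),
    ("bdiaz", "GL-Reporting", "Production"),
    ("bdiaz", "Payroll", "Development"),  # different applications: not a conflict
]


def segregation_conflicts(env_rights):
    """Users holding both Production and Development on the same application."""
    envs = defaultdict(set)
    for user, app, env in env_rights:
        envs[(user, app)].add(env)
    return sorted(key for key, e in envs.items() if {"Production", "Development"} <= e)


if __name__ == "__main__":
    found = review_share_access(FINANCE_ACL, ROSTER, "Finance")
    for category, users in sorted(found.items()):
        print(f"{category:>11}: {', '.join(users)}")
    print("remove now :", ", ".join(removal_list(found)))
    print("SoD conflicts:", segregation_conflicts(ENV_RIGHTS))
```

The split between "remove now" and "stale, ask the owner" is deliberate: leavers, transfers and unknown accounts are unambiguous and should be cut the same day, while an inactive account that still belongs to the department is a question for the data owner, not for the script. Running this on a schedule, rather than only when a file goes missing, is what turns the written "profiles should be audited" procedure into something that is actually followed.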

Thanks for reading . . . .