Tuesday, March 31, 2009

Surviving Stress of Organizational Change

Only you can reduce your stress

As companies have to change, make your own adjustments to stay relevant

Whatever is going on, it is the reality, so decide to move on

Look how pressures and priorities have changed, so play by the new rules

Align with an organization that changes, even if painfully; low-stress entities give short-term comfort but may not survive

Some things are well beyond personal control, so no use trying to affect something you cannot

When deciding on personal change, keep up the needed pace, so as not to lag behind

Reengineer what is under your scope, to meet current or new goals, eliminating the rest

Increase pace to maximize your personal productivity

Forget spending time worrying; be productive today and create your own future today

Make sure that you take on only as much as you can handle

Develop desire, passion, and love for your job, and stay romantically involved. Much of your life is spent there.

Find new assignments where you can grow, don’t just stay in your limited comfort zone

Life would be unbearably boring if you knew how everything ends. Enjoy uncertainty and instability, as they give the spice to life.

Organizations have to answer to many stakeholders, so they may not be able to look out for you as much as we all hope.

Example of Partial Compliance

As with the speed limit, you are either under the limit or over it.

How To Talk To Auditors

Like any other interaction at work, a professional and trusting relationship is needed for a successful collaboration.

When you interact with the auditors in a professional manner, you signal to the audit team that its function is respected and supported.

Expect professional interaction from the audit team and push back whenever there is an exception to this practice.

To contribute to a successful and accurate audit report, be receptive to auditor observations and the audit team’s recommendations.

Be firm when discussing anything they see as incorrect, in order to ensure there are no misunderstandings.

Keep in mind that you, and not the auditors, are responsible for defining and implementing solutions to issues found in the audit. Everyone will benefit from a cooperative, collaborative audit process that respects the independence and discretion of all participants.

Of course, auditors should listen to process management. And for its part, process management should encourage staff to be open and honest with auditors.

Monday, March 30, 2009

Corporate Compliance Goals Include:

Meet all federal, state, and local governmental laws, regulations, and guidelines pertaining to proper documentation for all processes and services provided.

Monitor the strengths and weaknesses of the documentation processes followed for all operations, and develop means to prevent and detect any improper acts or practices.

Develop a culture promoting prevention, detection, and resolution of exceptions that do not conform to federal and state law and public and private requirements.

Show and communicate the commitment to the compliance process.

Provide a central place for information and guidance on relevant federal and state statutes, regulations, and other requirements.

Let everyone know that they should report non-compliance issues, and the consequences of not complying.

Develop mechanisms for handling any regulatory investigation or audit.

Keep a record of all due diligence taken to comply with regulations and rules, as well as internal policies.

How Vague or Transparent Should Auditors Be?

Consider an auditor as a corporate leader. Then, how does being realistic or pessimistic affect the audit communication process and auditor effectiveness?

Being vague or diplomatic enhances relationships long after audit findings are remediated. As a leader, an auditor facing hard facts about a lack of compliance may need to communicate the causes of a low level of performance. This can reframe any problem into a more pessimistic and less remediation-oriented focus.

An auditor who is a leader has to balance the need for productive relations within an organization against frank assessments of conditions. The concern is, of course, that by the way exceptions are framed, an auditor may be creating a self-fulfilling prophecy, a positive or a negative one.

What are your thoughts or experiences regarding this?

Sunday, March 29, 2009

Auditors' Favorite Laws & More

- You will always find something in the last place you look.
- If you are looking for more than one thing, you'll find the most important one last.
- You will always get all the credit for the dumb audit finding or recommendation.
- When things are going right, you won't notice errors, so listen carefully to those being audited.
- You only don't understand what you are auditing if you admit it.
- The glass is always full, half with water and half with air.
- You can't reason with Operations people who used to be auditors.
- Every audit finding is replaceable with a bigger finding.
- Whenever you make a finding, you will always find much more that needs to be fixed.
- The probability that you find something wrong is directly proportional to the square of the amount of inconvenience it can cause you during the exit conference.
- No degree of acceptance of audit findings can equal actual remediation of issues.
- If things really look good, watch out, there is polyester over your eyes.

IF YOU ARE NOT ALWAYS CONFUSED, YOU ARE NOT IN TOUCH WITH REALITY
So stay confused, it's more fun that way.

Risk Assessment? What's Your Framework?

Consider, if you will,

- Company culture
- Corporate objectives and strategies
- Level of complexity of organizational processes, as they will be analyzed
- Competitive fit for the entity and availability of resources
- Entity units chart, to ascertain level of organizational complexities
- Key processes, transaction types, way of measuring business activities
- Hungry? What's your risk appetite and risk tolerance?
- So, do you have skills and staff and time to get it all done? Congratulations.

Let me know how it turns out.

(the answer is ERM COSO and CobiT, but you knew that)

Become Audit Proof

- Know your business strategy and goals, make sure your controls support them
- ID key business processes, as these are the skills your organization sells
- Protect your key business processes through BCP/DR
- Verify and document process changes
- Risk map your processes and verify that your key controls actually are the key controls
- Consider automating processes to eliminate risks, without causing new weaknesses
- Identify sensitive data, checking for Personally Identifiable Information (PII)
- What will you do when customer data is lost or stolen? Have a detailed plan.
- Document your areas of process ownership to avoid misunderstandings of responsibilities
- Above all, attempt to work together with auditors, enjoying the helpful consultative review.
- Remember that auditors really are to help and advise.
- Auditors want to add value just like everyone else.

Saturday, March 28, 2009

Why Do Auditors Make Mistakes?

Practice saying "Could you tell me again..."

- Premature stopping of fact gathering and diagnosis
- Relying too much on first impressions
- Relying too much on pattern recognition, especially if it looks like something from the past
- Human tendency to favor negative conclusions or rely on stereotypes to make decisions
- Defining conditions inaccurately because of biases or preconceptions
- Being influenced by others' opinions or analysis
- Judging based on easily recalled data
- Going with the gut instead of systematic problem analysis

Data Management Notes

Keep your Data Map updated.

If you have both paper and electronic copies, you need to keep the source, which is the electronic one. But if you write anything on the paper, the paper report becomes a unique document, so you must keep it too.

An MS Access database may have to be provided, BUT ALSO its reports may have to be run and provided, because those reports may use computations and data combinations that make them unique.

MS Excel spreadsheets also carry formula information, unlike a paper report printed from them.

Encryption has to be selective. One company used a single encryption key and had to share that key, which allowed reading all of their data, not just what was asked for.
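As an added illustration of selective encryption (not from the original post), a per-document key hierarchy in Go: the master key stays with the company, and a request for one document is answered by releasing that document's key alone. The HMAC-based derivation, the document IDs and the record contents are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveDocKey: constructed scheme, one AES-256 key per document via HMAC-SHA256(master, docID).
func deriveDocKey(master []byte, docID string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("doc-key:" + docID))
	return m.Sum(nil)
}

// sealDoc encrypts one document with AES-GCM under its own key; output is nonce || ciphertext, docID bound as AAD.
func sealDoc(master []byte, docID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(deriveDocKey(master, docID))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(docID)), nil
}

// openDoc needs only the released per-document key; it fails on any other document's ciphertext.
func openDoc(docKey []byte, docID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(docKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(docID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Handing over deriveDocKey(master, "DOC-001") lets the requester read DOC-001 and nothing else, whereas sharing the master key would have exposed every document, which is the mistake the post describes.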

A company must show that it exerted complete control over held documents, by demonstrating restrictions on access, so that the data could not have been changed.

Data on portable devices is a problem. Get it off these gizmos.

For those people who have documents under hold, put RED FLAGS on them, so that if they get a new PC or laptop, the data on the old one is not destroyed or compromised.

Have documented, enforced, and monitored rules regarding email access and downloading. Otherwise you may end up searching for hold documents on numerous portable devices.

eDiscovery Insights

- Fully understand the lawyers' requirements.
- Seek clarifications and monitor feedback to ensure you stay on the proper track.
- Review operations to see what information security processes can be used for an eDiscovery response program.
- Stay proactive. Develop the capabilities, have processes in place.
- Companies are defaulting to the other party because they cannot provide the information, usually within 30 days.
- Have not found a specific legal requirement on the manner of preserving business documents.
- Look at the Rules of Evidence and Discovery in the Federal Rules of Civil Procedure. Fun read.
- ISSUE: Retention of Records
- ISSUE: Back up of Files (BCP). Do not rely on tapes for storage of hold documents.
- Tapes: the problem is that you don't know where on the tape the information can be. It can be costly to find out.
- For tapes from years back, you must have the backward capability to restore the system to the state that existed when the tape was created, to be able to read it without affecting it.
- DEFINE the DATA to be held. All further work will depend on that definition. Make sure it is not easily misinterpreted. Do not get more, or you risk fishing expeditions.
- There could be multiple litigation holds on the same data that extend its hold for years.

Data Breach Handling Considerations

- Have data classification schemes and use them, know what data you have.
- Must make sure that policies and procedures are actually followed.
- Secure “essentials” first, then move on to “excellent” security practices
- Secure partner connections. Many break-ins start with sub-sub-sub vendors.
- Create data retention plan, detailing how long to keep data.
- Have a plan to respond to data breaches, a breach incident response plan
- Conduct mock incident testing, even if only desk testing
- Put firewalls WITHIN the organization between divisions
- Stop communication of sensitive data through establishment of data zones.
- Monitor Event Logs
- Don’t rely on standards.

All the big names that got customer data stolen (the ones we heard about from the newspapers) were PCI compliant.