The compliance audit demonstrated significant gaps in processes and
policies, which left the new CIO in a quagmire about how to get started. The
report was damning for both the internal and outsourced teams; there were
numerous cases of process being bypassed or ignored, along with weak, ambiguous
policies and controls. The task appeared herculean, and the team was still
smarting from the beating it had received from the CFO, to whom the audit team
reported. The CIO had come on board a month earlier and was still undergoing
his induction.
Every company with an active audit function reviews compliance, risk
and process strength against defined policies; the frequency of audits varies,
but IT figures in the calendar at least once a year. The auditors sift through
logs, evidence of process adherence, change requests, documentation, defined
standards, IT security, procurement discipline, and exceptions to all of these.
For IT the exercise is fraught with danger: in the real world compliance is
difficult, with almost every senior manager requesting a deviation from policy.
To get started, the CIO decided to seek help from the audit team, which had
engaged one of the big audit firms. The audit team was surprised, since none of
the auditees had ever asked them for help; they dutifully connected the CIO to
the consultants, who cited a conflict of interest and recused themselves from the
potential engagement. Not one to give up so easily, the CIO reached out to their
competitors and engaged them in a full review of people, process, policy and
technology, aimed at creating a practical, implementable set of policies.
Months and many iterations later, the CIO was satisfied with the end
result, to which his team had contributed throughout the process. The
classification of policies and associated procedures appeared comprehensive and
pragmatic in intent. The IT team was also content that it finally had clear
markers that would leave little room for exceptions, and the outsourced team
responsible for execution would find it easier to comply. But before
putting the plan into action, the CIO sought the opinion of the vocal CFO.
Weeks passed after the documents were emailed, with no response; the CIO
personally reminded the CFO of the pending request. Time was running short, as
the next audit was due in a few months and the CIO did not want to fend off
another negative rating. He also depended on some of the other functions to
work in tandem. Much nudging and cornering later, the meeting was scheduled.
The CIO had his team and the consultants on standby should there be a need to
discuss some aspect in detail.
"These policies are not user-friendly! The consultant has given you standard
cookie-cutter templates! How do you expect senior management to comply with
these? We cannot be expected to change and remember complex passwords every so
often. The world over, businesses are going digital; how can you have a
draconian internet access or social media policy? We need to allow people the
freedom to engage with customers! The world is going mobile; you should allow
access to information on demand. You have to figure out a better way to
implement security!"
The CFO went on shredding the documents, deriving satisfaction from his
qualifications and comments; the impracticality of his suggestions had the CIO
wondering whether the company would ever succeed in creating a framework that
would protect the systems while allowing the processes necessary for good
governance. His counter-arguments were brushed aside by the CFO, who was
unwilling to listen in his quest to add value. The CIO thanked the CFO for his
critique and decided to seek counsel from the other CXOs on implementation.
The other CXOs, who had lived with far more restrictive policies elsewhere,
commended the CIO for his rational, real-world approach. Soon the next audit
came, and the results showed significant improvement in compliance, which
validated the approach taken. The CEO was full of accolades for the CIO, while
the CFO squirmed and then tried to take credit by highlighting his review prior
to execution. The rest knew better and nodded to the CIO for the road taken and
the positive outcomes. The CIO thanked everyone for their understanding.
A few weeks later, the CFO requested an exception to a policy. It was denied,
as it required the approval of the CEO, who was against deviations!