Why is it that some companies succeed and others fail? There is a general consensus that certain things are common among successful companies. We call these things key success factors. Key success factors are essential attributes that are critical to an organization reaching its business goals.
There is no agreed-upon list of success factors because they vary depending on the nature of the business, among other things. Some business experts would say good, productive employees are a key success factor. Others believe keeping loyal customers is a critical factor. Still others would submit that having clear policies and procedures is how organizations succeed.
I would not disagree with any of these. However, as a Certified Information Systems Auditor (CISA) and a former IT auditor and manager, I would suggest that having an effective audit function is critical to the success of a business. The purpose of an audit is to evaluate an entity, such as a policy, process or account, to ascertain whether it meets a predetermined standard or set of criteria.
Cybersecurity Ripe for Audits
A successful audit should identify areas of the organization needing improvement, including those that are likely to be high risk. In today’s digital environment, cybersecurity is typically top of mind for company leaders. They often know enough to be concerned, but not enough to actually address those concerns. In other words, there is no question that cybersecurity is an area of high risk for most organizations, but how they should respond to this risk is unclear.
It is the job of the IT audit function to determine how the organization should respond to risks that are specific to their operation and then evaluate whether the response is appropriate based on auditing standards and best practices. One common response to mitigate risk is to implement countermeasures, also known as controls. In those situations it is the responsibility of the auditor to evaluate the effectiveness of the controls to determine if they will indeed work.
For example, business leaders often believe that a firewall is a sufficient response to cybersecurity concerns. Some questions IT auditors will ask in these situations include: What type of firewall is it? How has it been configured? How often are the rules updated? The IT auditor will also inform senior management that a firewall is only one of many controls that should be considered when responding to the threat of a cyberattack.
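The auditor's questions about configuration and rule freshness can be turned into repeatable control tests. The following is an added example, not part of the original post or any ISACA material; the rule format, the 180-day review threshold and the sample rule set are all constructed assumptions, and a real engagement would feed in an export from the firewall under review.

```python
from datetime import date

# Constructed sample rule set (hypothetical, not from any real firewall).
# Each entry mimics an access-list line: source, destination, port, action,
# and the date the rule was last reviewed by its owner.
SAMPLE_RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "10.1.2.3", "port": "443",
     "action": "allow", "reviewed": "2023-11-01"},
    {"id": 2, "src": "any", "dst": "any", "port": "any",
     "action": "allow", "reviewed": "2021-03-15"},
    {"id": 3, "src": "203.0.113.0/24", "dst": "10.1.2.9", "port": "22",
     "action": "allow", "reviewed": "2023-12-20"},
    {"id": 4, "src": "any", "dst": "any", "port": "any",
     "action": "deny", "reviewed": "2023-12-20"},
]


def audit_rules(rules, as_of_iso, max_age_days=180):
    """Return a list of findings answering two audit questions:
    'how is it configured?' (over-permissive allows, missing default deny)
    and 'how often are the rules updated?' (rules not reviewed within
    max_age_days of the as_of date)."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for r in rules:
        # Configuration check: an allow rule with any source and any
        # destination (or any port) defeats the purpose of the control.
        if r["action"] == "allow" and r["src"] == "any" and "any" in (r["dst"], r["port"]):
            findings.append({"rule": r["id"], "issue": "permissive",
                             "detail": f"allow {r['src']} -> {r['dst']}:{r['port']}"})
        # Freshness check: has the rule been reviewed recently enough?
        age = (as_of - date.fromisoformat(r["reviewed"])).days
        if age > max_age_days:
            findings.append({"rule": r["id"], "issue": "stale",
                             "detail": f"last reviewed {age} days ago"})
    # Configuration check: the last rule should be an explicit default deny.
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append({"rule": None, "issue": "no-default-deny",
                         "detail": "rule set does not end with deny any -> any"})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, "2024-01-15"):
        print(f"rule {f['rule']}: {f['issue']} ({f['detail']})")
```

Run against the sample set as of 2024-01-15, the script flags rule 2 twice (permissive and stale) and confirms the default deny is present; such findings are the evidence an auditor brings back to management rather than a yes/no answer about "having a firewall".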
While the audit team should be actively involved in the tactical procedures of auditing the company, a skilled audit team that partners with the board of directors and senior management will not only identify aspects of the company that need attention, but also develop an audit plan that supports the organization’s overall strategy and act as consultants to help move the company closer to its vision. Over time, with the ongoing involvement of the audit team on the tactical and strategic levels, the organization can certainly count audit as one of its key success factors.
Note: For more on auditing cybersecurity, view this article in @ISACA.com.
Paul Phillips, Technical Research Manager, ISACA
[ISACA Now Blog]