Performing an Audit of Corporate Policies and Standards
Part 2 of 2
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
Policies and standards need to be written in a manner in which they can be enforced.  One of the common mistakes in the deployment of policies and standards is not having an adequate review process (i.e., one comprised of individuals representing the business, IT, Human Resources and Legal departments) to ensure that the policies are appropriate for the organization.  It is not being suggested that policies and standards should only be instituted where compliance can be assured.  Instead, a process needs to be in place to identify those areas of an organization which are not in compliance with policies and standards.  In addition, an effective process needs to be in place to ensure that all areas of an organization are made aware of changes to policies and standards.  Since policies and standards are applied to various levels of IT, which include the network, operating system and application levels, there could be varying degrees of compliance at each level.
The most important component of the enforcement of policies and standards is the method used to grant waivers for non-compliance.  The policy and standard waiver process needs to be a formal process in which a committee is established to review the merits of each case of non-compliance.  A compliance waiver is typically granted based on the implementation cost or the unavailability of technology to meet the compliance requirement.  It is important that the residual risk to the impacted area be defined whenever a waiver is granted.  Regardless of the reason for the waiver, it is important that these compliance waivers be re-evaluated on an annual basis, since technology can change over time and introduce alternatives to consider.
One of the other inherent problems with standards is the manner in which they are written.  Standards must be written as mandatory requirements.  Otherwise, there is no requirement to comply with them.  Therefore, definitive words such as "must" and "will" need to be used, and not words like "should" and "potentially".  Standards also need to be written in a manner in which there is no room for interpretation of the underlying requirement.
Audit Program - Evaluating Policies and Procedures
1) Determine whether an effective design is used for corporate policies and standards
2) Determine whether the structure of the corporate standards provides a basis for compliance
3) Determine whether an effective process is in place to ensure that all impacted areas of an organization are made aware of any new or revised policies and standards
4) Determine whether policies and standards are reviewed and approved by a committee which includes participants representing all potentially impacted areas of an organization
5) Determine whether the audit department has incorporated the standards into their audit processes
6) Determine whether an effective process has been established to identify non-compliance with corporate standards.  In addition, determine whether remediation projects are being formally tracked and prioritized.
7) Determine whether the organization has established an effective process for evaluating corporate standard compliance waivers
8) Determine whether SOX controls have been established based on corporate standards
Copyright  2009, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.