Shining the Light on IS/IT Governance, Risk, and Compliance
The Wild West. Booms and Busts.

It’s been little more than a quarter of a century since the microprocessor enabled Apple to launch its IPO and IBM to corner the PC market – at least temporarily. For all intents and purposes, information technology is akin to the Wild West, replete with the gold rush of the dot-com boom in the 1990s and its subsequent bust. In the process, publicly held companies swaggered into the saloon and bellied up to the bar, buying round after round of hardware and software that sometimes added value to their businesses and other times drew them into a showdown with their shareholders and other stakeholders.

Initially, this new frontier of information technology remained unfettered, largely because few could anticipate the legal issues that might arise. Over time, various legislative bodies and regulatory agencies staked their claims, yet a gang of rustlers – Enron, Adelphia, and WorldCom, to name three – managed to defraud their shareholders, employees, and the public. The posse rounded them up and sent them to the clink, but the U.S. Congress decided it was time for a new sheriff to ride into town and enacted the Sarbanes-Oxley Act of 2002 (SOX Act). This far-reaching statute dramatically changed the face of American business (and, ultimately, global business practices), with an emphasis on what has come to be called Information Security and Information Technology Governance, Risk, and Compliance (IS/IT-GRC).

A Moving Target. Leaders Caught in the Crosshairs.

Governance, risk, and compliance are three words that represent the essence of sound business practices. The underlying principle of GRC is that a publicly held company has a duty to deploy its assets in a way that furthers its business goals and objectives. GRC is a means to fulfilling that obligation.

When it comes to information security and information technology, however, GRC can seem like a moving target, with everyone from board members to managers to auditors seemingly caught in the crosshairs. Internal processes and procedures can lag behind technological advances, making it difficult for governing boards to provide diligent oversight. Similarly, implementing new laws and regulations can mean revamping existing systems for compliance. In the process, those responsible can easily lose sight of the fact that information technology can and should be utilized to move the company’s goals forward.

It’s important to note, however, that “IS/IT-GRC” is an umbrella term that can describe a variety of activities within a company. The primary components of IS/IT-GRC are described below.

Governance: Governance broadly describes the role of a company’s board of directors, which is primarily responsible for acting on behalf of those who provide capital (shareholders) to oversee those who use the capital (managers) in order to achieve business objectives.

In the IS/IT arena, governance includes confirming that IT contributes to the company’s goals, that IS mechanisms are in place, that lines of accountability are developed and followed, that strategic planning incorporates the need for evolving IT solutions, and that legal and regulatory obligations are fulfilled.

Risk Management: Broadly speaking, risk management consists of recognizing, assessing, and mitigating threats to the value of a company, as well as recognizing, assessing, and seizing opportunities that add to the value of a company. Typically, there are three facets to risk management, encompassing strategic planning, operations management, and internal control.

Within the context of IS/IT, risk management often focuses on two components: establishing the IT assets, personnel, processes, and controls that give managers and boards the ability to assess, prioritize, and address risks; and creating a corporate culture that increases vigilance about IT risks, their causes, and their solutions.

Compliance: Companies must comply with myriad laws and regulations – everything from employment laws and tax codes to occupational safety regulations and zoning laws. Within the realm of IS/IT-GRC, compliance can include security standards, intellectual property rights, privacy laws, and industry-specific laws such as HIPAA.

For publicly held companies, IS/IT is a critical component of SOX Act compliance. At the heart of the SOX Act is Section 404 of Title IV, which mandates that auditors submit an annual management report that gauges the efficacy of a company’s internal controls, as well as a second report from management and auditors that assesses internal controls over financial reporting.

Complying with Section 404 requires, for example, that IT systems are in place to trace every transaction to its source, that a variety of logs are maintained and reviewed by an independent party, that all digital media is routinely backed up, and that all data is verified.