Checklist 2.0 News

One of the best places to learn the definition for Best Practices is Wikipedia:

• “A best practice is a technique, method, process, activity, incentive, or reward which conventional wisdom regards as more effective at delivering a particular outcome than any other technique, method, process, etc. when applied to a particular condition or circumstance. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications.
• Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.”

In particular, at Checklist 2.0 we focus on the definition of Best Practices as explained in the second bullet point. Our belief is “Don’t reinvent the wheel”.  Everyone – no matter what their profession – wants to apply the best approach to accomplish a task utilizing the minimum available resources.

In fast changing and complex domains like IT, Best Practices can be leveraged effectively as the underlying technology framework and methodologies.  The IT house is dominated by few major vendors like Microsoft, Oracle, SAP, Google and others. The huge similarities of system installation and functionality requirements by the customer base make Best Practices technology management a huge attraction.  There are several key advantages of having a Best Practices based IT approach is :
1) Benchmarking operations with industry peers to calculate the real return on investment
2) Leverage expensive human capital without time consuming trial and error approach
3) Reduce the total cost of operation by using the collective knowledge of leading edge sources
4) Identify and target well-known gaps or vulnerabilities

How to build multi-dimensional Best Practices
You may understand the value of Best Practices, but the key question is how do you identify, organize and create specific Best Practices to solve business problems and provide end-to-end business solutions?

Best Practices, when captured need to be associated with several dependent factors which would help the consumers to apply and filter based on their specific situation.

For example, a house built in a tropical climate will be designed to reflect the local environment, utilizing local materials, have different a foundation, and connect to local utilities different to a house built in Alaska.  Though each house serves the same purpose, they will vary based on local factors such as climate, weather, local resources and need.

Identifying these different requirements at the beginning and tagging the Best practices based on climatic condition, materials used, plumbings and electrical, local codes, statutes and regulations, etc. is going to help a larger audience to manage and generate specific best practices to be applied during a construction.

Another key factor is the need to keep Best Practices up-to-date.  You may not want to reference a Best Practice white paper published several years ago or read a book outdated even before it goes to press. Building a Best Practices unit which has logical distinction from another unit is the key.  You need to identify and tag the different requirements to build the proper Best Practices.

Who needs to build the Best Practices and when?
In the increasingly connected world the best ideas and practices can come from anywhere. The key to leveraging best practices is to get an up-to-date details of the practices that has several dependency factors and share it globally for users. For example, a doctor in India, where the population is large, operates on at least 10 to 20 patients a day. Best practices used by the doctors to have operate many patients with higher success rate is only can be developed in places like this one. In case of natural disasters in the other part of the world, these practices can be effectively leveraged to handle more number of patients. The key two things to make this process effective is:
1) Sharing of the practices on a global platform
2) Categorizing the practices for different conditions like large number of patients, small number patients etc.,
So, by building a platform to identify, organize, and update Best Practices you will improve efficiency and leverage expertise.

Why IT Audit Planning is using Best Practices
IT Governance and Strategy are critical to an organization’s success.  IT plays a major role in the technology dominated business processes.  A Best Practice based audit plans to evaluate risk uses an 80-20 rule.  This allows you to eliminate all the low-hanging fruit with the global Best Practice knowledge base and helps organizations quickly achieve its desired business objectives. Key to the risk assessment and audit plan process is breaking down the IT Universe into smaller more manageable sub-components. Typically, the IT sub-components are defined as infrastructure, and applications. Contained within the infrastructure sub-component are servers, routers, communications, desktops, etc.
This hardware controls the flow and processing of information throughout the organization. The second sub-component is applications. This is the software used to record and store business transactions. Examples would be database, enterprise resource planning, or business intelligence software.  These controls consist of security applications, disaster recovery
plans, and service level agreements (SLAs).  By leveraging the best practices developed at the sub-components level an IT auditor can quickly build an audit plan based on specific criteria of his/her need and provide a risk assessment report of the IT environment. Checklist 2.0 is built using the principles highlighted above and we would love to hear your thoughts.

Traditional auditing is about the evaluation of an organization’s financial systems and processes. The primary objective of traditional auditing is to detect fraud. Traditional auditing focuses mostly on integrity of the financial transactions and compliance to the policies and procedures of an organization.

While IT Audits includes revenue recognition, accounts receivable, and account payables business processes, the audit itself is often automated using some third-party tools or home-grown customized IT applications.

IT audit is a paradigm shift for auditors who are usually involved in traditional auditing.

Traditional auditing is a multi-year, periodic procedure to assess the way organizations carry out their business that impacts the financial statement.

Traditional auditing is time consuming and highly manual.  A financial audit is an intensive project going over several thousand records focusing on compliance of the transactions to organization’s policies.

Traditional auditing is done to ascertain the validity and reliability of information presented to shareholders, investors and regulatory agencies.

In contrast, IT auditing is not often about identifying issues.

Traditional auditing is sometimes expanded to different domains including accounting, quality, energy, etc.

As there are several vendor-based built-in solution or plug-in tools available to identify IT vulnerabilities, it makes sense to use these tools to assess IT environments.

Many IT auditors may not have up-to-date training or expertise for executing a configuration audit of a complex environment such as an ERP (Enterprise Resource Planning) system. The complexity and the variations of IT system implementation render itself for an automated scanner to verify the settings per vendor recommendations, best practices and other standards.
IT auditors need to assess the gaps in policy, processes, and procedures in routine IT tasks including : software development life cycle, access control management, change management, and patch management.

As more and more organizations are moving from implementation of new technologies to more maintenance mode, IT audit focuses not so much on finding problems.
IT audit is focused on fresh look at processes and setup comparing the way the organization’s  IT is run with the industry peers, and the recommended best practices by subject-matter-experts and vendors.

In essence, an end-to-end IT audit identifies opportunities for improvement in implementing best practices and introducing or fine-tuning business policies, processes and procedures. In the case of regulatory compliance, rules governing the law requires an assessment of IT systems internal controls by an independent auditors.

The focus of traditional auditing is financial accounting. Integrity of financial transactions is audited to create a comfort level for the organization’s stakeholder. In IT audit, the focus is only the IT systems that are in scope for the audit objective. As more and more business processes are being automated using sophisticated end-to-end IT systems, IT audit is an integral part of the audit.