|Best Practices Yield Results
While many midsize accounting firms have a reputation for delivering solid tax and accounting services, others venture into what many in the profession would consider “unchartered waters.” These operations, advisory and consulting services might take years to develop with an initial ROI that may prove hard to justify.
The more innovative firms are the ones who not only understand the marriage between IT and audit, but offer varied services. Pannell Kerr Forster of Texas (PKF Texas) is one of those firms. The Houston-based firm brought in Dan Ramey late last year to head up its Internal Audit Department – not an arena to look at PKF Texas’ own numbers, but a service line offered for companies that might lack the staff to have their own internal audit function or require more in-depth services.
Based on his considerable experience in enterprise and IT risk assessment engagements with corporate and nonprofit organizations, Ramey brought technical acumen and a focus on IT. At PKF Texas, Ramey assists companies in designing, planning and conducting financial, IT and operational auditing activities, including risk identification and control assessment with an emphasis on process improvement recommendations and standardization. He leads a team of six internal auditors who help businesses more effectively assess and implement internal controls in order to assist management in running the company.
Although Ramey and his team work on engagements for any number of reasons – from Quality Assurance Reviews of corporate internal audit departments, to developing internal audit processes – it’s the work in risk assessment that he finds the most rewarding and the most challenging.
“Finding ways to keep company, client and employee data secure will continue to get harder every year. Every time we think we are catching up, the bad guys are one step ahead of us,” he says.
Ramey believes this is the primary reason why the majority of Top Technology Initiatives for 2008 are focused on governance and security management, pointing to #4, IT Governance, as a smart place for companies to start when assessing their own risk.
“Business owners should work jointly with process owners and IT departments to develop good governance. IT is a big piece of improving overall controls. If businesses want to get ahead of the curve, they need a top-down approach when assessing their IT risks.
“Most companies think that by having an IT staff they are protected, but it really takes a person from outside the organization with an unbiased opinion to accurately assess what your greatest risks are,” he continues. “After reviewing all processes, this outside person is able to provide a complete analysis for a company to understand what their specific risk factors are and most importantly, how to mitigate them.”
Specifically, Ramey talks about #3 – Business Continuity Management and Disaster Recovery Planning – as an area most business owners too often overlook. He encourages his clients and all business owners to take this issue more seriously.
“There are too many companies that encounter a disaster and are never able to recover and don’t get back to work. The U.S. Department of Labor estimates that more than 40 percent of businesses never reopen following a disaster. Of the remaining companies, at least 25 percent will close within two years.”
Ramey says most companies think that by simply backing up their data each night, they are protected.
“What if there is a fire in your office building tonight? Where will you meet tomorrow? Where will you get new computers and office equipment? What about your phone lines? The primary question you need to ask yourself is ‘How will I get back to work and meet the needs of our clients and employees?’ Business continuity planning and disaster recovery are about more than just protecting your data; it is planning how your entire company will get back to business.”
With so many opportunities for business data to be breached, it may be difficult to know where to start. Ramey sums it up by suggesting a business benchmark the list of Top Technology Initiatives against its own initiatives and then ask the question, “How do I, as a business leader, find best practices without reinventing the wheel?” Often, the solution is to bring in outside help.
“By using risk assessment advisors, protecting yourself, your employees and your clients is easier than you think.”