Ted Flom, CPA, CISA, CIA
Member in Charge
314.983.1294
tflom@bswllc.com


IT Audits

As the largest and most experienced IT audit group in this region, our team has extensive expertise with technologies and competencies that you won’t get from an IT audit generalist. Our professionals have significant, relevant, real-world experience and expertise, which allows us to provide practical and actionable advice and feedback. You won't have to train us, because this is what we do, better than any other firm. We are confident you will find the risk advisory services team of Brown Smith Wallace the most qualified partner to assist you with your IT audit needs.

We have significant experience providing IT audit services, and have the client roster to support it. Our project management skills allow us to find ways in which we can positively impact our clients' success. We don’t just identify issues; we help you address and remediate challenges as they arise.

Working with the IT audit team at Brown Smith Wallace combines a high level of expertise with strong client service while providing these solutions:

IT Audit Plan Development and Risk Assessment

We are frequently hired to assist clients with the development of an IT risk assessment to help them:

  • Obtain a better understanding of the IT risks impacting the organization
  • Prioritize IT risk areas
  • Develop annual or multi-year IT audit plans

We assess threats to the IT infrastructure, the probability of occurrence, the potential impact to the organization and its ability to accomplish its goals. Our IT risk assessment will assist management in identifying appropriate risk mitigation approaches for identified threats that will reduce risks to an acceptable level.


IT Audit Outsourcing

We work with a number of companies as their complete IT audit function. They engage our team to provide IT audit outsourcing. Our highly experienced team can help you:

  • Establish a new internal audit function
  • Manage the internal audit function
  • Perform risk assessments and develop audit plans
  • Perform specific internal audits
  • Work with executive management and the audit committee
  • Provide subject matter expertise
  • Provide an internal audit framework and methodology

Companies find IT audit outsourcing to be cost effective because:

  • We provide internal audit professionals with specialized skills when you need them. 
  • Management can effectively manage costs along with peaks and valleys in the internal audit schedule.
  • We bring IT audit best practices to the engagement as standard procedure.

Our approach is risk-based and flexible to address your unique environment and budgetary constraints. We work closely with our clients to ensure all activities are thoroughly planned and executed to minimize the impact on normal business operations.


Co-Sourcing

We also have the talent and expertise to provide you with a wide variety of co-sourcing options. You can maintain control of the audit function while utilizing our internal audit specialists, as needed, to address your staffing needs. Co-sourcing engagements can include staff augmentation or engagements to perform specific audit projects. Companies often hire us as their co-sourcing partner to address staffing shortfalls or to contract for specialized expertise (e.g., information security professionals).

We have the depth and breadth of experience to help you with specific audits, risk assessments or special projects. By co-sourcing with us, you are able to effectively manage costs while addressing staffing and technical needs, ultimately increasing the value proposition to your company.


IT Security

The communication and commerce of the business world are highly integrated with technology, which has led to a need for information security to protect business activities, technology and corporate data. IT security threats, vulnerabilities and data exposures challenge every organization. The goal is to effectively manage and control these risks, which can potentially have a significant impact on your business. All too often, organizations are unaware of the IT security risks they face, lack information security, and are unable to manage risks in the event of an IT security breach. The Risk Services practice at Brown Smith Wallace can help your company maintain security and privacy.


IT Advisory Services

Technology must provide efficient access to information to help management make better, faster decisions. Brown Smith Wallace’s IT advisory team has extensive experience and technical knowledge to help your company link its technology and business goals while maximizing the efficiency of your IT resources. We help your organization transform technology from an expense to a strategic investment by providing an independent and objective evaluation of your technology, costs and business fit in these areas.
 

Business Continuity/Disaster Recovery

Did you know that 50% of companies experiencing a computer outage will be forced to close within five years?

We can help you develop a disaster recovery and business continuity plan that documents the necessary procedures to restore business operations in the event of a disaster. Working with this plan will enable you to take proactive steps before a disaster occurs.

Whether we review an existing plan or help you establish a new one, our methodical, logical approach is applied. We take a holistic approach to developing your business continuity or disaster recovery plan by focusing on your restoration objectives. The areas typically covered include human resources, facilities management, communication systems, information technology, infrastructure resources and media relations.


System Implementation Risk Management

Organizations often undertake system implementation initiatives in the hopes of realizing significant benefits. While these significant, strategic initiatives can offer many long-term benefits to the organization, they are often fraught with risks that need to be well understood, managed and monitored. In response to our clients’ needs, we have developed a methodology that is focused on identifying project risks and understanding and evaluating the effectiveness of approaches to mitigating such risks.

System Implementation — Risk Management Program

Our System Implementation Risk Management methodology is focused on risks inherent in system implementation projects such as:

Project Management – How does the project team ensure that the project is being managed in an effective and efficient manner? This includes project management risks such as:

  • Project management capabilities
  • Managing project scope (including budget, resource requirements, timelines, organizational impact)
  • Identification and achievement of project objectives
  • Risk identification and resolution
  • Comprehensiveness of project plan
  • Project monitoring and reporting

Business Processes – How has the entity ensured that adequate controls have been developed for the business processes impacted by the new system implementation? We focus on performing analyses of impacted business processes and perform the following:

  • Identify business process objectives and related risks
  • Understand controls in process
  • Evaluate the effectiveness of controls

Security – How has the entity ensured that security controls have been built into the application, database and operating system?

IT Operations – How has the entity ensured that adequate IT operational controls are in place to support the operation and maintenance of the system?

Data Integrity – How will the entity ensure that adequate data integrity controls are in place with respect to data conversion and data interfaces?

Our methodology is designed to provide a comprehensive evaluation of risks associated with each phase of the system implementation project. It is modular and can be designed in a manner to target specific risks and/or phases of the implementation. We work with our clients to design an approach that is appropriate to their needs.

While our methodology can be applied to any system implementation project, we do have specialized capabilities and resources devoted to major system implementations such as SAP, Oracle, JD Edwards and PeopleSoft.


Segregation of Duties Programs

User access and segregation of duties (SOD) are critical building blocks of a company's internal control and risk management programs. SOD administration and management is a daily process that needs to be built upon strong policies and procedures including timely and ongoing monitoring.

Our SOD services are tailored to help you with the design, implementation and monitoring of information security and internal controls within your information systems environment. Today, many of our clients are putting in place Continuous Controls Monitoring solutions (e.g., SAP’s GRC and ACL). Our information security and internal control experts work with clients to achieve the maximum benefits from these implementations. Our approach includes:

  • Analysis and cleanup of access profiles
  • Managing privilege requirements in daily operation
  • Performing periodic audits of access using automated tools
  • Design of SOD baselines and policies
  • Assessment of existing SOD programs

ERP implementations are typically highly complex, time constrained and costly. As a result, information security and internal controls are two areas that are often not adequately addressed until after go-live. We have found it is critical for a company to have experienced project team members that are specifically focused on these critical implementation areas to ensure they receive the appropriate focus and maximum benefits.
