However, COBIT and COSO, while helpful, have something of a one-size-fits-all feel to them and may not be specific enough to get your company to the state it actually wants: controls that demonstrably work, not just a documented framework.
Therefore, to augment these frameworks, it is advisable to bring in an independent auditor to identify the critical transactions and examine whether the company has the right controls around them from an IT perspective.
The frameworks may be too generic to rely on entirely, but if your company suffers a security breach, you would at least be in a position to say that you have a documented control structure in place: You have performed due diligence.
Further, these frameworks can serve as an organizing principle around which
you can develop your compliance initiatives, ensuring that all the bases are
covered.
Keeping up with the pace of change
A properly functioning IT governance framework recognizes the constantly changing nature of IT. Such a framework frequently re-evaluates current processes against a changing landscape of new threats, risks, laws, and evolving technologies, in order to keep the calculus of negligence tilted in your favor.
Your company may have come up with a better mouse trap five years ago, but unfortunately the mouse has gotten a lot bigger and a heck of a lot smarter. Within the brief evolutionary cycle of risk and compliance, it is very easy to fail to recognize the true threat the mouse now poses and to neglect adapting your systems accordingly.
Perspective is key, and one of the best ways to gain a good perspective is to look outside of your company to experts who can help you see clearly what your industry expects, what your customers and vendors expect of you, and what regulatory agencies expect of you. Challenging your own assumptions about how up-to-date and correct your systems are may require looking to an auditor for that much-needed outside view.
If you do this due diligence, then in a pinch you will be able to look at the norms and exceptions for your spend management systems (for example, the tolerances you set and the occasions on which you exceeded them) and clearly declare whether your reporting is complete, accurate, and valid as measured against the industry and aligned with the company's risk and compliance profile.