Red Clay Renovations (RCR) is a technology-based company that relies heavily on technology for business operations. Company information systems hold data that is critical to business operations. The Chief Information and Security Officer and the Information Technology Governance Board have taken great strides in the last year to enhance the security of the organization while incorporating new technologies to meet corporate objectives. Policies have been created that are designed to fill many weak points in the corporate security structure. The policies were disseminated to all employees, and a signature was required as validation of receipt and understanding. There is a need to evaluate whether policies are understood and adhered to by all employees. A company-wide audit system is necessary to measure employee awareness of IT security policies. Audit results provide policy makers and management guidance on the challenges of using information technology policies (Abou-El-Sood, Kotb, & Allam, 2015).
Audits are designed to provide information to an organization on the effectiveness of the system audited. Audits can be conducted by internal teams or outside contractors. It is imperative the auditors remain impartial in their assessment (Mcdonald, 2000). Remaining impartial ensures the integrity and accuracy of results. Red Clay Renovations should utilize their information technology services and human resources departmental personnel to conduct the internal audit. Auditors from these departments will be able to solicit honest responses without having a direct stake in the results.
The employee awareness audit should cover all IT policies that have been created or revised in the past twelve months. Such policies include but are not limited to: bring your own device, data breach response, management and use of social media, website governance, acceptable use, and preventing and controlling shadow IT policies. Audits and reviews should be conducted annually. Annual audits will account for any changes to policies and include company advances in the use of information technology.
Audits should be conducted onsite at the data gathering location (Adams, 1999). Onsite audits help the target audience feel most comfortable and provide honest responses. Audit teams should schedule times with regional managers and executive staff to conduct onsite audits. Audits should include a questionnaire designed around employee responsibilities regarding IT policies. Questionnaires should be followed up by a short one-on-one interview with an auditor. A standardized list of interview questions should be developed for one-on-one interviews. The questions should be designed to assess an employee’s understanding of company policy objectives and personnel responsibility.
Audit results should be delivered to the Chief of Staff and the IT Governance Board. Results can then be disseminated to all executives who are involved in the policy approval process. Results should be used to provide a benchmark to measure policy effectiveness. Audit results should be retained for five years or until no longer included in the benchmark average.
Abou-El-Sood, H., Kotb, A., & Allam, A. (2015). Exploring Auditors’ Perceptions of the Usage and Importance of Audit Information Technology. International Journal Of Auditing, (3), 252.
Adams, N. H. (1999). NEVER AUDIT ALONE–THE CASE FOR AUDIT TEAMS. Quality Assurance, 7(4), 195.
Mcdonald, I. G. (2000). Quality assurance and technology assessment: Pieces of a larger puzzle. Journal Of Quality In Clinical Practice, 20(2/3), 87-94.