CLIENT STORY

When one defense IT operations organization resolved to become proactive when managing and monitoring compliance and risk mitigation, Electrosoft implemented systems and processes to support the transformation.

PROBLEM

Leaders at one defense organization recognized that their team was spending too much time and effort mitigating IT audit findings and resolving issues of noncompliance.

The agency is responsible for conducting IT operations audits as well as managing remediation and mitigation of IT findings and issues of noncompliance. They must adhere to a range of evolving federal IT audit controls and guidelines, including:

• Federal Information System Controls Audit Manual (FISCAM)
• Federal Information Security Modernization Act (FISMA)
• Statement on Standards for Attestation Engagements (SSAE)
• Financial Improvement and Audit Readiness (FIAR) Guidance
• National Institute of Standards and Technology (NIST) 800-37, and
• NIST 800-53, or the “Risk Management Framework”

They wanted support to quickly resolve IT operational deficiencies – and to move to a proactive posture, where they could self-identify and resolve potential risks. Leaders wanted to drive improvements so they could operate from a position of strength and best practices.

SOLUTION

In order to move from a reactive posture, driven by findings identified by the independent public auditor (IPA), to a more robust, self-identifying, continuous, proactive posture, the agency’s IT Operations Department needed to develop, train and implement root cause analysis and corrective action planning processes.

The Electrosoft team started by helping the agency address findings identified by the IPA, helping them fix the most pressing issues. But we didn’t stop there. Together with the client, our team leveraged the audit findings to improve systems and processes.

Our team provided high-level coordination and communication with stakeholders to develop and implement standardized audit life cycle operating procedures. To ensure the procedures were operationalized, we provided training, monitoring, control and reporting to stakeholders. We also improved root cause analysis and corrective action planning processes.

For example, we implemented and trained agency personnel on the use of a centralized performance tracking and reporting solution as “a single version of the truth,” emphasizing that “you get what you measure.” Replacing a manually intensive Microsoft Excel tracker, we are automating the audit response life cycle using Remedy and SMART reporting.

Using NIST 800-37, the Risk Management Framework and FISCAM as guides, we also developed and implemented a Risk Control Matrix for all IT General Controls and Business Process Application Controls. The Risk Control Matrix will be the foundation for a proactive approach to internal and external audits, integrating risk management with controls selection, testing and standardized reporting. This approach supports best practices of the Office of Management and Budget (OMB Circular No. A-123), Complementary User Entity Controls and the annual Office of the Secretary of Defense Statement of Assurance.

Finally, to drive continuous improvement, we track and monitor accurate, timely, authoritative and effective performance metrics important to senior leaders of the agency’s IT Operations Department. These metrics are reviewed by agency leaders as well as high-level U.S. government leadership.

RESULTS/BENEFITS

Implementation of Electrosoft’s solution has resulted in significant improvement in the audit response and closure processes and significant reduction of the operational stress on the agency.

Improvements and efficiencies include:

• Reduction of manual notification and status tracking for Notices of Findings and Recommendations (NFRs)/Corrective Action Plans (CAPs)
• Automated reporting and notifications
• Improved self-service status visibility
• Access to centralized audit data including delays, risks, re-baselines, testing issues and recovery plans used for various priority status updates and reporting

The government client has determined that this improvement will have significant benefits in the following areas:

• Increased awareness of CAP milestone status
• Seamless transition of audit CAPs through the audit NFR remediation process
• Reduced operational disruption for status reviews
• Increased information accuracy and timeliness
• Increased quality assurance throughout life cycle of CAP milestone implementation
• Reduced testing activities by implementing continuous testing regime and removing duplicate tests

Today, building on the success of the new systems and procedures, the defense organization is exploring potential expanded use for broader agency DLA NFR and CAP management.