Accounting firms in the Chicagoland area are coming under more scrutiny from both clients (Are you protecting our data?) and compliance enforcement. To bring your IT systems into line with the expectations of both parties, it’s critical for your CPA firm to have the right IT policies in place.
IT policies are those sets of rules, best practices, and standards that dictate the protocols that run your IT environment. IT policies are designed to:
- Reduce redundant work on the IT management side of things
- Promote productivity for the end-user
- Bring security and stability to the system
- Lower unplanned downtime
- Meet compliance mandates
In order to do all of that, an IT policy must be optimized in three ways.
- Content
- Administration
- Practice
The Components of an IT Policy
So, what should go into an IT policy? Every good IT policy has these components:
- A Clear Objective
Firms that deal with IT services for accounting every day know that there isn’t one singular objective, but rather, three.
- Keep you running.
- Keep you secure.
- Keep you compliant.
A clear statement of purpose helps your IT support team to focus first on what is critical for your operations.
- Descriptions of Affected Users
Once your IT consultants have outlined the objective of your IT policies, it’s time to move on to the impact of those policies on real people. Not all IT policies are designed to be applied to all users equally. IT administrators, for example, often have more leeway within the policies than the average end-user. Another example would be how the policy impacts visitors to your office differently than your admin staff. Visitors logging onto the network would have much more stringent parameters than the in-house CPAs and staff.
Clearly identifying the audience will increase the relevancy of the standards.
- History of Revisions
Knowing what has changed in the IT policies over time helps eliminate redundancies and is a step toward helping your business stay within compliance structures. In an IT compliance audit, the history of revisions demonstrates to the auditor that you are giving attention to detail.
- Standards for User Practices
In order to keep users from doing whatever they want – crossing cybersecurity and compliance lines in the process – IT policies set standards for best practices enforced across your IT environment. Although from an end-user perspective standards are the most visible element of an effective IT policy, standards are only a part of a bigger IT policy picture.
IT standards are formulated on the basis of the unique needs of the business and tailored in relation to the IT policy’s objective and audience.
In general, the IT standards that your IT services for accounting firm will put into place will include:
- Device usage (which devices are appropriate for which contexts, and how they should be used)
- General security standards (i.e. password usage, physical device security, file sharing protocols)
- How data is archived (if data is not touched for a period of time, what happens to it?)
- How data is shared
- How data is stored
- Software usage (which programs are appropriate for which contexts, and how they should be used)
- Steps to take in the event of an attack or breach
- Who can access and share data
Good IT security policy hinges on having the appropriate standards and enforcement in place.
The Administration of an IT Policy
Somebody has to be in charge. An IT policy is just a bunch of words on a piece of paper unless someone is there to implement and oversee the launch of and adherence to the policy.
Without an IT administrator, an IT policy ends up being as good as a fire drill that never happens.
IT policy administration starts at the top. Sure, it’s the IT specialists that are always pounding the drum about IT best practices, but the directives and culture of cybersecurity and compliance must flow down from the executives.
While one would naturally assume that the responsibility for your accounting firm’s IT policy rests in your IT department, it does not. Ultimately, it is the CEO, CIO, or CISO that shoulders that accountability.
The IT department (in-house or outsourced) implements the IT policy under the authority given to it by that C-suite leadership.
It will benefit your company culture if you position adherence to IT security policy as something coming from the top – not simply something that the “IT guys want everyone to do.” The more buy-in you can get from your end-users, the more secure, compliant, and productive your IT systems will be. This is the critical nature of top-down leadership in IT policies.
The Practice of IT Policies – Putting words into action
Now that we’ve gone over what goes into an accounting firm’s IT policies and have indicated the individuals charged with implementing and governing those policies, it’s time to move on to putting the IT policies into practice.
While accountability for an IT policy should come from the top levels of an organization, its enactment will nearly always be carried out by the IT department.
Successfully carrying out an IT policy generally involves:
- Development of role-based access protocols
- Periodic reviews to assess policy adherence
- Policy revisions based on needed changes
- Set up of built-in IT restrictions for applications, mobile devices, internet, and network
- Setting up systems to adhere to policy standards (technical set up)
- User education and training
When Was the Last Time an IT Services for Accounting Professional Examined and Updated Your IT Policies?
The Alavanca Systems team works almost exclusively with Accounting firms here in Chicagoland. Over the years, we’ve come to realize that IT policies and policy enforcement are often the last thing on the list for CPA firms.
Why?
Because as long as the computers, server, network, and cloud assets are running, it’s all good – right?
Wrong.
Unfortunately, it only takes one IT incident that involves client data to bring your CPA firm into the crosshairs of compliance oversight bodies and auditors. An auditor will want to examine your IT policies, their implementation, adherence, and management.
One conversation with Alavanca Systems will either put your mind at ease regarding your IT policies or set you on a course to implementing policies that meet the expectations of clients and the mandates of legislative/industry standards.
We can help. Call or email to get answers to your questions about IT policy creation and management.
Ciro Cetrangolo is an IT specialist with over 30+ years in the IT services industry. Ciro has a deep understanding of the software, workflow, and underlying technology of accounting organizations and helps firms like yours achieve the secure, stable, and streamlined IT environments you need to accomplish your work more effectively. See my Amazon Author Profile