Description of the department and organization
In the modern business environment, organizations face a number of challenges in maintaining compliance across the different departments of a single organization. To align the responsibilities of employees with their level of access to corporate information and to prevent organizational risks of various kinds, Human Resources applies a variety of Controls practices (Purce, 2014).
The main purpose of such techniques is to introduce sustainable change in the domains of organizational architecture. Specifically, those domains may include Tools, Technology, Information Processing, and Human Resources. The sample organization used as the subject of this design inquiry is Netflix, Inc. There are a number of crucial functions that a new department dealing with Controls Testing and the Compliance Process should administer, given the company’s constant need to update its architecture and protect various aspects of insider information.
New department’s mission and objectives with respect to executing Controls Testing
One of the most rapidly growing issues in corporations today is compliance, which is becoming more complex at enormous speed, and “because of regulatory requirements [it] can affect a company’s business processes, and moreover, these requirements are often vague and confusing” (Cannon & Byers, 2006, p. 37). Among the regulations of special importance in corporate architecture is the Sarbanes-Oxley Act, which can be applied in the field of IT governance to such domains as processes and information (Damianides, 2005). Thus, the objective of controls testing is to ensure not only that all regulations are strictly followed at the level of each domain, but also that they are consistent with one another and not confusing for employees and users.
Another important objective is risk mitigation, since testing the various corporate controls will help define the most vulnerable areas of the corporate architecture, as well as the specifics of interactions between particular domains. The overall mission of the activities associated with controls testing and the compliance processes is therefore to align the functioning of all corporate domains with the organizational goals so that the regulating and reporting process is clear and can be sustained on a regular basis.
Critical Controls Testing activities the department will perform
One of the key activities in terms of controls testing and the compliance process is to define the necessary regulations. Secondly, in order to manage controls testing and the compliance process, it is important to conduct an analysis to estimate “the organization’s internal environment and its congruence with the company’s overall internal environment” (Racz, Weippl, & Seufert, 2010, p. 157).
In this way, it would be possible to improve the interaction between different domains. The third activity is a comprehensive analysis of the requirements for each domain, which will allow identifying the “derivation of IT compliance and IT compliance reporting objectives from business objectives” (Racz, Weippl, & Seufert, 2010, p. 157). As the next stage, it would then be possible to segregate the functions and duties of employees in relation to the various process controls.
The fifth step is the incorporation of background checks and other Human Resources management controls that mitigate the risks associated with human factors. Such activities are more effective if they are consistent with the organizational goals and with the rest of the organization’s security practices.
Another recommended activity is event identification, which concerns such domains as Technology & Tools and Human Resources. It is also important to note that event identification contributes to risk assessment in IT compliance by identifying compromising events. As a result of this activity, it would be possible to improve many technical solutions, including firewalls (Whitman & Mattord, 2011).
The eighth recommended activity is deviation analysis, which includes analysis of the risk responses. Among the other recommended activities, it is important to ensure regular status reporting covering all domains. Finally, the tenth activity is to maintain consistent status and risk response documentation in all domains, oriented toward long-term practice and improved information sharing and communication.
New department interfacing with corporate governance
The status of each controls test is to be reported to corporate governance regularly. In this way, the required independence of each domain will be aligned with controlling practices while minimizing risks. Given that every department has its own task specification, corporate governance is to align those requirements with the security standards.
Continuous monitoring of the effectiveness of the Controls Environment
Continuous monitoring can be achieved by means of auditing and documentation activities and by obtaining feedback from each of the domains (Alles, Brennan, Kogan, & Vasarhelyi, 2006). Overall, the main objective of the new controls testing and compliance process is to sustain a long-term practice of mitigating risks across the different domains and aligning them not only with the established regulations but also with the corporate goals and objectives of the company.
References
Alles, M., Brennan, G., Kogan, A., & Vasarhelyi, M. A. (2006). Continuous monitoring of business process controls: A pilot implementation of a continuous auditing system at Siemens. International Journal of Accounting Information Systems, 7(2), 137-161.
Cannon, J. C., & Byers, M. (2006). Compliance deconstructed. Queue, 4(7), 30-37.
Damianides, M. (2005). Sarbanes-Oxley and IT governance: New guidance on IT control and compliance. Information Systems Management, 22(1), 77-85.
Purce, J. (2014). The impact of corporate strategy on human resource management. In New Perspectives on Human Resource Management (pp. 67-80). London: Routledge Revivals.
Racz, N., Weippl, E., & Seufert, A. (2010). A process model for integrated IT governance, risk, and compliance management. In Proceedings of the Ninth Baltic Conference on Databases and Information Systems (pp. 155-170). Berlin: Steinbeis Hochschule.
Whitman, M., & Mattord, H. (2011). Roadmap to Information Security: For IT and Infosec Managers. New York: Cengage Learning.