The Managing Partner’s Guide to IT Audits

A great Leadership Conference. The MPIEs always excel.

Stanford J. Smith, Jr., Esq.

Martin Pringle – Wichita, KS

I look forward to this Conference every year. It really helps me to be a more effective firm leader.

Jason P. Waguespack, Esq.

Galloway Johnsonh – New Orleans, LA

A very organized and well-run conference. Great food. Great hospitality.

G. Wayne Hillis, Esq.

Parker Hudson Rainer & Dobbs – Atlanta, GA

Thank you for allowing me to participate. Your team is masterful at making all feel valued at your event and I dare say helping attendees see the value in attending.

Gerry Riskin

Edge International – Anguilla, BWI

Thank you for the invite to speak on the Managing Partner panel. Even though I have now attended 7 MPFs, I always bring back substantive and helpful information for my partners.

Marc D. Chapman, Esq

Dean Mead – Orlando, FL

Hands down the best leadership conference for managing partners I've ever attended.

Robert A. Young, Esq.

English Lucas Priest Owsley – Bowling Green, KY

I highly recommend the MPF Leadership Conference. I've participated many times, as have several of my partners. We leave with new ideas and fresh perspectives every time.

Thomas C. Grella, Esq.

McGuire Wood & Bissette, PA – Asheville, NC

I thoroughly enjoyed participating in this year's Conference. Thank you for your enthusiasm and leadership.

Richard N. Sherrill, Esq.

Clark Partington – Pensacola, FL

Thank you for what you do for our industry. I go to a lot of conferences, and your event is the one I look forward to and gain the most from each year.

Charles B. Jimerson, Esq.

Jimerson & Cobb, PA – Jacksonville, FL

Thank you for putting on another outstanding MPF Conference. I came away, once again, feeling reassured and encouraged.

Christine A. Gimber, Esq.

Weld Riley – Eau Claire, WI

The Managing Partner’s Guide to IT Audits

by Lee Hovermale and Don Champagne

An IT Audit is not about ordinary accounting controls, traditional financial auditing, or compliance testing.However, the auditor will assess the design and efficiency of controls to determine whether they are suitable to properly mitigate risk.Risk factors include system-related issues, change management and vulnerabilities and other factors related to your technology.In fact, a company’s IT infrastructure brings a unique risk to the firm that would not exist without IT being present.

For example, some of these risks include:

Cyber-attacks through website or hosted platforms
Infection by virus or malicious software
Denial of service attacks
Ransom attacks
Phishing emails
Loss or leakage of confidential information

As the firm’s chief executive officer, you are the person ultimately responsible to ensure that the IT systems and controls are aligned with the firm’s goals and legal requirements and are being managed, maintained, updated and kept current. In many cases, you are relying on your COO, an internal IT professional and/or your outside service provider to manage these risks. However, that reliance does not replace your ownership of this responsibility. It is therefore imperative that you understand what systems and policies are involved in protecting the firm’s data, how they work and the level of risk you and your firm will accept. When it comes to the acceptable level of risk, you should determine your Recovery Time Objectives (RTO) and your Recovery Point Objectives (RPO) and the cost per day of the firm being shut down.These metrics should be identified and included in your overall Disaster Recovery/Business Continuity plan. The development of a DR/BC plan should start with a Business Impact Analysis (BIA) which addresses these needs by practice area, office and for the firm overall. If your firm has not formalized a DR/BC plan for all potential disasters, you should begin that process. However, that is a subject for another time.

RTO is the length of time that a service level within your business must be restored after a disaster or disruption to avoid unacceptable consequences associated with a break in business continuity. For example, most firms feel that they cannot be without email for more than one day. The RTO for email would be 24 hours. Your IT system should, therefore, be designed around being able to meet this RTO. RPO is the maximum period in which data might be lost from an IT service due to a disaster or disruption. For instance, email may be needed within 24 hours, however, you may feel that your time and billing system can be down for one week before it negatively affects the business. These are metrics that you must plan with your management team before deciding on your IT system design. These metrics should be published to the firm to set the expectation with the partners and will be what you will be graded against when a disaster occurs. Your internal IT department or outside service provider should be keenly aware of your specific RTO’s and RPO’s and manage to them. Of course, the level of risk you are willing to accept is always based on the cost to cover that risk. This is where an experienced IT consultant can assist you with developing your DR/BC plan and your IT system to meet those requirements.

To be certain that your IT system is being managed and maintained to meet these requirements, it is best practice to have an IT audit performed periodically to document your compliance level and provide a roadmap for remediation when needed. This cannot be performed by your own IT department or service provider as they are the ones actually being audited. As you know from experience, there are many issues that arise in a normal business month that affect your IT systems. Some are more problematic than others and some are down-right disasters. Fixing problems during a crisis is often done with the goal to fix it ASAP. Some fixes are just temporary or workarounds. After every disruption event, your IT person or vendor should document the changes made in your system and prepare a post-mortem written report for you and your COO that explains what happened, why it happened, lists what needs to be done to permanently fix the problem along with the cost of the fix. Unfortunately, most IT people have difficulty with documentation and these follow-up steps get lost once the crisis is averted and they get back to handling their backlog of work that built up during the crisis. Your COO is responsible for the management of his team and should be managing this process.

Other areas that cause a system to fall out of compliance include:

The time involved to maintain the infrastructure is often put on the back- burner due to your IT department’s workload;
Delaying infrastructure refresh of hardware and updating software;
Cost of maintaining IT; and
Lack of understanding the consequences of not performing regular maintenance and refresh.

Over time, your well-designed system is no longer configured the way it was initially and could eventually result in a slowness in your system causing the productivity of your attorneys and staff to suffer and ultimately a crash/outage. For these reasons, it is best to bring in an independent third-party IT auditor to verify and evaluate your IT systems.

An IT Audit should cover the following areas:

Review of all documented policies and procedures, IT budget and actual IT spend
Review of DR/BC Plan including RTO & RPO
Basic internal & external security scan
Patching process and status (servers, network devices, workstations)
Endpoint security
Network file share security
Backup Redundancy
Offsite backups and failover sites
Sample file level data recovery
Ransomware attacks prevention and response processes
Active Directory accounts review
Password policies (User and IT systems)
Encryption (including server drive level encryption)
Wireless network security
Version status of applications
Security logs archiving
Review age of infrastructure hardware (servers, storage devices, network devices, switches, workstations,etc.) in all locations
Review of physical server rooms, UPS, cooling systems/ventilation, etc.
Interviews with executive leadership, attorneys and staff around feedback of systems and IT support
User services and training

This may seem daunting, but every law firm, regardless of size, must deal with these issues or face the cost of downtime from an event that could probably have been averted with proper planning and regular system maintenance. An IT consultant can help you and your COO navigate these waters by explaining your technology, supporting your IT department as a resource for the more complex issues and solutions and providing on-going strategic advice to you and your management team.

# # #

About Authors

Lee Hovermale
Chief Executive Officer, FlexManage

Lee currently serves as Chief Executive Officer of FlexManage. Prior to his role as CEO, Lee spent 11 years as Executive Vice President for the company’s South Central region. Lee can be reached at lhovermale@flexmanage.com.

Don Champagne, CPA, CGMA
Reginoal Director, FlexManage

Don Champagne is the Regional Director of FlexManage for Louisiana. As Regional Director, Don is the client advocate and advisor for all clients in Louisiana. Don can be reached at dchampagne@flexmanage.com.

About The Author

An Information Technology Audit is the examination and evaluation of the firm’s information technology infrastructure and its policies and procedures to determine whether the IT systems are up and available at all times, are safeguarding the firm’s assets, safeguarding data integrity and operating efficiently to achieve the firm’s established goals and objectives, including the firm’s responsibility to protect its clients’ data. IT auditors examine not only physical security controls but also overall business and financial controls that involve the IT systems to determine the risks to the firm’s information assets and help identify ways to minimize that risk. An IT Audit is not about ordinary accounting controls, traditional financial auditing, or compliance testing.However, the auditor will assess the design and efficiency of controls to determine whether they are suitable to properly mitigate risk.Risk factors include system-related issues, change management and vulnerabilities and other factors related to your technology.In fact, a company’s IT infrastructure brings a unique risk to the firm that would not exist without IT being present. For example, some of these risks include:

Cyber-attacks through website or hosted platforms
Infection by virus or malicious software
Denial of service attacks
Ransom attacks
Phishing emails
Loss or leakage of confidential information

Your reliance on your IT department or outside IT service provider can also be a risk depending on their technical ability and staffing level for the services expected of them. Without periodic evaluation and examination, these risks can become reality and go unchecked for extended periods of time. As the firm’s chief executive officer, you are the person ultimately responsible to ensure that the IT systems and controls are aligned with the firm’s goals and legal requirements and are being managed, maintained, updated and kept current. In many cases, you are relying on your COO, an internal IT professional and/or your outside service provider to manage these risks. However, that reliance does not replace your ownership of this responsibility. It is therefore imperative that you understand what systems and policies are involved in protecting the firm’s data, how they work and the level of risk you and your firm will accept. When it comes to the acceptable level of risk, you should determine your Recovery Time Objectives (RTO) and your Recovery Point Objectives (RPO) and the cost per day of the firm being shut down.These metrics should be identified and included in your overall Disaster Recovery/Business Continuity plan. The development of a DR/BC plan should start with a Business Impact Analysis (BIA) which addresses these needs by practice area, office and for the firm overall. If your firm has not formalized a DR/BC plan for all potential disasters, you should begin that process. However, that is a subject for another time. RTO is the length of time that a service level within your business must be restored after a disaster or disruption to avoid unacceptable consequences associated with a break in business continuity. For example, most firms feel that they cannot be without email for more than one day. The RTO for email would be 24 hours. Your IT system should, therefore, be designed around being able to meet this RTO. RPO is the maximum period in which data might be lost from an IT service due to a disaster or disruption. For instance, email may be needed within 24 hours, however, you may feel that your time and billing system can be down for one week before it negatively affects the business. These are metrics that you must plan with your management team before deciding on your IT system design. These metrics should be published to the firm to set the expectation with the partners and will be what you will be graded against when a disaster occurs. Your internal IT department or outside service provider should be keenly aware of your specific RTO’s and RPO’s and manage to them. Of course, the level of risk you are willing to accept is always based on the cost to cover that risk. This is where an experienced IT consultant can assist you with developing your DR/BC plan and your IT system to meet those requirements. To be certain that your IT system is being managed and maintained to meet these requirements, it is best practice to have an IT audit performed periodically to document your compliance level and provide a roadmap for remediation when needed. This cannot be performed by your own IT department or service provider as they are the ones actually being audited. As you know from experience, there are many issues that arise in a normal business month that affect your IT systems. Some are more problematic than others and some are down-right disasters. Fixing problems during a crisis is often done with the goal to fix it ASAP. Some fixes are just temporary or workarounds. After every disruption event, your IT person or vendor should document the changes made in your system and prepare a post-mortem written report for you and your COO that explains what happened, why it happened, lists what needs to be done to permanently fix the problem along with the cost of the fix. Unfortunately, most IT people have difficulty with documentation and these follow-up steps get lost once the crisis is averted and they get back to handling their backlog of work that built up during the crisis. Your COO is responsible for the management of his team and should be managing this process. Other areas that cause a system to fall out of compliance include:

The time involved to maintain the infrastructure is often put on the back- burner due to your IT department’s workload;
Delaying infrastructure refresh of hardware and updating software;
Cost of maintaining IT; and
Lack of understanding the consequences of not performing regular maintenance and refresh.

Review of all documented policies and procedures, IT budget and actual IT spend
Review of DR/BC Plan including RTO & RPO
Basic internal & external security scan
Patching process and status (servers, network devices, workstations)
Endpoint security
Network file share security
Backup Redundancy
Offsite backups and failover sites
Sample file level data recovery
Ransomware attacks prevention and response processes
Active Directory accounts review
Password policies (User and IT systems)
Encryption (including server drive level encryption)
Wireless network security
Version status of applications
Security logs archiving
Review age of infrastructure hardware (servers, storage devices, network devices, switches, workstations,etc.) in all locations
Review of physical server rooms, UPS, cooling systems/ventilation, etc.
Interviews with executive leadership, attorneys and staff around feedback of systems and IT support
User services and training

# # #

About Authors

Lee Hovermale Chief Executive Officer, FlexManage Lee currently serves as Chief Executive Officer of FlexManage. Prior to his role as CEO, Lee spent 11 years as Executive Vice President for the company's South Central region. Lee can be reached at lhovermale@flexmanage.com. Don Champagne, CPA, CGMA Reginoal Director, FlexManage Don Champagne is the Regional Director of FlexManage for Louisiana. As Regional Director, Don is the client advocate and advisor for all clients in Louisiana. Don can be reached at dchampagne@flexmanage.com.

The Managing Partner’s Guide to IT Audits

About Authors

About The Author

About Authors

Company

Resources

Contact

SIGN UP FOR:

The Managing Partner’s Guide to IT Audits

About Authors

About The Author

About Authors

Company

Resources

Contact

Connect us on: