The term information systems is usually taken to mean the hardware, software, and processes that provide data and services, but an information system also includes the personnel who implement and maintain it. The organization should therefore have documented policies and procedures for hiring, termination, promotion, and retention. The existence of, and adherence to, these policies reduces overall risk for the organization and improves the quality of the staff. An organization that effectively communicates and enforces its procedures ensures that staff are as effective and efficient as possible, which in turn improves the effectiveness and efficiency of its information systems. In addition to internal policies and procedures, the organization must develop policies that ensure compliance with external laws and regulations. Internal policies typically cover the following areas.
Hiring. To protect itself, the organization should implement controls (hiring practices) to ensure that prospective employees have the skill sets and background necessary to perform the duties outlined in the job description. Such controls might include education verification, references for past job performance, and local and federal criminal background checks. Upon hiring, the organization might require confidentiality agreements or noncompete agreements, or bond employees (fidelity insurance) to protect against losses due to theft, neglect, or error.

Promotion, training, and communication. As part of their introduction into the organization, new employees should be made aware of promotion policies, training, required time reporting, and vacation procedures. In addition, the organization should schedule regular, formal communication of company policies and procedures. This communication might take the form of required presentations, periodic review of all policies by employees, or formal training.

Vacation. Written policies on vacation and termination are important in reducing business risk. Requiring employees to take regular vacations allows others to take over their duties in their absence and reduces the opportunity for any one person to commit improper or illegal acts. Because someone else performs the job during the absence, it also makes fraudulent activity more likely to be discovered, assuming there is no collusion between employees.

Termination. A termination policy ensures that the assets of the organization are protected when an employee leaves. All keys and access badges must be returned, and the employee's accounts and credentials must be suspended or removed. Termination policies should include procedures for both voluntary and involuntary terminations.
Involuntary or immediate terminations are an emotional time for management as well as for the employee, and delineating specific procedures ensures that the employee is properly escorted from the premises, that the employee returns all material owned by the organization, and that staff and security personnel are notified of the employee's status. Employees who know specifically what is required of them tend to be more satisfied and therefore perform better than employees who are unaware of the organization's policies and procedures. As an IS auditor, you must look for the existence of personnel policies, the frequency with which they are communicated, and a formal process for changing them. By observing and questioning employees as they work within their functional areas, you can determine whether the policies are actually communicated and followed.