Under the stress of an IT audit, some CIOs flat out rebel.
Greg Wallig, a senior manager for business advisory services at tax and business consultancy Grant Thornton LLP, recalls a client's CIO who was so intent on keeping his company's data secure "that he wouldn't share any information" with internal or external auditors. Many people tried to convince the CIO to change his mind, but he refused. Ultimately, he was removed.
Utter the word auditor, and many CIOs cringe. After all, IT auditors are professional nitpickers who identify problems and get CIOs to fix them. No matter that an auditor doesn't always understand how critical a given technology is to the business. No matter that a CIO is supposed to keep his company's enterprise resource planning system up and running, not take the system offline during business hours to review it for compliance with a lengthy checklist of controls.
Yet in the name of the
Further, most midmarket companies don't have the resources or the need to form internal audit departments. So they rent services from consultants, only adding to the sense that IT auditors are outsiders who don't really understand IT.
But, slowly, things are changing. After a few years of working closely with IT auditors to achieve SOX compliance, some CIOs have discovered an upside to the relationship: With proper care and feeding, auditors can actually be an asset.
"If you think of it as continuous improvements, . . . [auditors] are really there to give you ways that you can improve," says Mary Lynne Perushek, CIO and vice president of Donaldson Co. Inc., a $1.7-billion manufacturer of filtration systems in Minneapolis. "They may find things you don't know, [and] that can be a shock. They're there to be of service to you."
This was first published in July 2007.