Under the stress of an IT audit, some CIOs flat out rebel.
Greg Wallig, a senior manager for business advisory services at tax and business consultancy Grant Thornton LLP, recalls a client's CIO who was so intent on keeping his company's data secure "that he wouldn't share any information" with internal or external auditors. Many people tried to convince the CIO to change his mind, but he refused. Ultimately, he was removed.
Utter the word auditor, and many CIOs cringe. After all, IT auditors are professional nitpickers who identify problems and get CIOs to fix them. No matter that an auditor doesn't always understand how critical a given technology is to the business. No matter that a CIO is supposed to keep his company's enterprise resource planning system up and running, not take the system offline during business hours to review it for compliance with a lengthy checklist of controls.
Yet in the name of the Sarbanes-Oxley Act (SOX) and in the quest for better IT governance, CIOs are supposed to submit to their IT auditors. That relationship can be even more strained at midmarket companies, where management is often making the transition from the informality of a small company to the formal business processes that come with size.
Further, most midmarket companies don't have the resources or the need to form internal audit departments. So they rent services from consultants, only adding to the sense that IT auditors are outsiders who don't really understand IT.
But, slowly, things are changing. After a few years of working closely with IT auditors to achieve SOX compliance, some CIOs have discovered an upside to the relationship: With proper care and feeding, auditors can actually be an asset.
"If you think of it as continuous improvements, . . . [auditors] are really there to give you ways that you can improve," says Mary Lynne Perushek, CIO and vice president of Donaldson Co. Inc., a $1.7-billion manufacturer of filtration systems in Minneapolis. "They may find things you don't know, [and] that can be a shock. They're there to be of service to you."
Certainly, auditors can find shocking shortcomings. Ross Wescott, now chief auditor for the Oregon utility Portland General Electric Co., has discovered a few unsavory surprises for CIOs, including a massive security hole when he was at another company. In that case, the IT department "didn't bother turning on the security at the core level," says Wescott, who helps develop the auditor certification test at the Information Systems Audit and Control Association. "They were rolling this out to core applications. The apps people thought the core people were setting security, so they didn't do it. There was no security anywhere." Fortunately, Wescott discovered the problem before anyone took advantage.
More typically, auditors find small problems that can lead to big ones later, such as a deficient signoff process that allows projects to go forward without the proper approvals or a software flaw that makes generation of timely reports difficult. To get the most from auditors, CIOs need to understand that auditors are trying to help. But most CIOs still don't get this. "I would say a good 60% to 70% don't understand the purpose of the compliance program" or how a lack of controls "can lead to errors in financial statements," says Kris Ruckman, a Grant Thornton auditor.
Once a CIO sees auditing as a process of continual improvement, he can better manage his relationship with an auditor. (Some CIOs are in charge of their auditors, but typically auditors maintain independence and report to a board of directors' committee, CSO, or chief compliance officer.)
A good CIO-auditor relationship starts with using standards that make sense for the business. In the days before SOX, many auditors pushed proprietary standards. But now most have gravitated toward industry-wide frameworks, such as Control Objectives for Information and related Technology (CobiT), the IT Infrastructure Library and ISO.
CIOs should find out which standards their auditors use; if another framework is more appropriate, they should make an argument for switching. Wescott says it doesn't matter to auditors which standard a CIO picks as long as there is an agreed-upon standard against which to measure performance.
Sometimes CIOs can help pick consultants to perform an internal IT audit. Internal IT auditors may be consultants or employees, but their job is the same: to prepare IT for an external audit. In 2004, John Lambeth, a certified auditor and VP of IT and security at Blackboard Inc., a $183-million e-learning company in Washington, D.C., began looking for an internal auditor after his company became subject to SOX.
Lambeth consulted with Blackboard's external auditors, Ernst & Young LLP. "It's important to vet your choice with your external auditor," he says, since an internal auditor helps meet the external auditor's standards. If external auditors have had a positive experience working with internal auditors, "they're going to feel more confident in the work of that third party," Lambeth says.
In the Loop
Ultimately, Lambeth chose Jefferson Wells International Inc., an auditing firm based in Milwaukee. Now he makes a point of maintaining a three-way dialogue between himself, internal auditor Jefferson Wells and Ernst & Young, thus minimizing the risk of surprises during the external audit.
When Blackboard needed a system to detect unauthorized changes to its infrastructure, for instance, Lambeth's team worked with Jefferson Wells to develop a tripwire that would pass internal audit standards. But before proceeding, "We took that to E&Y and said, 'We're going to do this the following way. Does this pass your muster?'" Lambeth says. By maintaining a continuous dialogue with both sets of auditors, Lambeth got faster feedback on how to proceed. If he hadn't consulted with them frequently, it would have taken much longer to bring them up to speed on certain issues.
Neville Teagarden, CIO and SVP at ProLogis, a $2.5 billion, Denver-based real estate investment trust, has also seen the benefits of working closely with auditors. "You want to engage your internal auditors at a steady pace throughout the year," he says. "If you're just trying to compile things for year-end, you're missing the opportunity during the course of the year to improve processes."
Auditors like continual engagement too. A familiar relationship makes it easier to deliver unwelcome news. "If I'm going to hear bad news, I'd rather hear it from someone that I know and trust than from somebody that I don't know," says Wescott, who adds that a closer professional relationship turns auditors and CIOs into colleagues. "That way you keep the right to say that the emperor wears no clothes," he says.
Ideally, the CIO-auditor relationship starts during the interview process. Who better than the CIO to tell a potential auditor how well IT is run and to describe its role within the rest of the business? New CIOs should sit down with their internal auditors within a month of arriving at a company, Lambeth says.
It's also a good idea to meet with external auditors. As a new CIO, says Lambeth, "I would say, 'One of my goals is to ensure that you as the external auditor are comfortable with the way in which IT is executed, and I want to set up an ongoing set of dialogues to make sure you are comfortable with [the way] we are developing applications,'" Lambeth says. To this end, Lambeth believes CIOs should promise external auditors continuous online access to the IT department's controls and documentation.
If a CIO maintains an ongoing dialogue with auditors, he is more likely to consult the auditor at the outset of major projects, which can lead to a smoother audit once the project is completed. According to Ruckman, only about half of CIOs "are proactive enough to sit down and do that up-front discussion." These CIOs are "doing it of their own volition, not after external auditors have written them up."
John Kichak, VP and CIO of UNC Health Care, a nonprofit health care system owned by the state of North Carolina, is part of this better half. One current project, for example, is upgrading the hospital group's Web site to give patients access to their medical records online. He expects to roll out the system this fall.
Kichak consulted his IT auditors from the start, thus ensuring that the technology would comply with all relevant regulations, including SOX and the Health Insurance Portability and Accountability Act, which requires health care providers to meet standards for the privacy and security of patient data. Kichak has 150 employees in the IT department and five auditors who work for the chief compliance officer to review their work.
"We sat down with them ahead of time. That's the best way to go," Kichak says. In these meetings, auditors gave him checklists of requirements. Kichak also provided lists of his concerns about functionality, cost and other issues. From there, "the two marry up and that's what we work on," he says.
Still, both sides have different goals, so things don't always go smoothly. "You could end up with the audit folks saying, 'I prefer that something be designed for easy reporting,' and IT would say, 'I prefer to do it this way so I can deliver a two-second response time,'" Kichak says.
To ensure that competing goals don't devolve into bickering, Kichak works with the hospital's chief compliance officer to clearly define each group's responsibilities. Kichak consults with the chief compliance officer once a week during a formal meeting of C-level executives and meets with him informally even more often. When disagreements percolate to Kichak and the chief compliance officer, Kichak says, "One of us will make a ruling, [and] typically it's me."
Sometimes auditors' checklists are out of step with the realities of the technology that's available in the marketplace. Kichak's auditors, for instance, require passwords to be eight characters long and to include both upper- and lowercase letters. But sometimes the best software for the job only accepts passwords of six characters.
If Kichak worked for a corporate power like Wal-Mart, he could force vendors to comply with his standards. But midmarket companies don't have that kind of clout, so Kichak must make exceptions. "What are you going to do?" he says. "Send a million-dollar product back? For 99% of us, that isn't going to happen." To give IT auditors a better understanding of the health care systems they review, Kichak puts auditors through "the same training that I would give an end user who would have to use the system every day."
Nevertheless, auditing can be disruptive, especially when auditors aren't sensitive to the fact that it's costly to take systems offline. Kichak limits disruptions by using software tools that clone the systems to be audited. These tools take a snapshot of a database or part of a database. Then Kichak's team puts that database on a different server where auditors can examine it and IT "can continue to run production and day-to-day service" without disruption, he says.
For systems running on Unix or mainframes, Kichak simply negotiates with auditors on downtime. "I try to get them to do audits in the off-hours," he says. "There's a bit of contention over that. They want to do it from 8 a.m. to 5 p.m.," while the rest of the hospital "wants us to provide good service" during the same hours. The solution: "[Auditors] have learned to compartmentalize their work around some of the things we have to deliver," Kichak says.
Until a few years ago, most IT auditing standards addressed only specific issues, such as how to gather, distribute and store data. An audit focused on "details first, like how a control is working," says John Carrow, VP and CIO for Unisys Corp., an IT consultancy based in Blue Bell, Pa. It overlooked big issues, like how a company makes decisions about whether to invest in certain IT projects.
As the CobiT standard has evolved, these issues have become auditable. Carrow sees this as a welcome change, because strategic issues are "part of the overall maturity process" of an audit. In general, midmarket companies that hire consultants for IT audits are unlikely to ask auditors to examine issues that aren't on the checklist for the standards they've chosen. But midmarket companies that have their own IT audit departments can use them in innovative ways.
Wescott, for instance, says he once helped a CIO who had a personnel problem: His help desk staffers weren't getting along with their manager. Rather than alarm everyone by bringing in human relations at the outset, the CIO asked Wescott to investigate team dynamics under the guise of conducting a help desk audit.
Wescott isn't sure whether help desk workers believed that the audit was real. At any rate, he conducted extensive interviews with staff and the manager. "The relationships were so broken that the staff was happy to talk," he says. "I didn't even have to ask questions. They just blurted it out. Their anxiety flowed out of them." Wescott took the information back to the CIO, who passed the issue on to HR. The manager was ultimately reassigned. That is an example, Wescott says, of how the CIO can use an auditor as a "secret buddy."
Joan Indiana Rigdon was a contributing writer for CIO Decisions. To comment on this story, email email@example.com.