This would keep you up at night:
You’re the CIO of a credit union, and on Friday night you get an e-mail from a customer suggesting that you check your company’s electronic banking site. You open a browser and discover, plastered across the homepage in gigantic crimson letters, a very famous four-letter word. You’ve been hacked! You quickly phone your website outsourcer, only to discover that everyone has left for a long weekend. Meanwhile, your browser is emitting more “You’ve Got Mail” chirps, letting you know that your new corporate message is not going unnoticed.
Sound bad? It gets worse. During the inevitable meeting with top management to explain how this happened, you discover that your external auditors (the bean counters you’ve ignored for the past six months) have just reminded the board of directors that this never would have happened if you had listened to their advice about systems security. So now this act of website vandalism makes it appear to your CEO that the accountants can do your job better than you.
Fortunately, the CIO who suffered through that scenario did hang on to his job. (Find out how later in the article.) But the lesson is clear: In the wake of business scandals and ongoing pressure to contain corporate costs, the accountants are coming, and they’re gunning for the IT group. Both internal auditors and outside certified public accountants are focusing on IT processes like IT security, not just the results of individual IT projects. In some cases, they are bringing technical experts with them.
Adding to a sense of urgency, regulators are getting involved on both sides of the CIO-auditor relationship. The audited results of some corporations are finding their way to CIOs’ desks: Some companies are asking their CIOs to sign off on their financial statements to comply with the Sarbanes-Oxley Act, which seeks to ensure the accuracy of financial statements. And under the same law, the Securities and Exchange Commission in January mandated that accounting firms must retain for seven years records (including electronic records) relevant to audits they perform.
For a CIO, it all adds up: Prepare to answer more questions, in more detail, than ever before.
But while this increased scrutiny takes up important staff time and represents a challenge to the CIO, it’s also an opportunity. CIOs can use auditors’ analyses to improve their processes, to assess and manage risks, and identify problem areas. Here are nine strategies for surviving the auditing process with the auditors working with you, not against you.
Survival Strategy 1. Know that the world has changed. No one believes IT is a superhero.
In the past, both the external auditors (the CPAs who check a company’s books) and internal auditors (who work with management to ensure compliance with accounting standards) tended to view IT with awed respect. But that’s no longer true, says Jeffrey Ward, a partner at Clifton Gunderson, a CPA and consulting company. (Ward’s auditing practice pointed out the security glitch in the website defacement scenario.)
“We’ve lost the blind faith that technology experts know what they’re doing,” Ward says. At the same time, the pervasiveness of computing has made the CIO a key person in nearly every auditing situation. “CIOs are being held much more accountable for what’s going on at an increasing number of levels in the typical corporation because IT support is integral to almost all financial and nonfinancial activities,” he adds.
The sudden auditor skepticism about the godlike status of IT is a direct result of the dotcom crash and the corporate accounting scandals of the past two years, according to Jack Cooper, who until a year ago was CIO at pharmaceutical maker Bristol Myers Squibb. Cooper, who now heads supply chain consultancy JM Cooper and Associates, serves on the audit committee (a subset of the board of directors) for two publicly held companies. He says that Sarbanes-Oxley “gives audit committees an enormous responsibility to ensure that companies are correctly managing risks and fully disclosing all relevant information.” Cooper notes that one of those risks involves the day-to-day performance of the IT function. “The auditors are going to make certain that CIOs are doing everything possible to prevent an unforeseen disaster,” he says.
Survival Strategy 2. Make auditors part of the management team. Consider them friends.
CIOs should never treat the auditors as adversaries, warns Steve Raish, CIO at retailer J.C. Penney. “I believe that it’s important for IT managers to take a proactive approach to working with auditors, getting them appropriately involved even in the design stage of new systems,” he says. J.C. Penney, for example, has had a policy for many years that internal auditors must be involved in every phase of a project’s development. Under Raish’s leadership they are frequently called in as consultants on key issues such as security and reliability.
This proactive approach greatly lessens the likelihood of audit difficulties, according to Ken Askelson, an IT audit manager at J.C. Penney who heads the group responsible for monitoring the activities of the retailer’s IT teams. “I can’t count how many times IT professionals in this firm have called me in to meetings to discuss the implications of a new system or procedure,” he says. This policy of early participation has allowed Askelson to contribute his perspective, for example, to the policies, procedures and internal controls required for applications that process accounting records. “Our participation helped ensure data validity and integrity,” he says.
Survival Strategy 3. Communicate. Provide auditors with a full understanding of the IT department and its responsibilities.
Cooperating with auditors means communicating, and communicating a lot. “The most important things that a CIO can do in working with internal and external auditors is be involved, to be supportive, and to be open and honest in all situations,” says Lisa Harris, senior vice president and CIO at Gevity HR, a human resources outsourcing company. “An independent view of a system, a process or a control can only help CIOs more effectively support their companies.”
Cooperation is a must if a CIO wants to avoid unpleasant surprises during an audit, says David Goltz, who recently served as acting CIO and CFO at Destiny Health, a health-care insurance carrier. “I have been involved at Destiny in more than one instance where a bug in a program was fixed so that it worked going forward, but the old data was inaccurate,” says Goltz, who is now president and COO at a health-care startup. “The easy fix was to alter the historic data because reprocessing would have been a huge burden.”
Unfortunately, the programming staff neglected to inform the accounting staff (and through them the auditors) that changes had been made to the database. “When the auditors went into the system to test and verify the hard copy reports that the numbers on the books were based on, they couldn’t get it to tie out,” says Goltz. “And when they discovered that the data had been altered, the entire process became suspect, which resulted in multiple hours of work pulling original documentation to see that, in fact, the ultimate numbers were accurate.”
Survival Strategy 4. Seek auditors’ help in evaluating business risks.
The Sept. 11 terrorist attacks had a major impact on auditors’ agendas, says Cooper. “Audit committees now have a broad mandate to ensure that the integrity of the company is maintained. A war between India and Pakistan could have a severe impact on some companies’ ability to compete,” he says. “Audit committees are now responsible for ensuring that the CIO is taking steps, such as moving key IT functions back to the United States, in order to offset those risks.”
Today’s world demands extensive disaster recovery planning, according to Bob Wischnowsky, who as CTO at FleetBoston Financial has responsibility for the company’s entire computing infrastructure. “Auditors want to be certain that a company’s infrastructure can survive even an attack that might cripple an entire metropolitan area,” he says. “They won’t be satisfied with some outdated plans that were made back in the pre-Y2K days.” Don Cyr, a deputy auditor at FleetBoston Financial, says his auditing colleagues and their compatriots in FleetBoston’s IT groups have strengthened their partnership on internal audits since 9/11.
Survival Strategy 5. Let the auditors in. Give them access to strategic plans, documentation, security logs and test results.
It’s not unusual for IT groups to lack the information that auditors need to evaluate them, Ward says. He’s encountered companies whose tools were outdated and that couldn’t provide even basic security data. Another time he requested wiring schematics of the data center. “They hemmed and hawed and three days later came up with some handwritten diagrams, which were wrong,” he says.
CIOs are sometimes guilty of not taking issues such as security seriously enough, according to David Foote, president of Foote Partners, an IT management research company. “When the security function reports through the IT infrastructure, the CIO often doesn’t want to be seen as the ‘enforcer,’ and thus there’s a tendency to say, ‘We’ll worry about security later,’” Foote says.
Instead, CIOs need to use the auditors to help create greater awareness of security issues, says Vince Laino, who serves as both CIO and CFO at environmental consultancy Weston Solutions. Laino believes that CIOs shouldn’t be afraid to use the authority of the auditors to force security issues and cites a case at his own company where auditors demanded that all terminals lock up if left unattended for 15 minutes or more. “The end users hated it,” he says. “But once I explained that failure to comply might result in a failed audit and consequent loss of our government contracts, everyone fell into line.”
In other words, if you need to play the good cop, let the auditors play the bad cop.
Survival Strategy 6. Alert auditors to new IT implementations. Get projects on the books accurately.
Keeping the auditors in the loop for new development projects helps ensure smooth audits because auditors can provide advice on security and reliability early in the game, making it easier to include appropriate controls and procedures. However, there’s another reason to get the auditors involved up front: proper accounting for IT projects.
According to accounting standards, short-term projects such as system maintenance are supposed to be expensed in full during the current year (like a utility bill) while projects with long-term impact are supposed to amortize over several years as a capital expenditure (like constructing a new office). “The difference can have an enormous effect on the reported profit of a company,” explains Goltz, the former Destiny Health CIO. However, because the boundary between those two types of IT work is often unclear, CIOs have been known to be pressured into accounting for a short-term project as if it were a long-term expense. If recorded improperly, the company’s accounting records don’t accurately reflect its financial health. Keeping auditors apprised on major projects helps ensure that all IT work is recorded appropriately.
It also keeps you out of trouble.
Survival Strategy 7. Get auditors to help you understand when to cache it and when to trash it.
As previously mentioned, the SEC has set up records-retention policies for CPA firms performing audits. Auditors are also excellent resources for CIOs who need to build policies for handling information within their companies. For example, most companies have a policy where they keep backup data for a certain amount of time. Goltz once dealt with a situation in which people who were leaving his company erased data that was needed to complete a transaction. However, the loss wasn’t discovered until two weeks after their departure and the backup was only kept for a single week. “The data was gone, and we had to start over,” he says. In hindsight, he believes that collaborating with auditors might have resulted in policies to provide some protection from such losses.
Wischnowsky, CTO of FleetBoston Financial, says that getting the auditors involved in information policies helps IT groups include those policies as part of the application development process, rather than having to return to a system later to insert rules about what to keep and what to delete. He points out that the latter situation almost always involves unexpected cost overruns. “CIOs need to take auditors seriously when they say that they’re only here to help,” he adds.
Survival Strategy 8. Make the auditing process part of the IT routine.
As Wischnowsky notes, the ultimate responsibility for ensuring that IT groups pass audits lies with the CIO and IT managers. “Good [accounting] controls and practices must be built into the day-to-day activities of the IT department,” he says. FleetBoston Financial has implemented a self-testing process where managers and teams are responsible for certifying that those controls are in place. Needless to say, such work should be done in coordination with the auditors.
Such ongoing attention to audit-related issues need not be overly burdensome. Laino of Weston Solutions cites a policy that he implemented at his company to test backup and recovery procedures of existing business applications using newly purchased servers before they are deployed in production. “This simulates what would happen if we had to reconstruct the data center from scratch and makes certain that the backup data is usable in a real-life situation,” he says.
And isn’t that why they made you CIO in the first place?
Survival Strategy 9. Respond quickly to correct audit findings.
It’s inevitable that even the best IT groups will get “dinged” in an audit. That’s why it’s important for the CIO to remain highly visible to both the audit committee and the top management of the company. “A CIO should always feel comfortable going directly to the CEO or the CFO concerning anything that might be covered in an audit,” says consultant Douglas Hubbard, president of Hubbard Decision Research. The proactive approach that both CIO practitioners and auditing experts cite works to a CIO’s benefit here; it’s better to face problems head on knowing what auditors have seen and what they are examining, and maybe even having led them to some examination targets.
Which leads us back to the credit union CIO whose website was defaced. According to Ward, whose company audited the institution, the CIO avoided being fired because he took the precaution of reviewing security risks with the rest of top management, which decided not to spend the extra money to mitigate the risk. Sharing the information and the decision making also meant sharing the blame. So while the CIO in question didn’t exactly come out smelling like the proverbial rose, he did avoid becoming the brunt of a big stink. An ounce of politics is always worth a pound of apologies.