Jun 30, 2006

IT audit boom

Effective IT audit controls can boost corporate profitability while improving enterprise-wide compliance and governance.

There’s a delicious irony when two SEC chairmen insist that the commission work under the same regulatory demands as public companies. This would not just be a Sarbanes-Oxley sympathy run, but involve a new type of internal audit.

If the SEC were to operate under the same auditing environment as the companies it oversees, it would need to be audited by a private firm. What’s more, such audits are likely to be more in-depth than what is taking place by the Government Accountability Office (GAO) – which is currently tasked with auditing government and other public organizations – and would involve non-financial measures such as IT audits.

Having two separate entities conduct audits can present unique problems, mostly related to inefficiencies. If, for example, one audit flags a problem, the company will start working on a remedy. Before the problem is rectified, another audit could be conducted and flag the same item, which might bring problems that are in the process of being fixed back to the top of the pile, turning old business into new emergencies.

‘I found that the auditors were working from frames of reference that were not well communicated to the IT staff at the SEC,’ says Chrisan Herrod, who until recently was the commission’s chief security officer and responsible for IT compliance. She now serves as an executive consultant for compliance at Scalable Software. ‘I learned that you have to be aggressive in understanding what [auditors are] looking for,’ she adds.

Sure, corporations could welcome the SEC to the audit headache club, but more important is the basic lesson that audits demand expertise. However, companies have lost much of their ability to adequately deal with audits over the last decade or so by changing their underlying information architectures and mix of staff. Now firms are vying for rare experience and searching for new ways to leverage it if they want their IT departments to properly respond to audits.

Although Sarbanes-Oxley is the obvious example of the difficulties caused by regulations, the audit problem has become far broader for many companies. Health insurance requires HIPAA compliance, for example, and handling pension plans means Gramm-Leach-Bliley. The combinations can be overwhelming.

Ask Pitney Bowes CIO Greg Buoncontri how bad it gets and he explains how his department undergoes several audits a month between pure IT audits and those involving finance and controls. ‘It’s a big systems complex – people in three large areas, four if we count our outsourcing partners – and the auditors have a regular cycle of hitting each of the systems,’ he notes.

Separation causes problems

Most companies are short-handed in key areas, making things worse. At one time, people trained to test the accuracy and integrity of how information systems run business processes, such as IT auditors and systems analysts, were more regularly found in corporations. But then came the 1980s and ’90s, and companies decided they had to move fast and not worry so much about dotting i’s and crossing t’s.

‘Internal controls became a specialty that got separated from the core auditing business,’ recalls Lee Dittmar, leader of the enterprise governance consulting practice and co-leader of Sarbanes-Oxley services for Deloitte. ‘Instead of having a comprehensive review of controls, as used to happen, it was viewed as more expensive and you could do more testing during the audit [instead].’

Companies cut back on headcount in those areas and trusted that automation would provide a flying buttress for information architecture. ‘IT departments became order takers’ instead of controlling an enterprise approach to information infrastructure, says Dittmar.

Traditional analysts might have been able to help bridge the understanding gap, but IT purchasing slowed down. ‘They are the first to get hit, the systems analysts, because there aren’t new systems to analyze,’ says Barry Goldfeder, chief information and compliance officer at satellite manufacturer Loral Communications. Money was going into enterprise resource planning (ERP) consultants and implementation help, not new systems – and no new analyses means fewer analysts are needed.

There was still a belief, however, that the systems that had been purchased were holding the line. Then budget concerns and attempts to run lean and mean thwarted that great mechanical hope. Such packages as ERP systems and human resource management and supply-chain management applications often had built-in control automation. To benefit from these packages, however, a company had to implement them fully, and that happened very rarely. The safety net was never erected, and the results were at times disastrous.

Last year, Deloitte conducted a study that asked more than 300 companies about the quality of their information. ‘The research came back overwhelmingly saying, We’re not good at this,’ Dittmar says. Someone has to fix the infrastructure and underlying way companies handle data – and as Herrod’s experience suggests, without knowledge of the auditor’s world, IT departments are creating their own personal circle of hell.

Training is only half the picture

An immediate reaction might be to train existing IT personnel to learn audit insights, but experts say it rarely works. ‘The mind-set of a person who wants to be an auditor is not an IT guy,’ says Mark Van Holsbeck, Avery Dennison’s director of enterprise security who is also responsible for IT compliance. ‘IT guys are good at getting something done, but [when] doing something repetitive, they get bored. Being an auditor is repetitive. They don’t jell.’

Furthermore, even for the rare individual with whom the two worlds do meet, looking for double-duty is self-defeating. The person will have time to do one or the other, and anyone with significant IT auditing skills has no need to feel overworked and under-appreciated. ‘They’re now making $285,000 a year and you can’t find them,’ Buoncontri says half-jokingly. ‘That’s a bit far-fetched, but I don’t think it would be too difficult to find that you were in the $150,000 to $200,000 range.’

That’s when a company can find them, assuming it has the budget. ‘We’re in an up market now, and it’s going to become harder and harder to find those kinds of skills,’ says Michael Hughes, vice president of the Revere Group, a Chicago-based consultancy recently acquired by NTT Japan. Sure, there are public accounting firms and some specialty consultancies that can provide IT audit help. But for a larger company undergoing a significant amount of IT audit work, the costs could be astronomical.

There’s always recruiting at colleges to get additional help, but that approach has its own list of problems, according to Jim Hall, co-leader of Lehigh University’s computer science and business dual program. ‘There has been tremendous decline in registration and enrollment in IT programs,’ he says. ‘From what I’ve seen, computer science majors are not taught anything about business. And it’s hard to talk in terms of control if you don’t understand what it is you’re controlling.’

So companies are looking for ways to mitigate the shortages while getting their IT departments out of a defensive audit posture and on to profitable work. Loral actually hasn’t expanded headcount, except for adding some experts to handle new ERP and MRP systems. But then, the satellite manufacturer didn’t have huge difficulties with Sarbanes-Oxley. Being a military contractor and an ISO 9000 shop started it with a good degree of discipline in documenting policies and procedures – and a central repository to store it all. ‘It was easy enough for us to build on areas where we felt we could improve our processes,’ Goldfeder says.

Sox driving popularity of certifications

When he recruits, Goldfeder does consider Sox. ‘We’re asking people if they have any Sarbanes-Oxley experience,’ he says. ‘It’s not a showstopper, because we train them if they’re going to be a process owner. It’s hard to find because it’s so new.’ When it comes to IT auditors and security specialists, Loral and many other firms look for certifications such as CISSP (certified information systems security professional) and CISA (certified information system auditor).

Not only do these certifications indicate that the person will have relevant experience, but they also add something else. It’s a way of saying, ‘We have folks that met the rigorous standards surrounding that certification,’ according to Gerald Gagne, vice president at Boston-based CPA firm Wolf & Company. ‘They would be considered experts in that field.’ And hiring them could be seen as a good-faith effort to comply with regulatory requirements – a potentially important part of a legal defense should a company find itself in a courtroom. But getting the certifications requires significant professional experience, bringing things back to a lack of available people.

A growing number of companies, recognizing the inherent problems of trying to get the people they need in a tight hiring market and with limited budgets, are looking for new ways to manage the audit process. One approach is to integrate monitoring and auditing into daily business processes and not leave them as a quarterly or even monthly activity, according to John Van Decker, senior vice president of the Robert Frances Group, an IT research and advisory firm.

‘That’s probably a more effective way than just replacing an Excel-based process with a $300,000 application,’ he says. ‘If you took some of those funds and changed workflow or business intelligence, you’d be doing more for your company. Maybe you can reduce your staff by three people because they don’t need to sit and merge spreadsheets or send e-mails. Companies should be doing this anyway – continually testing the status of their business applications in light of changes in the vendor landscape and technology.’

Merging compliance with IT

IT and audit departments can also find better ways to allocate scarce personnel. Pitney Bowes started by adding one senior person – a former IT auditor – who reported directly to Buoncontri. She doesn’t have a staff but rather works directly with other project leaders. The audit department has brought on a few additional auditors, and the IT department has moved to a more formal, disciplined approach to developing and maintaining software.
 
As a result, the company went from testing 1,300 control points in its first year of compliance work to needing to check only 400 the second. The significant savings in time and resources came from plugging gaps and adding an organizational understanding of what auditors wanted.

Computer Associates, which has seen its share of SEC investigations and governance problems, is working under the dual pressure of regulation and a deferred prosecution agreement. ‘It’s critical that we have a very good team in place so we can assess our control environment and be compliant,’ says CIO Kevin Kern. So he hired someone he knew from two previous positions – James Mullen, a former CIO and IT auditor as well as an expert in Six Sigma quality management.

Kern moved IT to centralized governance and compliance and had Mullen work with CA offices around the world to ensure that everything was being done the same way. Furthermore, Kern uses a balanced scorecard for managing his 600-person department so each employee ‘is aware of the compliance activities and their role in maintaining compliance all the way down.’ As a result, the company has cut $5 million in annual compliance expenses, and because compliance is mandatory, that all falls to the bottom line.

IT controls impact company-wide compliance

One principle being used by a number of companies is to hire someone with significant experience in audit and compliance who then works with others to drive the necessary principles down to business processes. That means regular IT personnel not suited for auditing don’t have to do it – they just need to implement the principles passed down by high-level experts. It also means that IT compliance stretches far beyond the IT department, because automated controls are, after all, for the entire company.

In fact, the solution to some IT problems might even be in other departments. As Buoncontri notes, many IT departments face resource constraints that are compounded when ‘customers tend to abdicate a lot of security and control issues to IT.’ For example, when someone is promoted, the affected department often expects someone technical to decide which person should have access. Yet that’s a business decision; technology should only be the enforcer.

Once IT is working with the other departments, controls discipline moves to how people approach their jobs and becomes instilled in processes, which makes the automation and auditing of the controls that much easier. Then the company can take the data it’s developing through compliance and do something positive. ‘A leadership team across the business can interpret the data and see what they can do to take advantage,’ Hughes says.

So companies looking to take on new senior IT auditors or update their internal IT controls should consult their governance and compliance professionals because effective IT audits will have a huge impact on these areas, and the cost of getting it wrong will be borne by the entire company.

Erik Sherman

Erik Sherman regularly covers business and technology for national and international magazines and is also a book author and playwright.