THE CHALLENGE: Traditionally, internal auditors have been feared by IT organizations. But, rather than view auditors as foes, technology executives must learn to embrace auditors' expertise. After all, auditors' advice can help IT departments deliver better results.
Mention the words "internal auditor" in most organizations and you're likely to make those around you uncomfortable. The cringing is a throwback to the days when auditors arrived on companies' doorsteps and poked their noses in everyone's business. Their stone-faced gazes created a quiet but disconcerting presence. Factor in their pointed questions and it was enough to make even the most composed CIO nervous.
Today, however, the relationship between internal auditor and technology executive has changed. Smart IT managers no longer view the internal auditor as a foe; rather, IT execs see the internal auditor as a friend and someone who can help the IT department achieve its overall objectives.
In the early days of the brokerage business, says Josh Levine, chief technology officer at E*TRADE FINANCIAL, the relationship between internal auditors and line managers was often "adversarial." Internal auditors, he notes, were viewed not only as independent, but as "very rigid" and inflexible. "The IT folks would spend hours refuting things the auditors would find," Levine says.
But those days are long gone, continues Levine, who has spent 20-plus years in the business. Now, he says, the opposite is true. "It's a friendly relationship - auditors are part of the business, a full partner looking out for you," he relates. "It's anything but adversarial - over the years, internal audit has become a key part of IT and IT delivery."
Levine's not alone in his assessment. Tim Buckley, CIO at Valley Forge, Pa.-based Vanguard, says it's all about building a better operation, and internal audit is part of the process. "It's nice to have that objective and forthright pair of eyes tell you how you're doing," he suggests.
That set of eyes helps move projects along, according to Kevin Shearan, director of technology delivery and an executive vice president at Mellon Financial in Pittsburgh. "It's rare where it's solely the audit perspective that gets a project off the ground," he says, but an internal auditor's view can influence how a project evolves.
Shearan notes that Mellon has focused on implementing the Capability Maturity Model for software development, a five-step process for measuring and improving an organization's software development efforts that was created by Carnegie Mellon University's Software Engineering Institute (SEI). He says the process results in more disciplined structures and involves a rigorous certification process. Internal auditors "are very supportive of that because it's something that matches their goals," Shearan asserts.
Shearan, who spent five years conducting IT audits, says that if the auditors raise a red flag, then the IT managers work with them to determine if the risk that has been identified is real and what corrective steps need to be taken, if any. "It's a very healthy, strong relationship," he says.
A Line of Defense
Another area that's benefited from internal auditor input, Shearan says, is security and controls. He notes that Mellon spends $5 million a year on patching security flaws in software, and having the internal auditors' input on improving controls and security is essential for a financial services firm.
That also applies to what Shearan calls Mellon's "trusted network," an extension of its proprietary network that reaches around the globe to Mellon's vendors. "We use global resources and offshore resources as part of our resources pool," he notes. Building it involved a lot of work by auditors in assessing controls and security issues to make the network as safe and efficient as the head office's network, according to Shearan.
E*TRADE's Levine says that internal auditors also have shown their worth in dealing with the Sarbanes-Oxley Act, which requires publicly traded companies to establish internal controls for financial reporting and requires management to assess the effectiveness of those controls. The company's external auditor also must attest to management's assessment of the firm's controls.
NYSE-listed companies are required to have an internal audit function in place to provide management and the audit committee with ongoing assessments of the firm's risk management processes and system of internal control. "We're looking to learn from the way that an auditor views that system infrastructure," Levine remarks. He says that strategy was driven home in the last few years as firms ramped up for Sarbanes-Oxley. "I think we had a good understanding of documentation, what was expected from us, how we needed to deliver and what standards we'd be judged against," he asserts.
Levine notes that the most recent project on which the internal auditors had an impact was E*TRADE's conversion to ADP's back office last September. "That was something very critical to us," he says. "We had a lot of discussions with auditors up front so that we knew we had all the bases covered."
Levine says it was a case in which the IT department and internal auditors worked together to make sure that they covered all the processes correctly and that checkpoints were established and followed. Auditors are "very good for the process," he adds.
A Team Effort
According to Vanguard's Buckley, one thing that has changed in the relationship between internal auditors and the IT department is how early in a project auditors get involved. Before, their involvement was more after the fact, checking things after they were complete. "Now, on the big projects, we invite them in earlier to get involved in the requirement process. Are we asking the right questions? Are we missing anything from an audit standpoint?" he says.
"The auditors are there to make sure we are doing our best to safeguard [our systems]," Buckley adds. "They're not there to make life difficult."
Shearan agrees that it's a team effort. "What we do is influence each other's thinking and point of view," he explains. In the end, Shearan says, auditors gain more of an appreciation for the business rationale behind the way IT builds systems, while the IT and business sides develop a better understanding of controls and what drives auditors. "It really does broaden individuals," he says.
Buckley adds that if there's any debate or discussion, it's not about what needs to get done - the auditors and IT managers are usually on the same page when it comes to that topic. Rather, the discussions, he says, focus on "when it can get completed."
According to E*TRADE's Levine, when it comes to prioritizing which projects get funding, the auditors aren't calling the shots. "We have a great environment where we openly discuss how we want to spend our capital," he says. "I don't think we'd ever have to use audit as a mechanism to get funding."
Auditors' true value, he adds, is in collaboration. "The best part of working with a great set of auditors is that they get you to step out of yourself and look at problems from a different perspective," Levine says. "It's very good for groups to step out of their everyday view of a process and look at it from an internal audit perspective."
Auditors ask many of the right questions, Levine suggests. Are controls in place? Is there proper documentation? Have things been properly tested? In the end, he says, it's all about the customer. "Anything that helps the customer and reassures the customer, especially when dealing with their money, is a great thing," Levine adds.
"I think that nowadays, especially with Sarbanes-Oxley and with demanding customers, internal audit plays a very important role in making sure you have the right policies, processes, procedures and documentation," he continues. "We all want to deliver for customers and deliver for the regulators and make the process as smooth as possible."
10 Questions to Ask Your Internal Auditor
1. Have we identified the key risks in this technology project?
2. Do our processes identify and analyze threats to our IT systems?
3. Do we have controls in place to cover our really big IT risks, or are there any gaps?
4. Does IT have a culture in which people take risk and controls seriously?
5. Can we trust our reporting and monitoring?
6. Are we directing and controlling our IT business properly?
7. Is the information created by our systems reliable?
8. Does the technology department comply with relevant legislation?
9. Are we doing enough to safeguard our IT assets?
10. How do we control change and IT system development initiatives?
Source: The U.K. and Ireland branch of the Institute of Internal Auditors (www.iia.org).