You Bought It, Now Audit

Your technology infrastructure can be audited -- and probably should be.
Bob Violino, June 23, 2004

These days, audits are rarely a source of solace, but finance executives who find IT daunting may actually be relieved to know that IT audits are suddenly in vogue, and provide exactly the sort of big-picture view that most CFOs need. IT audits are not, as you may have guessed, a matter of pure accounting. The term covers a lot of ground, but in general it can be thought of as the processes by which organizations evaluate virtually any aspect of their technology controls, capabilities, and performance. While IT audits have been conducted by some companies for years, they’re moving into the mainstream as regulatory compliance, risk management, and information security become higher corporate priorities.

If done properly, experts say, IT audits not only reveal weaknesses in compliance, security, and other areas but also help companies save money by finding ways to use IT hardware and software more efficiently and get a better handle on technology assets. Organizations can use IT audits to ensure that their technology initiatives are in sync with business goals and practices.

“These audits provide our CIO with an independent and objective review of his areas to ensure data resources are protected, appropriate internal controls are in place, systems are designed and developed to meet our business needs, and internal system resources are used effectively and efficiently,” says Ken Askelson, IT audit manager at retailer J.C. Penney Co. in Plano, Texas.

There are many types of IT audits that cover a broad range of technologies and processes. One type assesses IT governance, determining how well the IT department is managed and staffed, and how efficiently it supports business operations. Information-security audits examine security policies and such technologies as firewalls, as well as analyze the integrity of networks, databases, operating systems, Web servers, and applications.

Audits can focus on such major IT assets as ERP systems or on individual applications like payroll and accounts payable. Some audits evaluate the effectiveness of business-continuity and disaster-recovery programs, and others make sure that organizations have adequate and up-to-date software licensing in place. Still others are dedicated to ensuring that organizations are in compliance with such regulations as the Sarbanes-Oxley Act of 2002 and the Health Insurance Portability and Accountability Act.

IT audits frequently begin with a risk assessment, in which an organization obtains an overview of the major systems and applications used to support critical business processes. The intent is to identify existing or potential areas of risk that should be addressed in future IT audits, says Paul Rozek, director of technology services at Jefferson Wells International, a Brookfield, Wisconsin, consulting firm that has seen its IT-audit work increase by 40 percent between 2002 and 2003. Organizations can then prioritize the audits based on the level of risk. That initial assessment can also give executives a good sense of the systems the organization has in place, and whether the company has sufficient expertise and staff resources to conduct subsequent, more-focused audits. If not, the organization will have to consider getting help from an outside expert (see “Deciding Who Does What,” at the end of this article).

The actual audits of individual aspects of IT, which can last a few weeks or several months, involve testing the technologies and controls that are in place, to make sure they are meeting corporate expectations. Once audits are complete, reports are sent to the appropriate managers so they can address specific needs.

For example, an information-security audit report would go to the CIO or other senior IT executive, as well as to the chief information security executive. Rozek says many IT-audit reports include an executive summary for higher-level officers and more detailed information for the people who will actually be putting necessary fixes in place.

“As with a financial audit, always think of who the audit audience is,” says Rozek. “Make sure the report has insights that executive management will understand, and also give sufficient information from a process-control and technology-control perspective.”

Experts say CFOs should be copied on most or all IT-audit reports. “The CFO should absolutely rely on IT audits that affect the programs or operations for which they are responsible to provide assurance that the proper data security and controls” are in place, says Paul Hoshall, principal of Hoshall Associates, an IT-audit training and consulting firm in Fairfax, Virginia. “Without audits, I don’t know how you can do this.”

Michael Cangemi, president and CEO (and former CFO) of consumer leather goods designer Etienne Aigner Group in Edison, New Jersey, agrees that finance chiefs should push for IT audits and always be briefed on their findings. “When you do audits, you gain a basic control over the entire IT environment and systems. What better way is there for a CFO to verify that the company’s investment in IT is working the way the board and management expect it to?” asks Cangemi.

Cangemi has a special appreciation for the audit function. He began his career in the 1970s working in IT auditing before advancing to high-level positions in finance, and authored the book Managing the Audit Function (Wiley & Sons), a new edition of which came out in 2003.

Etienne Aigner relies on an auditing firm to examine its critical business systems, such as those used for an electronic trading network with major retailers, a sales force automation program, and its growing Internet business. Cangemi says the audits make sure that systems are meeting standards for performance.

At J.C. Penney, the internal auditing department, which includes an IT auditing group, reports to the executive vice president, secretary, and general counsel, and works closely with the CFO and other members of senior management to develop annual audit plans and coordinate audits of key areas within the organization. The IT audit group audits such areas as telecommunications systems, business applications, network architecture, data-center operations, change management, disaster recovery/business continuity, electronic commerce, information security, and database security. And, of course, Sarbanes-Oxley.

IT audits do more than provide peace of mind or point out room for improvement: they can also zero in on potentially serious problems. The 15-member IT audit team at Depository Trust & Clearing Corp., for example, might conduct a weekend test of a backup system to simulate an abrupt shutdown, to ensure that it switches operations to an alternate site within seconds, as it is supposed to do. Since auditors look at communications and overall responsibilities across functional departments, they help pinpoint any breakdowns that could have an adverse impact on the organization, according to senior IT auditor Fredric Greene.

How frequently IT audits should be conducted depends on the type of audit and the individual needs of the organization, says Fred Heller, an IT-audit expert at Jefferson Wells. Certain IT assets, such as key business systems and applications, should be audited at least once a year. Others, such as data centers, can be audited every three years or so. “Companies can do multiple audits at the same time or on a cycle basis,” says Heller. “Sometimes they need to do specific audits [at a certain time] because of a high risk, and the next year they have a different cycle.”

A growing number of companies are conducting audits of extensive IT projects — such as an infrastructure overhaul or a rollout of mobile computing devices — to ensure that initiatives are running on time and on budget. “An IT audit can provide an assessment of how a project is being managed, how the systems and applications are working, and whether you can move to the next phase,” says Heller. Many involved in IT audits stress that they are now a fundamental part of overall IT management.

Bob Violino is a freelance writer in Massapequa Park, New York.

Deciding Who Does What

There’s no shortage of companies that provide IT-auditing services, from traditional accounting firms to small, specialized consultancies.

Small and midsize companies are more likely to hire out IT-auditing jobs than larger organizations because they lack internal expertise or resources, experts say. Larger organizations often have an internal auditing staff, equipped with the know-how to conduct a range of audits. But staff reductions, and increasingly complex and rapidly changing technologies, have forced even bigger companies to look outside for help in certain areas, says Paul Hoshall, principal of Hoshall Associates, an IT-audit training and consulting firm in Fairfax, Virginia.

Some companies mix and match, doing their own IT audits while occasionally turning to service providers for help. Financial-services firm Fidelity Investments in Boston conducts audits of IT-management processes, general controls, infrastructure, and applications.

“If the internal audit staff is properly objective, has management’s support, is adequately resourced, and has the requisite technology and audit skills, I think they are better positioned to do the work” than an outside firm, says Jay Stott, vice president of IT audit at Fidelity. “They usually will have greater knowledge of the business, organization, and operating environment, and therefore are better able to evaluate the full range of risks and controls that are important to the organization.”

In some situations, Stott says, specialized technology knowledge that’s beyond the staff’s capability is needed. For example, Fidelity used a networking specialist to audit its voice networks when it lacked internal expertise.

Sometimes companies gain knowledge from service providers that they can use later on. Retailer J.C. Penney Co. does most of its own audits, but several years ago it “co-sourced” an audit of its ERP system. Based on what it learned, it now handles that job itself. —B.V.

Peering Inside the Box

When it comes to conducting IT audits, organizations can turn to a familiar resource for help: IT. There are dozens of software products on the market that provide all kinds of help with the auditing process. A quick sampling of functions addressed by these tools includes risk analysis and simulation, remote network auditing, audit planning and budgeting, databases for audit findings, customized reports and graphs, work-tracking systems, data mining and analysis, computer forensics, asset and software management, business intelligence, inventory management, configuration management, and security.

Paul Hoshall, principal of Hoshall Associates, an IT-audit training firm in Fairfax, Virginia, says the number of available tools has grown in part because in many cases, auditors have had to do more work with fewer people on staff, and more and more audit information resides exclusively within the computer. “We’re also dealing with a significantly changing [IT] environment,” including bigger and more-complex infrastructures, says Hoshall. “A lot of things occur inside the box, and we need to reach inside the computers and networks to find out what’s going on.” But fully automated audits are unlikely, because the final step in any audit is the exercise of human judgment as to what to do next. —B.V.