Auditors: A CIO’s New Best Friend
Anyone remember waiting with a big smile for a meeting with internal auditors? No? Well, let’s take a look at how the age-old fear of internal auditors (and external auditors, too!) can actually be a win for CIOs and CTOs.
History shows us that auditors usually find ‘things’ that are wrong, especially with newly implemented technologies and/or applications. Mostly applications. Many CIOs fear these folks because they tend to find things that should have been part of an original implementation, or culled out during initial analysis. Whether an application is transactional, reporting, on-prem, or in the Cloud, it doesn’t really matter. When an auditor finds poor or no controls, lousy documentation, vague responses to basic questions, questionable security, or poor or limited user training, they get nervous, and rightfully so. After all, an auditor’s job is to protect the assets of the company and prepare the company for external auditors who will validate the financial books, the information systems that manage the financials, the security surrounding those systems, and usually, a lot more.
So, let’s take a different approach. As a CIO or CTO, why not invite the internal auditors into the conversation right from the start? As an Interim CIO/CTO, one of the first people I want to meet is the head of internal audit. Why? Because they have a set of eyes and a different view on how systems should be managed and controlled. And they have a history of what’s not gone so well in the past. There are always ‘gotchas’ in any company’s infrastructure, application portfolio, user acceptance, or operational procedures. Having the head of internal audit and their teams be a part of any implementation at arm’s length can bring valuable insight ahead of problems. In my experience, I want a direct line to the head of internal audit when I suspect something might not pass the sniff test. I have also found that having internal audit as a team member (yes, at arm’s length) brings about a new way of thinking for the IT team. When I was the global CIO at a very large company based in The Netherlands, the multi-country teams would discuss various points about a system implementation, risks, controls, training, compliance, etc. When team members or project leads start saying, “this has to pass internal audit,” it brings about a completely new paradigm to the team. They then look at implementations as not just ‘getting it done,’ but also with a view that they’re conscious of the need to ensure compliance, standards, security, etc. are adhered to. This is critically important when implementing systems or technologies in a multi-country environment where legal compliance, controls and risk management can be different in each country. Internal audit can help navigate these waters of uncertainty.
Let’s look at a couple of examples where having a direct relationship with the head of internal audit really helped. In my first example, IT was approached by the head of internal audit on suspicion that accounts receivable ageing and cash collections in a certain country were out of whack. They came to me because on the team, I had a person who spoke the language of the country in question fluently and who was also familiar with the applications and systems implemented in the country. I sent this person on a fishing trip to ascertain what was going on from the systems perspective. Because he was in IT, he was able to get into the guts of core systems and processes quickly. What he found was that someone had actually put custom code into an application that managed credit processing for new orders. Essentially, the software was doctored to bypass the credit check processing and accept the order – any order of any value, regardless of the creditworthiness of the customer. This way, sales were achieved and bonuses paid, but the company was being scammed and put at risk as receivables climbed and cash arrived late or not at all. The discovery and a report to the head of internal audit resulted in a complete revamp of operations in the country and the replacement of all the senior management (and several IT people who were involved). New, auditable controls for the system were put in place. Had this situation gone unchecked, it could have been a serious financial blow to the company.
My second example is in a different company, also international, and in a different industry. There was a program run by the IT organization over the course of a couple of years. The company spent a ‘few million dollars’ in building this new application. Being the new guy as the Interim CIO, I had the responsibility to review what had been accomplished, what the deliverables were, and the timeline for deployment. Management was asking, after 2 years of spending, what the outcome was and when it would arrive. What I discovered was amazing. The software was riddled with bugs, documentation was lacking, redo of previous versions was rampant; there was no way this product/system was going to make it to primetime. Yet, the project had been reported ‘green’ to executive management, internal audit, and end-user management. Oh boy, now what? First on my list was to meet with the head of internal audit that I had befriended in the first week on the job. The next was to inform the executive team of the findings. Naturally, everyone was surprised as they had been given the thumbs-up that all was well. It wasn’t. At my request, internal audit launched an investigation that resulted in the program being cancelled, and a huge financial write-off taken against the financials (this was a public company).
Huge help for the CIO
The point here is that having the head of internal audit be almost adjunct to the CIO or CTO is a huge help when these situations occur. It gives the CIO or CTO an external avenue to vet issues and to have an independent view as to what is really going on.
So, when internal audit comes knocking about the agenda for IT audits in the coming year, the best course of action is to put forward not only those systems or technologies already in place, but the planned ones as well. Make internal audit part of your control mechanism. A really good internal audit relationship can do things like provide a pro forma audit of a system prior to a formal audit, thus giving you time to fix any issues discovered. My standard has been to allow internal audit the right to audit a system 3 months after go-live. No agenda. This way, IT has a chance to fix issues and stay off the front page of the formal findings report. And staying off the front page is first and foremost, and always, a good thing!