Senior Editor, Network World

Auditors’ ascension

News Analysis
Jan 13, 2003
Data Center, Regulation, Security

A new law is bringing the IT security auditor out of the wiring closet and into the boardroom.

The IT auditor, whose security-related job is watching over IT systems and corporate employees for signs of trouble, was once seen as the techie office curmudgeon. But after last year’s financial accounting scandals, the IT auditor’s status is rising fast, and the position is now seen as a key adviser to upper management.

Usually found in the information security department, the IT auditor is being invited to spend more time with top business management and with the audit committees of the board of directors, who are anxious to be assured that the company’s controls are sound.

While heightened concerns over security and terrorism account for some of the IT auditor’s new sheen, there’s also another reason: the freshly minted law known as the Sarbanes-Oxley Act puts more pressure on upper management to vouch for “internal controls,” with specific sections related to information auditing.

The Sarbanes-Oxley Act was pushed through Congress and signed into law by President Bush in response to last year’s billion-dollar accounting scandals and bankruptcies at Enron, WorldCom and others. Now being turned into Securities and Exchange Commission regulations, the new law affects myriad financial accounting practices. The act also requires that managers vouch for the internal controls the company places over areas that include transactions, electronic information and communications.

“The foundation of a good audit requires that you deal with these things,” says Kevin Price, CFO at Ernst & Young’s eSecurity Online division in Kansas City, Mo. “For the first time, you will be required to issue an opinion about this at the SEC. The auditor will have to make sure that management’s assertion is accurate.”

As a consequence, the Sarbanes-Oxley legislation is expected to bring the IT auditor out of the wiring closet and into the boardroom.

Audit committees, which typically meet four times per year, are devoting an increasing amount of their time to IT auditing, according to Lawrence Harrington, vice president and chief audit executive at office-supplies retailer Staples in Framingham, Mass.

“Audit committees today are spending as much as 25% of their time on IT technology issues,” Harrington says. “The audit members are being told that information security is on the top of the list.”

Typically, IT auditors have job experience in computer and telecom systems, honing their skills in security. They establish their credentials through professional certification programs, including those from the Information Systems Audit and Control Association (ISACA).

Through ISACA, security professionals can earn the Certified Information Systems Auditor (CISA) certification. To date, more than 20,000 IT auditors have passed the CISA exam. Other programs include the SANS Institute’s Systems and Network Auditor credential, offered under the SANS Global Information Assurance Certification program. IT auditors also might have college degrees in accounting.

Many IT auditors agree that their skills are in demand as new regulations emerge.

“For instance, there’s a new rule in the New York Stock Exchange that requires an internal audit as opposed to outsourcing the audit,” says Stephen Konopo, assistant vice president of internal audit for Mizuho Capital Markets in New York.

But beyond new regulatory requirements, Konopo has found his company is using IT audits as a way to look for efficiencies in operations. That’s because IT auditing entails keeping track of, and periodically inspecting, software, services and personnel for security reasons. There’s a growing presumption that the IT auditor should have a strong understanding of the organization’s business.

Many IT auditors are already well-connected in the boardroom. Jim Gager, a CISA in the technology services division of Jack Henry & Associates, a data processing systems provider in Lenexa, Kan., says he reports to the audit committee, which is part of the board of directors.

But as IT auditors step into the boardroom more often, it’s important to learn to speak the language of management, some auditing professionals say.

“One criticism of the IT field over the years has been that they often talk above their audience,” says Staples’ Harrington. “They speak in a language that the audit committee or the business committee doesn’t understand. We fall into our own jargon. We need to speak management’s language.” That means taking the time to learn the business at hand, not just IT but also operations, finance and marketing.

Some industries, including banking and healthcare, face IT auditing regulations that are stricter than those of other sectors. In banking, for example, IT auditors must ensure their companies comply not only with the newer Sarbanes-Oxley rules but also with several other sets of rules, including those of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC is a multi-agency group that is empowered to prescribe uniform standards for, and inspect, financial institutions as a public safeguard.

So how do IT auditors go about putting in place the internal controls over IT policy and systems use that the Sarbanes-Oxley Act now highlights, and that call for auditing practices to be documented?

Many IT auditors begin with the philosophy of “IT governance,” the notion espoused by ISACA that both the human and the machine processes must first be clearly defined on paper. This keeps management informed of what is occurring inside the organization, so that it can back the necessary audits of Web pages, firewalls, laptops, disaster recovery, privacy safeguards, passwords, e-mail and more.

Whatever framework is chosen, IT auditors should be aware that “the developing of policy should be at the direction of senior management,” says Paul Hugenberg, CISA, of the IT audit office at Sky Financial Group in Bowling Green, Ohio.

And in an era in which there is still considerable outsourcing of operations, it makes sense to include a clause in outsourcing contracts giving the corporate IT auditor the right to audit the outsourcer’s systems as well.

Auditing by the book

Here are some key references to consult when developing IT auditing policies:

CobiT
Published by ISACA, the document known as Control Objectives for Information and Related Technology (CobiT) focuses on IT governance and on developing a framework based on 34 IT processes that together address more than 300 detailed control objectives, many of them related to system security.

British Standard 7799/ISO 17799
A British standard that has also become an International Organization for Standardization standard, ISO 17799 (still often called BS 7799) defines a code of practice for information security: assessing risk, selecting controls and developing guidelines for access control, systems development, business continuity, communications, personnel and compliance.

GAO Accounting and Information Management
The General Accounting Office, the U.S. Congress’s audit agency, defines practical procedures for risk assessment in the areas of personnel, facilities and equipment, applications, communications, software and operating systems.