In Depth
Here Come the Auditors: Judgment Calls
Regulations such as Sarbanes-Oxley are sending auditors to the pencil sharpener. CSOs must learn to cooperate and share expertise, without getting too close to these empowered examiners.
By Malcolm Wheatley
November 01, 2004 — CSO — When Renato Delatore joined TD Waterhouse as vice president of information systems security three years ago, his group's relationship with the audit function was more about conflict than cooperation.
"The relationship was adversarial, and there were issues that needed resolving," Delatore recalls. He says that a first step toward improved relations was to agree to stop the confrontations. Beyond that, he saw that material change was required; otherwise the past difficulties would simply recur.
There was cause for friction. Delatore had inherited more than 50 unresolved audit points, some of them raised more than once. The two groups needed almost a year, he recalls, to work through them, prioritize them and then resolve them. Some of the audit points were the result of simple misunderstandings or were no longer relevant, and the auditors dropped them. Others, about a quarter of the total, were of the "'You don't have a policy on this' sort of thing, and so we created policies. Other points concerned the need to separate duties." Eventually he resolved all of them.
Improving communications transformed the relationship between the two functions, and set the groundwork for future audits. Within the security function, specific people were charged with liaising with audit, instead of audit going directly to whomever they considered the appropriate person. For its part, audit was more open about its timetable. Previously, recalls Delatore, "We'd be doing a rollout, and audit would show up." Now, there's an agreed-upon rolling timetable over which security items are reviewed.
And some initiatives were truly collaborative. For example, the IT department partnered with audit on developing training courses to help auditors become more literate in information systems security. (The company even hired a consultant to run a session explaining how hackers operate.) Previously, says Delatore, audit was more prone to theoretical than practical thinking. Now, their critiques are more informed. Overall, he says, there's been a sea change in the way that the two functions work together. "We're really partners now."
There was a time when it would have seemed strange for audit and security to share a sense of partnership. That is no longer the case. As audit increasingly moves center stage, the relationship between audit and security becomes more critical, and corporations' high-profile focus on Sarbanes-Oxley compliance makes the question of that relationship more urgent still.
Not only that: Audits inspired by Sarbanes-Oxley hit all aspects of the security profession. "It's having a major impact," says Shirley Pierini, president of ASIS International. Sarbanes-Oxley, Pierini explains, is all about enterprise risk management, and the responsibility for mitigating many of those risks falls squarely on the shoulders of the CSO. "Physical security, emergency preparedness and business resumption, investigations, executive protection, record retention and document destruction—every single one of these is impacted by Sarbanes-Oxley," she says.