In Depth

Here Come the Auditors: Judgment Calls

Regulations such as Sarbanes-Oxley are sending auditors to the pencil sharpener. CSOs must learn to cooperate and share expertise, without getting too close to these empowered examiners.

By Malcolm Wheatley

Page 2

So in running the security function, CSOs have new questions to consider: how should a CSO respond to the audit function's additional clout? Is hitching your wagon to audit a smart move? The answers (once you size up your relationship with your auditors) stress cooperation, communication and caution. Said another way: Do cooperate. Don't be a pushover.

The Queries Are Coming! The Queries Are Coming!

Mention the 2002 Sarbanes-Oxley Act to Matthew Speare, and the response isn't pretty. Speare recently spent months, when he was vice president and director of IT infrastructure at the Cleveland-based Ohio Savings Bank, satisfying external auditors examining the bank's security procedures and systems. (Speare recently became CISO at M&T Bank.)

Areas that once received a relatively cursory inspection are now subject to detailed examination. Unlike in previous audits at the $12 billion regional bank, the probing now extends to access to individual data files and to the transactions that update those files. Who, specifically, can generate these transactions? Who can alter them? Who has access to the files? Are these the right people to have access? And what controls and procedures are in place to ensure that people can't change the output of a transaction without appropriate authorization?

Such detailed investigations aren't cheap. Ohio Savings Bank was "expecting an increase in audit fees in excess of 50 percent this year," says Speare. The costs of compliance carry a productivity impact too. "These people absorb time that we hadn't projected," he notes. "It's soaked up hundreds of hours of my people's time, about 15 of the 90 people that I have. We hadn't anticipated it, and stuff just isn't getting done. We're falling behind on what we should be doing."

But Sarbanes-Oxley, of course, is a legal requirement. Argument is not an option. Sarbanes-Oxley audits, which came into effect in 2003, are still breaking new ground, and auditors are still relative greenhorns. Internal auditors, working to cut compliance costs, are ratcheting up their in-house efforts to pass along findings (and save time) for the external auditors. Speare is among the executives who say they expect auditors to come up with additional requirements next year.

This makes sense, of course, if you look at the risks of noncompliance with audit requirements: for example, criminal prosecution for CEOs and CFOs, who have to vouch for the quality of their financial statements under Sarbanes-Oxley.

"We're certainly seeing the audit function's prominence increasing, but if you look at executives' personal exposure, that's a pretty reasonable response," adds Patrick Heim, vice president for enterprise security at pharmaceutical and health-care company McKesson of San Francisco. Under Sarbanes-Oxley, a company's senior executives must attest, under penalty of a spell at Club Fed, that no nasties lurk in the figures, or could upset those figures through sudden changes to the business's performance or capabilities. And it's that latter requirement, of course, that exercises CSOs. Nor is Sarbanes-Oxley solely concerned with information security. Yes, flawed information security can damage a business, but so can flaws in physical security.

Audit Scrutiny Not Just for Public Companies

What's more, Sarbanes-Oxley compliance is extending well beyond the relatively narrow group of publicly quoted companies formally affected by its strictures. New York-based Radianz, for example, a provider of network connectivity to the financial services industry, is not bound by Sarbanes-Oxley requirements. It's 51 percent owned by Reuters, with the balance held by a France Telecom subsidiary called Equant. But even though Radianz need not comply, the company is acting as if it does, says its CSO, Lloyd Hession.
