In Depth

Here Come the Auditors: Judgment Calls

Regulations such as Sarbanes-Oxley are sending auditors to the pencil sharpener. CSOs must learn to cooperate and share expertise, without getting too close to these empowered examiners.

By Malcolm Wheatley

Page 3

"People think that Sarbanes-Oxley is about public companies traded on the New York Stock Exchange. But any company with aspirations to go public, or that is likely to be acquired by another entity that is itself publicly quoted, needs to worry about Sarbanes-Oxley and be compliant with the regulations," says Hession. "For these companies, Sarbanes-Oxley is having a much bigger impact than was initially expected. Even if you're not being audited for compliance, you need to act as though you are."

Indeed, privately held financial services institution Ameriquest Mortgage of Orange, Calif., where ASIS President Pierini holds down the CSO position, also seeks compliance with Sarbanes-Oxley's requirements. "Even though we're privately held, we're working to those same guidelines as a best practice," says Pierini.

And Sarbanes-Oxley, the subject of much talk over the past year, is not the only regulation in town. Many businesses and organizations that aren't subject to Sarbanes-Oxley must comply with state or federal rules that, for example, protect the privacy of a California consumer or the medical records of a health-care patient. Again, it's the auditors who come knocking on the CSO's door: no more frequently than before, perhaps, but now the door is opened with the knowledge that what's under way is no mere box-ticking exercise.

So what's a CSO to do?

Strategy No. 1: Cooperate

Cooperation with auditors is part of a winning strategy. "Audits are expending more of my time than they used to, but at the same time I consider auditors a partner. We have very similar charters," says McKesson's Heim. "It's definitely not an adversarial relationship. If I spend time on something, it's often because I'm leveraging their work in the first place. So whose time it is really is immaterial."

While the audit folks undeniably have their boxes to tick, some of those boxes can aid the CSO's cause, such as those pertaining to the standing accorded to the security function within a properly compliant organization. If the status of the security function within an organization appears too low for the responsibilities it carries, then it's certainly within the audit function's powers to put that right.

At the Philadelphia Stock Exchange, for example, the position of CSO Allan Pomerantz and his team was elevated as a direct result of an audit finding by regulatory authorities that recommended that security report to the Exchange's CIO, rather than its vice president of quality assurance.

Audit can also be an ally when it comes to obtaining funding for hardware or software investments, says Pomerantz. A proposed expenditure that carries Audit's blessing "is easier to gain approval for compared to one that doesn't," he says.
