In Depth

Here Come the Auditors: Judgment Calls

Regulations such as Sarbanes-Oxley are sending auditors to the pencil sharpener. CSOs must learn to cooperate and share expertise, without getting too close to these empowered examiners.

By Malcolm Wheatley

Page 5

So it is reasonable to check whether an auditor's query is itself appropriate. On this point, two-way dialogue is vital. Heim says, "Sometimes the analyses can be a little simplistic, and something doesn't get a tick, and you need to explain [to audit] why something isn't relevant or how the risk has been mitigated in some other way. It's all part of the negotiation process."

Strategy No. 4: Teach Them Security

Heim's mention of a back-and-forth negotiation between auditors and security executives carries with it an important conclusion: Security-savvy auditors are a must.

Communicating with auditors as part of a cooperative process is one way of educating them about the security function. Another solution, according to Radianz's Hession, is to obtain the requisite combination of skills and separation by turning security folks into auditors.

Hession says he felt so strongly about being audited by people who knew what they were looking at that he recommended the creation of a security audit function. "I don't report to the audit committee, but the head of corporate audit does," he explains. "So I took two of my most senior people and put them with the corporate audit function." The plan, he adds, is that these two individuals will then recruit a small team to complete the function.

If placing security experts into the auditing department sounds dramatic, it could go toward ensuring some expertise in a field known for turnover. Joe Koletar, a New York-based principal in the investigations and disputes practice of Ernst & Young, says that in spite of audit's fresh prominence, "internal audit shops face exactly the same issues that corporate security faces: a lack of recognition and an inability to quantify its impact on the bottom line." Koletar cites a 2002 job market outlook survey by Internal Auditor Magazine, which showed that almost half the people in a typical internal audit function would have either left the company or left the function within four years. "They are a young and mobile workforce, and they tend to move on."

The Need For Mission Clarity

It's good to cooperate, to communicate, to help auditors understand the security function. But while the audit and security functions may have similar risk-avoidance charters, it's important to keep in mind that they are in fact different roles with different missions.

Javed Ikbal, CISO of financial services company Omgeo of Boston, says this is a reason CSOs should avoid working too closely with auditors, for risk of creating a conflict of interest.
