Here Come the Auditors: Judgment Calls

Nov 01, 2004

Regulations such as Sarbanes-Oxley are sending auditors to the pencil sharpener. CSOs must learn to cooperate and share expertise, without getting too close to these empowered examiners.

When Renato Delatore joined TD Waterhouse as vice president of information systems security three years ago, his group’s relationship with the audit function was more about conflict than cooperation.

“The relationship was adversarial, and there were issues that needed resolving,” Delatore recalls. He says that a first step toward improved relations was to agree to stop the confrontations. Beyond that, he saw that material change was required, or it was likely that the past difficulties would simply reoccur.

There was cause for friction. Delatore had inherited over 50 outstanding unresolved audit points, some occurring more than once. And the two groups needed almost a year, he recalls, to work through them, prioritize them and then resolve them. Some of the audit points were the result of simple misunderstandings or were no longer relevant. (And so auditors dropped them.) He says others, a quarter of the total, were of the “‘You don’t have a policy on this’ sort of thing, and so we created policies. Other points concerned the need to separate duties.” Eventually he resolved all of them.

Improving communications transformed the relationship between the two functions, and set the groundwork for future audits. Within the security function, specific people were charged with liaising with audit, instead of audit going directly to whomever they considered the appropriate person. For its part, audit was more open about its timetable. Previously, recalls Delatore, “We’d be doing a rollout, and audit would show up.” Now, there’s an agreed-upon rolling timetable over which security items are reviewed.

And some initiatives were truly collaborative. For example, the IT department partnered with audit on developing training courses to help auditors become more literate in information systems security. (The company even hired a consultant to run a session explaining how hackers operate.) Previously, says Delatore, audit was more prone to theoretical than practical thinking. Now, their critiques are more informed. Overall, he says, there’s been a sea change in the way that the two functions work together. “We’re really partners now.”

There was a time when it would have seemed strange for audit and security to share a sense of partnership. That is no longer the case. As audit increasingly moves center stage, the relationship between audit and security becomes more critical. And corporations’ high-profile focus on Sarbanes-Oxley compliance ratchets up the volume level on the question of the relationship further still.

Not only that: Audits inspired by Sarbanes-Oxley hit all aspects of the security profession. “It’s having a major impact,” says Shirley Pierini, president of ASIS International. Sarbanes-Oxley, Pierini explains, is all about enterprise risk management, and the responsibility for mitigating many of those risks falls squarely on the shoulders of the CSO. “Physical security, emergency preparedness and business resumption, investigations, executive protection, record retention and document destruction—every single one of these is impacted by Sarbanes-Oxley,” she says.

So in running the security function, CSOs have new questions to consider: How should a CSO respond to the audit function’s additional clout? Is hitching your wagon to audit a smart move? The answers (once you size up your relationship with your auditors) stress cooperation, communication and caution. Said another way: Do cooperate. Don’t be a pushover.

The Queries Are Coming! The Queries Are Coming!

Mention the 2002 Sarbanes-Oxley Act to Matthew Speare, and the response isn’t pretty. Speare recently spent months, when he was vice president and director of IT infrastructure at the Cleveland-based Ohio Savings Bank, satisfying external auditors examining the bank’s security procedures and systems. (Speare recently became CISO at M&T Bank.)

Areas that once received a relatively cursory inspection are now subject to detailed examinations. Unlike previous audits at the $12 billion regional bank, the probing has extended to examining the access to individual data files, and the transactions that update those files. Who, specifically, can generate these transactions? Who can alter them? Who has access to the files? Are these the right people to have access? And what controls and procedures are in place to ensure that people can’t change the output of a transaction without appropriate authorization?

Such detailed investigations aren’t cheap. Ohio Savings Bank was “expecting an increase in audit fees in excess of 50 percent this year,” says Speare. The costs of compliance carry a productivity impact too. “These people absorb time that we hadn’t projected,” he notes. “It’s soaked up hundreds of hours of my people’s time, about 15 of the 90 people that I have. We hadn’t anticipated it, and stuff just isn’t getting done. We’re falling behind on what we should be doing.”

But Sarbanes-Oxley, of course, is a legal requirement. Argument is not an option. Sarbanes-Oxley audits, which came into effect in 2003, are still breaking new ground. And auditors are still relative greenhorns. Internal auditors, working to cut compliance costs, are ratcheting up their in-house efforts to pass along findings (and save time) for the external auditors. Speare is among the executives who say they expect auditors to come up with additional requirements next year.

This makes sense, of course, if you look at the risks of noncompliance with audit requirements: for example, criminal prosecution for CEOs and CFOs who have to vouch for the quality of their financial statements under Sarbanes-Oxley.

“We’re certainly seeing the audit function’s prominence increasing, but if you look at executives’ personal exposure, that’s a pretty reasonable response,” adds Patrick Heim, vice president for enterprise security at pharmaceutical and health-care company McKesson of San Francisco. Under Sarbanes-Oxley, a company’s senior executives must testify, under penalty of a spell at Club Fed, that no nasties lurk in the figures, or could upset those figures with sudden changes to the business’s performance or capabilities. And it’s that latter requirement, of course, that exercises CSOs. Nor is Sarbanes-Oxley solely concerned with information security. Yes, flawed information security can damage a business, but so can flaws in physical security.

Audit Scrutiny Not Just For Public Companies

What’s more, Sarbanes-Oxley compliance is extending way beyond the relatively narrow group of publicly quoted companies formally affected by its strictures. New York-based Radianz, for example, a provider of network connectivity to the financial services industry, is not bound by Sarbanes-Oxley requirements. It’s 51 percent owned by Reuters, with the balance held by a France Telecom subsidiary called Equant. But even though Radianz need not comply, the company is acting as if it does, says its CSO, Lloyd Hession.

“People think that Sarbanes-Oxley is about public companies traded on the New York Stock Exchange. But any company with aspirations to go public, or that is likely to be acquired by another entity that is itself publicly quoted, needs to worry about Sarbanes-Oxley and be compliant with the regulations,” says Hession. “For these companies, Sarbanes-Oxley is having a much bigger impact than was initially expected. Even if you’re not being audited for compliance, you need to act as though you are.”

Indeed, privately held financial services institution Ameriquest Mortgage of Orange, Calif., where ASIS President Pierini holds down the CSO position, also seeks compliance with Sarbanes-Oxley’s requirements. “Even though we’re privately held, we’re working to those same guidelines as a best practice,” says Pierini.

And Sarbanes-Oxley, the subject of much talk over the past year, is not the only regulation in town. Many businesses and organizations that aren’t subject to Sarbanes-Oxley comply with state or federal rules that, for example, protect the privacy of a California consumer or the medical records of a health-care patient. Again, it’s the auditors that come knocking on the CSO’s door, no more frequently than before, perhaps, but now the door is opened with the knowledge that what’s under way is no mere box-ticking exercise.

So what’s a CSO to do?

Strategy No. 1: Cooperate

Cooperation with auditors is part of a winning strategy. “Audits are expending more of my time than they used to, but at the same time I consider auditors a partner. We have very similar charters,” says McKesson’s Heim. “It’s definitely not an adversarial relationship. If I spend time on something, it’s often because I’m leveraging their work in the first place. So whose time it is really is immaterial.”

While the audit folks undeniably have their boxes to tick, some of those boxes can aid the CSO’s cause, such as those pertaining to the importance accorded the security function within a properly compliant organization. If the status of the security function within an organization appears too low for the responsibilities it carries, then it’s certainly within the audit function’s powers to put that right.

At the Philadelphia Stock Exchange, for example, the position of CSO Allan Pomerantz and his team was elevated as a direct result of an audit finding by regulatory authorities that recommended that security report to the Exchange’s CIO, rather than its vice president of quality assurance.

Audit can also be an ally when it comes to obtaining funding for hardware or software investments, says Pomerantz. A proposed expenditure that carries Audit’s blessing “is easier to gain approval for compared to one that doesn’t,” he says.

What’s more, he adds, proactive cooperation (as opposed to begrudging compliance) is a smart move in terms of minimizing the adverse impact of any security demerit that Audit identifies. There’s always a question of how much information to volunteer, says Pomerantz. “We’ve always found that the best policy is to be open and honest. These guys aren’t dumb, and if you’ve got an exposure, they are going to find it. The relationship is going to get much more adversarial if they write it up as a problem that they’ve found and that you’ve denied, and that now you’re going to have to fix it.”

Strategy No. 2: Document Everything

Auditors love paperwork, and CSOs must acquire the taste too.

“In the Sarbanes-Oxley environment, it’s more important than ever before for CSOs to pay attention to detail and to document that detail,” says Pierini.

In other words, the audit function can’t audit something that is in people’s heads, or something that people say they would do in a specific set of circumstances; instead, they want to audit plans and procedures.

“If, for example, there’s a threat to the company, or to an employee, it’s important to document both the threat and the response, and to use the response to develop and build upon contingency plans,” Pierini advises. “If someone is threatening a branch [office], make sure that you have a documented set of policies and procedures to cover every eventuality, together with set escalation points.”

Don’t forget, too, that audit can be used after the event, as well as before it. So if you have plans and procedures, it’s important to follow them and to make sure that others follow them. “If something happened and audit said, ‘Why did you call in an unarmed security guard rather than an armed security guard?’ then you need to be able to answer that question.”

Strategy No. 3: Trust But Verify

For the security-audit relationship to work properly, there needs to be cooperation and trust. But CSOs also need to exercise an essential element of judgment. It’s one thing for audit to identify an issue; it’s quite another for there to be a significant or unacceptable risk attached to the issue.

“Security decisions should be made on the basis of probabilities and risks, and investments made to minimize those risks,” says Heim, of McKesson. “But meeting compliance requirements also involves making investments. And those investments may not map onto where the biggest risks lie.” E-mail encryption is a case in point, he says. “There really aren’t examples of people intercepting e-mail on the Internet, but huge amounts of money are still being spent guarding against it.”

So it’s worth checking whether an auditor’s query is actually warranted. On this point, two-way dialogue is vital. Heim says, “Sometimes the analyses can be a little simplistic, and something doesn’t get a tick, and you need to explain [to audit] why something isn’t relevant or how the risk has been mitigated in some other way. It’s all part of the negotiation process.”

Strategy No. 4: Teach Them Security

Heim’s mention of a back-and-forth negotiation between auditors and security executives carries with it an important conclusion: Security-savvy auditors are a must.

Communicating with auditors as part of a cooperative process is one way of educating them about the security function. Another solution, according to Radianz’s Hession, is to obtain the requisite combination of skills and separation by turning security folks into auditors.

Hession says he felt so strongly about being audited by people who knew what they were looking at that he recommended the creation of a security audit function. “I don’t report to the audit committee, but the head of corporate audit does,” he explains. “So I took two of my most senior people and put them with the corporate audit function.” The plan, he adds, is that these two individuals will then recruit a small team to complete the function.

If placing security experts into the auditing department sounds dramatic, it could go toward ensuring some expertise in a field known for turnover. Joe Koletar, a New York-based principal in the investigations and disputes practice of Ernst & Young, says that in spite of audit’s fresh prominence, “internal audit shops face exactly the same issues that corporate security faces: a lack of recognition and an inability to quantify its impact on the bottom line.” Koletar cites a 2002 job market outlook survey by Internal Auditor Magazine, which showed that almost half the people in a typical internal audit function would have either left the company or left the function within four years. “They are a young and mobile workforce, and they tend to move on.”

The Need For Mission Clarity

It’s good to cooperate, to communicate, to help auditors understand the security function. But while the audit and security functions may have similar risk-avoidance charters, it’s important to keep in mind that they are in fact different roles with different missions.

Javed Ikbal, CISO of financial services company Omgeo of Boston, says this is a reason CSOs should avoid working too closely with auditors, for risk of creating a conflict of interest.

“Audit and infosec don’t see things, or think, in the same way,” Ikbal says. “A fundamental difference is responsibility. Audit’s role begins and ends with finding gaps and following those up until either they are closed, or management accepts the risks. Infosec does exactly the same thing, but they are the ones who close the gaps and get audited on the follow-up as well.”

At the end of the day, Koletar says he is an enthusiastic advocate of the principle of audit and security working closely together. But he doesn’t want to see CSOs overestimate the audit function’s strength.

It seems even the auditors want to retain some tension in the relationship.