City Intelligence
Monday, June 15, 2009
Keeping Internal Audit IT’s Best Friend
Many technology leaders fail to realize that Internal Audit is Information Technology’s best friend in the corporation. Internal Audit is highly effective at promoting IT’s successes, adding emphasis to IT’s requests for funding, ensuring a record of compliance, and providing inputs for future planning. With these potential benefits it is essential that IT cultivate the friendship with internal audit and avoid creating an adversarial relationship.
In the corporate world it is challenging for a support organization such as Information Technology to receive the kind of recognition that comes easily to departments which exceed sales targets, which produce record numbers of widgets, or which bring on board important new customers. While smoking an internal audit will never achieve the same level of recognition it can produce a steady record of success and help instill confidence in the organization. Those other departments also find it easy to justify their expenditures – hire 4 sales people and achieve five million in sales, or spend $2 M on a marketing campaign and increase sales by 20%. IT expenditures are often much more challenging to justify. How do you quantify the returns of a backbone upgrade? Or new firewalls? The easy way is with a report from internal audit.
When external auditors or accreditation bodies come around, it’s almost guaranteed that something will go wrong - a report will be missing, or one of the required checks will not be performed. If this is all there is to the story, then it isn’t going to be pretty on the report. But, on the other hand, if Internal Audit records show a history of the action, it’s only an occasional incident and the effect on the final report won’t be nearly as severe.
So with every thing to gain, how do we keep internal audit in our corner? The keys are: be open and honest with the audit team; negotiate the timing and scope of internal audits to expand it to cover your concerns; create an atmosphere with your team that encourages good relations with the internal auditors; and seek rapid feedback to prevent surprises.
Being open and honest helps prevent an adversarial relationship from developing. It keeps the internal auditor from being suspicious and starting to hunt for issues.
Negotiating the timing and scope ensures that audits are happening when you want them, and when they will provide the least stress, and therefore the greatest cooperation with the audit team. In addition, negotiating the scope allows the opportunity to expand coverage to areas that you are concerned about. The statement you make by saying “I suspect there are some issues in this area, let’s go find them” goes a long way to establishing IT as a team player in the company and one who is more concerned about getting things right than covering their hides.
Finally, good relations and rapid feedback work to help keep down surprises. Internal audit has no intention of creating any more surprises than you do. Surprises make them look suspicious to others in the company as well, and surprises on an external audit make them look like they are not doing their job. External audits are always going to find something to write about, but if that is something that IT and Internal Audit have already presented the impact is minimized. And if it is something that has been specifically left unfunded, then the issue isn’t left with IT and internal audit.
In the corporate world it is challenging for a support organization such as Information Technology to receive the kind of recognition that comes easily to departments which exceed sales targets, which produce record numbers of widgets, or which bring on board important new customers. While smoking an internal audit will never achieve the same level of recognition it can produce a steady record of success and help instill confidence in the organization. Those other departments also find it easy to justify their expenditures – hire 4 sales people and achieve five million in sales, or spend $2 M on a marketing campaign and increase sales by 20%. IT expenditures are often much more challenging to justify. How do you quantify the returns of a backbone upgrade? Or new firewalls? The easy way is with a report from internal audit.
When external auditors or accreditation bodies come around, it’s almost guaranteed that something will go wrong - a report will be missing, or one of the required checks will not be performed. If this is all there is to the story, then it isn’t going to be pretty on the report. But, on the other hand, if Internal Audit records show a history of the action, it’s only an occasional incident and the effect on the final report won’t be nearly as severe.
So with every thing to gain, how do we keep internal audit in our corner? The keys are: be open and honest with the audit team; negotiate the timing and scope of internal audits to expand it to cover your concerns; create an atmosphere with your team that encourages good relations with the internal auditors; and seek rapid feedback to prevent surprises.
Being open and honest helps prevent an adversarial relationship from developing. It keeps the internal auditor from being suspicious and starting to hunt for issues.
Negotiating the timing and scope ensures that audits are happening when you want them, and when they will provide the least stress, and therefore the greatest cooperation with the audit team. In addition, negotiating the scope allows the opportunity to expand coverage to areas that you are concerned about. The statement you make by saying “I suspect there are some issues in this area, let’s go find them” goes a long way to establishing IT as a team player in the company and one who is more concerned about getting things right than covering their hides.
Finally, good relations and rapid feedback work to help keep down surprises. Internal audit has no intention of creating any more surprises than you do. Surprises make them look suspicious to others in the company as well, and surprises on an external audit make them look like they are not doing their job. External audits are always going to find something to write about, but if that is something that IT and Internal Audit have already presented the impact is minimized. And if it is something that has been specifically left unfunded, then the issue isn’t left with IT and internal audit.
Labels: audit, internal audit, IT audit, Management
Archives
Subscribe to Posts [Atom]