When Renato Delatore joined TD Waterhouse Group Inc. as vice president of information systems security three years ago, his group's relationship with the audit function was more about conflict than cooperation.
"The relationship was adversarial, and there were issues that needed resolving," Delatore recalls. He says that a first step toward improved relations was to agree to stop the confrontations. Beyond that, he saw that material change was required, or it was likely that the past difficulties would simply reoccur.
There was cause for friction. Delatore had inherited over 50 outstanding unresolved audit points, some occurring more than once. And the two groups needed almost a year, he recalls, to work through them, prioritize them and then resolve them. Some of the audit points were the result of simple misunderstandings or were no longer relevant. (And so auditors dropped them.) Others -- a quarter of the total -- were, he says, of the "'You don't have a policy on this' sort of thing, and so we created policies. Other points concerned the need to separate duties." Eventually he resolved all of them.
Improving communications transformed the relationship between the two functions, and set the groundwork for future audits. Within the security function, specific people were charged with liaising with audit, instead of audit going directly to whomever they considered the appropriate person. For its part, audit was more open about its timetable. Previously, recalls Delatore, "We'd be doing a rollout, and audit would show up." Now, there's an agreed-upon rolling timetable over which security items are reviewed.
And some initiatives were truly collaborative. For example, the IT department partnered with audit on developing training courses to help auditors become more literate in information systems security. (The company even hired a consultant to run a session explaining how hackers operate.) Previously, says Delatore, audit was more prone to theoretical than practical thinking. Now, their critiques are more informed. Overall, he says, there's been a sea change in the way that the two functions work together. "We're really partners now."
There was a time when it would have seemed strange for audit and security to share a sense of partnership. That is no longer the case. As audit increasingly moves center stage, the relationship between audit and security becomes more critical. And corporations' high-profile focus on Sarbanes-Oxley compliance ratchets up the volume level on the question of the relationship further still.
Not only that: Audits inspired by Sarbanes-Oxley hit all aspects of the security profession. "It's having a major impact," says Shirley Pierini, president of American Society For Industrial Security Inc. (ASIS International). Sarbanes-Oxley, Pierini explains, is all about enterprise risk management, and the responsibility for mitigating many of those risks falls squarely on the shoulders of the CSO. "Physical security, emergency preparedness and business resumption, investigations, executive protection, record retention and document destruction -- every single one of these is impacted by Sarbanes-Oxley," she says.
So in running the security function, CSOs have new questions to consider: how should a CSO respond to the audit function's additional clout? Is hitching your wagon to audit a smart move? The answers (once you size up your relationship with your auditors) stress cooperation, communication and caution. Said another way: Do cooperate. Don't be a pushover.
The queries are coming! The queries are coming!
Mention the 2002 Sarbanes-Oxley Act to Matthew Speare, and the response isn't pretty. Speare recently spent months, when he was vice president and director of IT infrastructure at the Cleveland-based Ohio Savings Bank FSB, satisfying external auditors examining the bank's security procedures and systems. (Speare recently became CISO at M&T Bank Corp.)
Areas that once received a relatively cursory inspection are now subject to detailed examinations. Unlike previous audits at the US$12 billion regional bank, the probing has extended to examining the access to individual data files, and the transactions that update those files. Who, specifically, can generate these transactions? Who can alter them? Who has access to the files? Are these the right people to have access? And what controls and procedures are in place to ensure that people can't change the output of a transaction without appropriate authorization?
Such detailed investigations aren't cheap. Ohio Savings Bank was "expecting an increase in audit fees in excess of 50 percent this year," says Speare. The costs of compliance carry a productivity impact too. "These people absorb time that we hadn't projected," he notes. "It's soaked up hundreds of hours of my people's time -- about 15 of the 90 people that I have. We hadn't anticipated it, and stuff just isn't getting done. We're falling behind on what we should be doing."
But Sarbanes-Oxley, of course, is a legal requirement. Argument is not an option. Sarbanes-Oxley audits, which came into effect in 2003, are still breaking new ground. And auditors are still relative greenhorns. Internal auditors, working to cut compliance costs, are ratcheting up their in-house efforts to pass along findings (and save time) for the external auditors. Speare is among the executives who says he expects auditors to come up with additional requirements next year.
This makes sense, of course, if you look at the risks of noncompliance with audit requirements -- for example, criminal prosecution for CEOs and CFOs who have to vouch for the quality of their financial statements under Sarbanes-Oxley.
"We're certainly seeing the audit function's prominence increasing, but if you look at executives' personal exposure, that's a pretty reasonable response," adds Patrick Heim, vice president for enterprise security at pharmaceutical and health-care company McKesson of San Francisco. Under Sarbanes-Oxley, a company's senior executives must testify, under penalty of a spell at Club Fed, that no nasties lurk in the figures -- or could upset those figures with sudden changes to the business's performance or capabilities. And it's that latter requirement, of course, that exorcises CSOs. Nor is Sarbanes-Oxley solely concerned with information security. Yes, flawed information security can damage a business but so can flaws in physical security.
Audit scrutiny not just for public companies
What's more, Sarbanes-Oxley compliance is extending way beyond the relatively narrow group of publicly quoted companies formally affected by its strictures. New York-based Radianz, for example, a provider of network connectivity to the financial services industry, is not bound by Sarbanes-Oxley requirements. It's 51 percent owned by Reuters Group PLC, with the balance held by a France Telecom SA subsidiary called Equant NV. But even though Radianz need not comply, the company is acting as if it does, says its CSO, Lloyd Hession.
"People think that Sarbanes-Oxley is about public companies traded on the New York Stock Exchange. But any company with aspirations to go public, or that is likely to be acquired by another entity that is itself publicly quoted, needs to worry about Sarbanes-Oxley and be compliant with the regulations," says Hession. "For these companies, Sarbanes-Oxley is having a much bigger impact than was initially expected. Even if you're not being audited for compliance, you need to act as though you are."
Indeed, privately held financial services institution Ameriquest Mortgage Co. of Orange, Calif., where ASIS President Pierini holds down the CSO position, also seeks compliance with Sarbanes-Oxley's requirements. "Even though we're privately held, we're working to those same guidelines as a best practice," says Pierini.
And Sarbanes-Oxley, the subject of much talk over the past year, is not the only regulation in town. Many businesses and organizations that aren't subject to Sarbanes-Oxley comply with state or federal rules that, for example, protect the privacy of a California consumer or the medical records of a health-care patient. Again, it's the auditors that come knocking on the CSO's door -- no more frequently than before, perhaps, but now the door is opened with the knowledge that what's under way is no mere box-ticking exercise.
So what's a CSO to do?
Strategy No. 1: Cooperate
Cooperation with auditors is part of a winning strategy. "Audits are expending more of my time than they used to, but at the same time I consider auditors a partner. We have very similar charters," says McKesson's Heim. "It's definitely not an adversarial relationship. If I spend time on something, it's often because I'm leveraging their work in the first place. So whose time it is really is immaterial."
While the audit folks undeniably have their boxes to tick, some of those boxes can aid the CSO's cause -- such as those pertaining to the importance accorded by the security function within a properly compliant organization. If the status of the security function within an organization appears too low for the responsibilities it carries, then it's certainly within the audit function's powers to put that right.
At the Philadelphia Stock Exchange Inc., for example, the position of CSO Allan Pomerantz and his team was elevated as a direct result of an audit finding by regulatory authorities that recommended that security report to the Exchange's CIO, rather than its vice president of quality assurance.
Audit can also be an ally when it comes to obtaining funding for hardware or software investments, says Pomerantz. A proposed expenditure that carries Audit's blessing "is easier to gain approval for compared to one that doesn't," he says.
What's more, he adds, proactive cooperation (as opposed to begrudging compliance) is a smart move in terms of minimizing the adverse impact of any security demerit that Audit identifies. There's always a question of how much information to volunteer, says Pomerantz. "We've always found that the best policy is to be open and honest. These guys aren't dumb -- and if you've got an exposure, they are going to find it. The relationship is going to get much more adversarial if they write it up as a problem that they've found and that you've denied, and that now you're going to have to fix it."
Strategy No. 2: Document everything
Auditors love paperwork, and CSOs must acquire the taste too.
"In the Sarbanes-Oxley environment, it's more important than ever before for CSOs to pay attention to detail and to document that detail," says Pierini.
In other words, the audit function can't audit something that is in people's heads, or something that people say they would do in a specific set of circumstances; instead, they want to audit plans and procedures.
"If, for example, there's a threat to the company, or to an employee, it's important to document both the threat and the response -- and to use the response to develop and build upon contingency plans," Pierini advises. "If someone is threatening a branch (office), make sure that you have a documented set of policies and procedures to cover every eventuality, together with set escalation points."
Don't forget, too, that audit can be used after the event, as well as before it. So if you have plans and procedures, it's important to follow them and to make sure that others follow them. "If something happened and audit said, 'Why did you call in an unarmed security guard rather than an armed security guard?' then you need to be able to answer that question."
Strategy No. 3: Trust but verify
For the security-audit relationship to work properly, there needs to be cooperation and trust. But CSOs also need to exercise an essential element of judgment. It's one thing for audit to identify an issue; it's quite another for there to be a significant or unacceptable risk attached to the issue.
"Security decisions should be made on the basis of probabilities and risks, and investments made to minimize those risks," says Heim, of McKesson. "But meeting compliance requirements also involves making investments. And those investments may not map onto where the biggest risks lie." E-mail encryption is a case in point, he says. "There really aren't examples of people intercepting e-mail on the Internet, but huge amounts of money are still being spent guarding against it."
So it's appropriate to verify whether an auditor's query is appropriate. On this point, two-way dialogue is vital. Heim says, "Sometimes the analyses can be a little simplistic, and something doesn't get a tick, and you need to explain (to audit) why something isn't relevant or how the risk has been mitigated in some other way. It's all part of the negotiation process."
Strategy No. 4: Teach them security
Heim's mention of a back-and-forth negotiation between auditors and security executives carries with it an important conclusion: Security-savvy auditors are a must.
Communicating with auditors as part of a cooperative process is one way of educating them about the security function. Another solution, according to Radianz's Hession, is to obtain the requisite combination of skills and separation by turning security folks into auditors.
Hession says he felt so strongly about being audited by people who knew what they were looking at that he recommended the creation of a security audit function. "I don't report to the audit committee, but the head of corporate audit does," he explains. "So I took two of my most senior people and put them with the corporate audit function." The plan, he adds, is that these two individuals will then recruit a small team to complete the function.
If placing security experts into the auditing department sounds dramatic, it could go toward ensuring some expertise in a field known for turnover. Joe Koletar, a New York-based principal in the investigations and disputes practice of Ernst & Young International, says that in spite of audit's fresh prominence, "internal audit shops face exactly the same issues that corporate security faces -- a lack of recognition and an inability to quantify its impact on the bottom line." Koletar cites a 2002 job market outlook survey by Internal Auditor Magazine, which showed that almost half the people in a typical internal audit function would have either left the company or left the function within four years. "They are a young and mobile workforce, and they tend to move on."
The need for mission clarity
It's good to cooperate, to communicate, to help auditors understand the security function. But while the audit and security functions may have similar risk-avoidance charters, it's important to keep in mind that they are in fact different roles with different missions.
Javed Ikbal, CISO of financial services company Omgeo LLC of Boston, says this is a reason CSOs should avoid working too closely with auditors, for risk of creating a conflict of interest.
"Audit and infosec don't see things -- or think -- in the same way," Ikbal says. "A fundamental difference is responsibility. Audit's role begins and ends with finding gaps and following those up until either they are closed, or management accepts the risks. Infosec does exactly the same thing, but they are the ones who close the gaps and get audited on the follow-up as well."
At the end of the day, Koletar says he is an enthusiastic advocate of the principle of audit and security working closely together. But he doesn't want to see CSOs overestimate the audit function's strength.
It seems even the auditors want to retain some tension in the relationship.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.