Because IT support is integral to almost all financial and nonfinancial activities, the guys in the green eyeshades are now gunning for the IT group. Prepare to answer more questions in more detail than ever before.
"The auditors are coming!" In the same vein as "the steering committee is meeting in two days time", the words are likely to cause anything from mild anxiety to outright panic. After all, no one particularly wants to be audited, and IT people in general have never been very fond of auditors. As the old joke goes: "Auditors go onto the battlefield after the battle to shoot the survivors."
Indeed, going back to the 1980s and earlier when systems, especially packaged ones, were inherently unstable, over-stretched maintenance programmers constantly had to tweak applications and manually override erroneous data caused by software bugs and system crashes. Such practices were necessary to keep the business functioning, but of course it was not hard for backroom auditors, buffered from such realities, to find fault with IT as a result.
Even now, as Steve Withnall, Spherion's group IT director Asia Pacific, puts it, the first thing about an audit is to expect the auditors to find something remiss. "They're very uncomfortable if they don't, and I would really like to meet the person who has the perfect IT shop," Withnall says.
At the same time, in these cash strapped days CIOs can turn auditors' findings to their advantage in their dealings with the board and senior management, and even earn some kudos along the way. "IT risk management [for example] is not well appreciated by business. So the auditors can be your friends and help you bring things to senior management attention and get the necessary priority for them. Sometimes the auditors will support you for things you've been trying to get done anyway, such as funding for IT security," says Hemant Kogekar, general manager application services, Suncorp.
During his career Kogekar has dealt with internal auditors, external auditors (in his case PricewaterhouseCoopers) and, while he was head of technology at Citibank in Australia, regulatory auditors from the US Federal Reserve. The purpose of an IT audit, Kogekar says, is to ensure compliance against the company's policies, as well as to ensure the adequacy of controls and governance in how projects are being managed. He accepts auditing as a necessary practice, and where the auditors are giving you the benefit of their knowledge he says it can even be quite enjoyable and throw up a few pleasant surprises. However, he admits too that it is not something he readily looks forward to and that it "can be a pain in the neck".
"The audit process can be positive or negative depending on how the auditors work with you, and whether it's a partnership or not," Kogekar says. "There is still some hostility [between CIOs and auditors]. Some individuals are too purist or nit-picking and take a view that any risk is a bad risk as opposed to it being a justified risk for the business.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.