Questionable Conclusions - audit report

Internal Auditor, Oct, 2001 by Norman Marks

The CIO and auditor clash over the fairness and objectivity of the audit report.

LOSING MEETINGS WERE becoming almost routine for John, the senior information technology (IT) auditor at TBG Inc. As he prepared to enter the conference room, he reflected on the just-concluded data security audit of Imagine, a subsidiary of TBG and one of its five major business units.

Like TBG's other holdings, Imagine operated independently. TBG had security guidelines, but each business unit was free to choose its own software and adopt its own standards. TBG's chief executive officer was always ready to acquire new businesses and spin off others. Imagine was a fairly new acquisition with a new management team. One of the newer team members, Mark, was the chief information officer (CIO) and would be the principal auditee -- or customer, as John reminded himself that the term "auditee" was no longer politically correct -- in the closing meeting John was about to attend.

Mark was the former head of TBG's IT audit group. In fact, he had approved John's hiring just a year ago. Mark had led the due diligence review of Imagine and reported not only that the security in place was not up to TBG's standards but that the systems were not sufficient to meet TBG's growth expectations. Because Mark did such a sound job of identifying the problems, he was given the opportunity to correct them as CIO. Before taking the position, he obtained approval to increase the IT budget, both expense and capital, so he could fund the new systems and hire seasoned security professionals.

Once Mark had been on the job for a year, he requested a data security audit. As he told the IT audit manager, "I think we are on the right track, although we still have a long way to go. But I am too close to the situation to be objective, plus I need to focus on our new ERP system project. So, give data security a thorough review and let me have your opinion." The IT audit manager had selected John to lead the audit because of his strong technical background.

The data security audit identified numerous issues, and John expected Mark to be pleased. The assessment (audit opinion) in the draft John sent Mark before the closing meeting indicated that strong progress had been made and described the data security staff as highly competent. But it also identified significant security gaps that remained. In John's opinion, the security weaknesses were severe enough to warrant discussion with senior TBG management and possibly the audit committee.

As John walked into the conference room with his audit team, he felt the air around him chill. Then he saw Mark. No chill there; the man was red from head to toe. Even before John was settled in his seat, Mark was leaning forward and saying, "John, this is not at all what I expected from you! This report is unfair and I have significant problems with it.

"First, all the so-called 'findings' in your report are listed as high-priority projects in the security project list that we gave you on your first day. Yet, you report them as findings, implying that we didn't know about them. Second, you recommend that we complete all these projects by the end of next quarter when you know we simply don't have the staff or budget. Third, when my data security manager told you the timetable in the project list was the best he could do with the available resources, you agreed. You told him you would give the projects the same priority if you were in his shoes, suggested he needed more staff, but refused to recommend to TBG management that more staff be hired. You told him that hiring more staff should be in the management response.

"Mark, it looks as if you are trying to make a name for yourself at my expense. I know you are fairly new. I remember your hiring interview. Perhaps the new IT audit manager is telling you that it is internal auditing's job to report the issues and it's up to management to bring up business priorities, budget, and staffing. Whatever is behind this," Mark continued, shaking the draft report, "I don't like it. If you persist with these damning comments, I will respond strongly. Otherwise, top management and the audit committee will misunderstand, and my future at TBG will be on shaky ground."

John was stunned by these words from a manager he respected. He responded weakly, "Mark, I understand you are upset by the way the report is worded. You feel it doesn't reflect the good work that has been done and the plans in place to bring security up to standard. Let me review the draft with my boss and get back to you."

If you were John's boss, what would you recommend he do? Here's how three internal audit experts would respond.

ROD WINTERS

Senior Director, Internal Audit Services, Microsoft Corp.

In crafting possible strategies for John to follow, it helps to consider the underlying factors that contributed to this outcome. Take, for example, the incompatible objectives of John's various stakeholders. Mark wants fair reporting of the progress he's made and the constraints he's working under, and he doesn't want to look inadequate in the eyes of TBG's top management and audit committee. TBG's management and audit committee, on the other hand, want full and objective reporting on all serious matters identified during an audit. Such incompatible objectives are not uncommon in our business and must be effectively managed for an internal auditor to be successful.
