Oh I See! Getting CIOs to view their jobs from a different angle

Jul 19 2011   8:13AM GMT

Surviving audits



Posted by: Arun Gupta
Tags: Audit and the CIO, BPM, CIO as business champion, Compliance and the CIO, GRC, Internal Audit, Process discipline

Once upon a time (actually not too long ago) a company and its audit firm lost their marbles, indulging in innovative accounting and practices that defied logic. The event resulted in the former shutting down and the latter being dismantled. Hapless citizens and investors who had put their faith in these firms lost their financial safety nets and were left poorer. The aftershocks felt by every other company spawned an entire industry of consulting services. SOX became a bad word for all CXOs, and everyone dreaded facing audits. Compliance gained prominence, and everything else became subservient to it.

IT, being the foundation of the processes and information that enable the enterprise, came under the scanner: it was not enough to demonstrate that data integrity and consistency were maintained; it was also necessary to provide evidence that others in the organization had not violated processes in ways that could lead to a loss of control. Thus, as custodian of the physical information assets and administrator of the logical processes, the IT organization had to fend off auditors of all types at unnerving frequencies.

The FUD factor

Consultants thrived on the FUD (Fear, Uncertainty, and Doubt) factor, as non-compliance had severe ramifications for the CIO, CFO, COO, and CEO. Perceptions of risk heightened the tension, as any risk classified as high needed immediate attention. Boards' tolerance levels tended to zero, and Risk Committees hounded functional heads to comply with the written word; the functional heads, in turn, turned to the CIO to address the sane and the inane alike.

Whether the audit is internal, statutory, or third-party, its basic intent is to review process execution consistently against good practice and to check compliance with stated policy. Additional frameworks covering quality, process maturity, security, and other areas give the enterprise incremental value over competitors. Policy, once stated, requires alignment with the real world to remain relevant; periodic review is therefore critical. When regulation imposes process changes, as with SOX, PCI DSS, or HIPAA, the enterprise has little choice but to comply. Some industries are more regulated than others; some companies pride themselves on their GRC frameworks, while the rest follow the path of least resistance.

Options for CIOs

So what strategies can the CIO adopt to avoid getting beaten up at every audit? CIOs should partner with their Internal Audit teams to work with each functional head and process owner to review and validate not just the process, but also the management of exceptions. If Internal Audit is unable to give this the necessary attention, seek external help, but do not ignore it. The CIO should create clear accountability and transparency for every task across the cross-functional teams involved in execution. It is important to note that people are the weakest link in any process discipline. Internal process champions or BPM experts are invaluable in the quest for excellence.

Compliance is non-negotiable; our shareholders and regulators expect every part of the enterprise to conform to the laid-down policies and principles. Good corporate governance expects no exceptions; yet despite all the controls, we still come across black swans that disrupt the equilibrium and raise the difficulty level. Unfortunately, the enterprise CXOs and the CIO have no choice but to run faster just to stay in the same place.
