Inadequate segregation of duties in the IT department prompts a tense meeting between the audit executive and chief information officer.
Dave is the chief audit executive (CAE) of Chem-R-Us (CHRU), a leading provider of services to the oil and chemical manufacturing industries. CHRU has annual revenues approaching US $1 billion and is traded on the New York Stock Exchange. The company maintains offices throughout the United States, with a headquarters facility in Los Angeles.
Since the recent economic downturn, CHRU has shrunk its IT workforce through attrition, choosing not to backfill positions that were vacated due to voluntary separation or job transfers. The departing employees' workload was generally reassigned among remaining employees. As a result, numerous tasks related to the U.S. Sarbanes-Oxley Act of 2002, as well as other compliance duties, recently changed hands at the firm. To make matters worse, certain control processes that relied on segregation of duties are now consolidated among the same employees.
As Dave returns to his office from a difficult meeting with Cynthia, CHRU's chief information officer (CIO), he sits down heavily on his chair. Dave had requested the meeting after three of Cynthia's departments failed recent audits. Plus, the external auditors had begun asking Dave if he was aware of control deficiencies in the IT function.
When confronted with the evidence of a deteriorating control environment, Cynthia told Dave that the cost of maintaining appropriate control segregation was excessive and outweighed the potential benefits. "Quite frankly," she said, "in this climate, our focus is on streamlining and cost-cutting. And I am sure our stockholders would agree."
Dave is surprised by Cynthia's cavalier attitude, and he is unsure whether to try working directly with her or to address the situation with the audit committee. He also doesn't know if other executive managers share his concerns, or if the CEO and chief financial officer (CFO) would support him in opposing IT's lax approach to controls.
What are Dave's options for handling this situation? What could he have said to Cynthia to help her understand the need for adequate controls, regardless of economic conditions? How can Dave turn this negative experience into a positive initiative?
Cost-benefit analysis is a well-established decision-making tool that is certainly relevant in challenging economic times. Dave should help Cynthia realize that her analysis may not have taken into account costs beyond those directly attributable to the IT controls. For instance, the CIO may not have considered the potential impact on the company's stock price in the event the auditors find a material weakness in CHRU's internal controls. Moreover, if the IT control deficiencies identified by the auditors contribute to a material weakness, a fraud, or a data security breach — all possibilities when important IT controls fail — the management team may suffer consequences.
Dave should ensure that IT controls tested for Sarbanes-Oxley and other compliance purposes are the right controls — those that truly matter to the performance of the business and to sound internal control over financial reporting. Once management and the auditors agree that the identified controls are key, Dave should have a solid foundation for ensuring the organization pays appropriate attention to IT controls. By working with the business to rationalize key controls and by testing these controls efficiently across multiple compliance requirements, Dave can decrease compliance costs while still ensuring a sound control environment. These efficiencies should reduce the compliance burden on the smaller IT staff, allowing the department to concentrate on critical functions and duties. Moreover, the identification of key controls should lower costs by reducing the amount of external auditor time required to perform control tests. Given Cynthia's cost-consciousness, and Dave's reminder of the larger scale costs of control failures, the CIO should appreciate the value of maintaining strong IT controls, especially in an economic downturn.
Finally, given its responsibility for oversight of both external and internal auditing, CHRU's audit committee will eventually be informed of the auditors' views on the IT controls. The committee will want to ensure that management is aware of the control deficiencies and that it's making appropriate progress toward correcting them. From a practical perspective, it would behoove Cynthia to approach the IT control deficiencies in a collaborative manner rather than confrontationally.
While Dave's specific situation may be somewhat unique, most CAEs have likely had similar conversations within their organization during either the current downturn or other periods of economic adversity. Dave should demonstrate appropriate leadership by taking several proactive steps to address the IT concerns.
First, he should meet with the internal audit teams that participated on audits of Cynthia's departments — those with positive outcomes, as well as the three failures. During the meetings Dave should make sure he fully understands these failures, and he should consider their implications for Sarbanes-Oxley controls and other compliance-related tasks. Next, he should discuss the findings with each of the IT department leaders to understand their perspective on the reduced workforce, reassignment of control responsibilities, and segregation of duties conflicts. Dave should also explore changes made within the IT organization during the past few years and consider ways to mitigate the segregation of duties issues.
Once Dave gains a better understanding of the audit results and the IT function's current operations, he should meet with Cynthia again. He should explain that while maintaining an effective control environment is important during good times, it is even more crucial during times of financial stress. When the business environment is difficult and employees are stretched thin, companies cannot afford a significant failure — especially one with widespread IT ramifications. CHRU stockholders may appreciate management's control on costs, but not if it comes at the risk of a significant IT failure.
Dave should also discuss the IT function's current operations, as well as options for improving the control environment — particularly its segregation of duties. For example, he can advise Cynthia on how to shift some control responsibilities to other IT employees in an effective and efficient manner, without impacting overall head count. Dave can demonstrate his desire to partner effectively with the CIO by offering sound advice and recommendations to reduce the risk of control failures.
This situation provides Dave an opportunity to facilitate positive change for a key client, and the company overall. He should thank Cynthia for her frank comments, explain that he empathizes with her situation, and demonstrate his willingness to help improve her department's internal controls despite the organization's budget constraints.
Dave must share his assessment of the situation with Cynthia and explain that, as CAE, he is responsible for alerting executive management and the audit committee to any areas that expose the company to excessive risks. He should remind her that compliance requirements and IT risks do not diminish when the economy takes a downturn — in fact, the risks may increase. Dave should also politely remind Cynthia that, if the external auditors identify control deficiencies as either significant or as material weaknesses for Sarbanes-Oxley purposes, he may eventually find out whether executive management shares the same increased risk appetite.
Rather than dwell on potentially negative occurrences such as a control breakdown or an inquisition by upper management, Dave should encourage Cynthia to see this situation as an opportunity to reexamine the audit findings and noted deficiencies. Working together, their respective teams can re-assess the risks identified and determine how to mitigate them in a cost-effective manner. Dave should also offer to support Cynthia in the event that risk mitigation requires additional resources and funding.
Because of the IT department's reduced size, Cynthia may be able to use alternative approaches to maintaining solid internal controls. Moving toward a least privilege-based access policy, for example, may remove high-level access from enough individuals to eliminate or limit segregation of duties conflicts. In addition, implementing monitoring controls might sufficiently mitigate the risks identified in recent audit findings, including unapproved, untested, or unintended code entering the production environment.
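The two compensating approaches named above, trimming entitlements to least privilege so that conflicting duties no longer sit with one person, and monitoring production changes for missing approval or testing, can both be expressed as simple checks over access and change data. The following is an added example written for this article, not CHRU's or any vendor's code; the entitlement names, the segregation of duties rule pairs, and the sample users, change records and deploys are all constructed for illustration.

```python
"""Added example: a segregation of duties (SoD) conflict check, a least-privilege
trim, and a monitoring control over production deploys. All data is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed SoD rule set: pairs of entitlements one person should not hold together.
SOD_RULES = [
    ("develop_code", "deploy_to_production"),
    ("approve_change", "deploy_to_production"),
    ("approve_change", "develop_code"),
]


def find_sod_conflicts(entitlements):
    """Return {user: [(right_a, right_b), ...]} for every user holding a conflicting pair."""
    conflicts = {}
    for user, rights in entitlements.items():
        hits = [(a, b) for a, b in SOD_RULES if a in rights and b in rights]
        if hits:
            conflicts[user] = hits
    return conflicts


def least_privilege(entitlements, required):
    """Trim each user's rights to the set their current duties actually require.
    `required` maps user -> rights needed for the role; anything else is removed."""
    return {user: rights & required.get(user, set()) for user, rights in entitlements.items()}


@dataclass(frozen=True)
class Change:
    change_id: str
    developer: str
    approver: str
    tested: bool


@dataclass(frozen=True)
class Deploy:
    deploy_id: str
    change_id: Optional[str]  # None means code reached production with no change record
    deployer: str


def review_deploys(deploys, changes):
    """Monitoring control: flag production deploys that lack a change record, that
    carry an untested change, or where one person filled two roles on the change."""
    by_id = {c.change_id: c for c in changes}
    findings = []
    for d in deploys:
        change = by_id.get(d.change_id) if d.change_id else None
        if change is None:
            findings.append((d.deploy_id, "no change record"))
            continue
        if not change.tested:
            findings.append((d.deploy_id, "untested change"))
        same_person = (
            change.approver in (change.developer, d.deployer)
            or d.deployer == change.developer
        )
        if same_person:
            findings.append((d.deploy_id, "segregation of duties violated"))
    return findings


# Constructed sample data: one developer still holds a production deploy right.
ENTITLEMENTS = {
    "alice": {"develop_code", "deploy_to_production"},
    "bob": {"approve_change"},
    "carol": {"deploy_to_production"},
}
REQUIRED = {
    "alice": {"develop_code"},
    "bob": {"approve_change"},
    "carol": {"deploy_to_production"},
}
CHANGES = [
    Change("CHG-1", developer="alice", approver="bob", tested=True),
    Change("CHG-2", developer="alice", approver="alice", tested=True),   # self-approved
    Change("CHG-3", developer="alice", approver="bob", tested=False),    # never tested
]
DEPLOYS = [
    Deploy("D1", "CHG-1", deployer="carol"),   # clean
    Deploy("D2", "CHG-2", deployer="carol"),   # approver == developer
    Deploy("D3", "CHG-3", deployer="alice"),   # untested, and developer deployed it
    Deploy("D4", None, deployer="alice"),      # no change record at all
]


def run_review():
    """Run both controls over the sample data and return the results."""
    before = find_sod_conflicts(ENTITLEMENTS)
    after = find_sod_conflicts(least_privilege(ENTITLEMENTS, REQUIRED))
    return before, after, review_deploys(DEPLOYS, CHANGES)


if __name__ == "__main__":
    before, after, findings = run_review()
    print("SoD conflicts before least privilege:", before)
    print("SoD conflicts after least privilege:", after)
    for deploy_id, reason in findings:
        print(f"{deploy_id}: {reason}")
```

In practice the entitlement map would be exported from the access-management system and the change and deploy records from the ticketing and release tools; the point of the example is that the monitoring control keeps working even when the same few people hold several roles, because it tests each change for role separation rather than relying on the org chart.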
All IT shops, regardless of size or economic conditions, should maintain a solid internal control framework evaluated against the service levels expected by their clients. A solid framework exists to give the CIO comfort that he or she can meet not only the fundamental client expectation of providing systems availability, but also the less explicit expectation of maintaining data integrity. Dave should emphasize that a framework is important to achieving the IT department's objectives — including cost effectiveness.
How would you handle this scenario? Continue the discussion by sharing your comments below.