You Bought It, Now Audit

(continued)

"As with a financial audit, always think of who the audit audience is," says Rozek. "Make sure the report has insights that executive management will understand, and also give sufficient information from a process-control and technology-control perspective."

Experts say CFOs should be copied on most or all IT-audit reports. "The CFO should absolutely rely on IT audits that affect the programs or operations for which they are responsible to provide assurance that the proper data security and controls" are in place, says Paul Hoshall, principal of Hoshall Associates, an IT-audit training and consulting firm in Fairfax, Virginia. "Without audits, I don't know how you can do this."

Michael Cangemi, president and CEO (and former CFO) of consumer leather goods designer Etienne Aigner Group in Edison, New Jersey, agrees that finance chiefs should push for IT audits and always be briefed on their findings. "When you do audits, you gain a basic control over the entire IT environment and systems. What better way is there for a CFO to verify that the company's investment in IT is working the way the board and management expect it to?" asks Cangemi.

Cangemi has a special appreciation for the audit function. He began his career in the 1970s working in IT auditing before advancing to high-level positions in finance, and authored the book Managing the Audit Function (Wiley & Sons), a new edition of which came out in 2003.

Etienne Aigner relies on an auditing firm to examine its critical business systems, such as those used for an electronic trading network with major retailers, a sales force automation program, and its growing Internet business. Cangemi says the audits make sure that systems are meeting standards for performance.

At J.C. Penney, the internal auditing department, which includes an IT auditing group, reports to the executive vice president, secretary, and general counsel, and works closely with the CFO and other members of senior management to develop annual audit plans and coordinate audits of key areas within the organization. The IT audit group audits such areas as telecommunications systems, business applications, network architecture, data-center operations, change management, disaster recovery/business continuity, electronic commerce, information security, and database security. And, of course, Sarbanes-Oxley.

IT audits do more than provide peace of mind or point out room for improvement: they can also zero in on potentially serious problems. The 15-member IT audit team at Depository Trust & Clearing Corp., for example, might conduct a weekend test of a backup system to simulate an abrupt shutdown, to ensure that it switches operations to an alternate site within seconds, as it is supposed to do. Since auditors look at communications and overall responsibilities across functional departments, they help pinpoint any breakdowns that could have an adverse impact on the organization, according to senior IT auditor Fredric Greene.

How frequently IT audits should be conducted depends on the type of audit and the individual needs of the organization, says Fred Heller, an IT-audit expert at Jefferson Wells. Certain IT assets, such as key business systems and applications, should be audited at least once a year. Others, such as data centers, can be audited every three years or so. "Companies can do multiple audits at the same time or on a cycle basis," says Heller. "Sometimes they need to do specific audits [at a certain time] because of a high risk, and the next year they have a different cycle."

A growing number of companies are conducting audits of extensive IT projects — such as an infrastructure overhaul or a rollout of mobile computing devices — to ensure that initiatives are running on time and on budget. "An IT audit can provide an assessment of how a project is being managed, how the systems and applications are working, and whether you can move to the next phase," says Heller. Many involved in IT audits stress that they are now a fundamental part of overall IT management.