Bart Perkins: Avoiding IT audit nightmares

No organization wants its problems announced to the whole world. In IT, when something goes wrong, our inclination is to tell the internal people who need to know while at the same time communicating our plan to resolve the problem. But such discretion is no longer viable. Because of regulations under the Sarbanes-Oxley Act, IT problems are now appearing in 10-Ks, as "material weaknesses." That phrase could indicate that enterprise financial data is inaccurate. Yikes!

The Federal Home Loan Mortgage Corp. (Freddie Mac) encountered this nightmare in its 2011 and 2012 10-Ks. Auditors stated that material weaknesses existed in Freddie Mac's internal financial reporting controls. The 2011 10-K acknowledged the weaknesses, asserting that they resulted from the conservatorship imposed during the financial crisis. The 2012 10-K stated that the 2011 problems were "related to our inability to effectively manage information technology changes and maintain adequate controls over information security monitoring, which resulted from increased levels of employee turnover."

Such public confessions attract unwanted scrutiny from executive management and the board. Their concern is well founded. Freddie Mac's 10-K filings contributed to a free fall of its stock.

Freddie Mac's IT challenges are hardly unique. In its 2012 10-K, it stated, "Our core systems and technical architecture include many legacy systems and applications that lack scalability and flexibility." Later, Freddie Mac added that its accounting systems "lack sufficient flexibility" and went on to explain that "this requires us to rely more extensively on spreadsheets and other end-user computing systems."

If any of this sounds familiar, start addressing the issues now to prevent being cited in a future 10-K. Here are some ways to do that:

Take audits seriously. Annual audits assess incident management, change management, availability management and other internal IT controls, resulting in a list of "findings." But auditors often fail to assign relative importance to those findings, leaving IT to set priorities. Because fixing audit-related issues generally receives far less emphasis than other projects, the same issues might remain on the list for years. This is a mistake. Change your attitude, and consider the audit an opportunity to determine how well IT functions and supports the enterprise.

Develop an "insurance" business case. One thing that puts projects that address audit findings on the back burner is that they don't directly affect profits. That makes them unsuited to a traditional business case structure. You need to make an "insurance" business case, arguing that an investment is warranted because the impact of a potential event is so catastrophic. This approach, commonly used for SOX compliance and business continuity plans, can be used to justify funding necessary to address known IT weaknesses.

Reinforce IT's operational importance. Most executives and board members know that financial, HR and other operational systems depend on IT. But those systems aren't sexy, and they aren't market differentiators, so they tend to be taken for granted. Big mistake. When roads and bridges deteriorate, transportation slows. Similarly, crumbling operational systems slow the enterprise's ability to do business on a day-to-day basis.

IT material weaknesses in a 10-K paint a bull's-eye on the CIO's forehead. Top management might even decide it's easier to outsource IT than to fix it. Not good. Identify and correct IT issues before they land in the public eye. Or start updating your resume.

Bart Perkins is managing partner at Louisville, Ky.-based Leverage Partners, which helps organizations invest well in IT. Contact him at BartPerkins@LeveragePartners.com.


This story, "Bart Perkins: Avoiding IT audit nightmares" was originally published by Computerworld.
