FRAMINGHAM (07/17/2000) - Information technology auditors don't like to think of themselves as cops, but they do monitor IT projects for delays, mistakes, undue risks and other costly and embarrassing problems. Often coming from corporate auditing backgrounds, IT auditors have to evaluate two areas: project progress and political winds. It's an IT auditor who must tell a powerful CIO what's gone wrong under his command and then break the bad news to senior management.
Even aside from those delicate political issues, the IT auditor's job is getting harder. That's because the pace of IT deployment has picked up as companies work to roll out Internet projects in Internet time.
"Being an IT auditor is a thankless job," says Bruce Webster, a director at PricewaterhouseCoopers LLP in Washington.
If the auditor doesn't find any problems, people question his effectiveness, Webster says. "If you do find problems, the people in charge of the project argue against you," he says. "The only way you are proven right is if a project fails."
That's a lot of guff to take for middling salaries. The average staff-level IT auditor earns $42,000 to $45,000 per year, while an IT audit manager makes $70,000 to $75,000, according to a recent poll of 1,220 members of the Information Systems Audit and Control Association (ISACA), a trade group in Rolling Meadows, Ill.
IT auditors generally find more respect at financial services firms than at firms in other industries, notes Mark Keil, an associate professor of IS at Georgia State University in Atlanta.
Banks, insurers and other financial firms are most receptive to auditing because of the exacting nature of their business, Keil says.
To increase the visibility of IT auditors among corporate management, ISACA launched an offshoot group called the IT Governance Institute (www.itgovernance.org) in May. The idea is to encourage the business side of the company to work more closely with technology managers. That includes building a higher profile for IT auditors, an ISACA spokeswoman says.
IT auditing has been a quiet career niche, often separate from overall corporate auditing, she says. "But that has to change if businesses - especially when they rely so heavily on technology - are to be successful," she says.
Through her own trial and error, Shelly Hogan has discovered that it's best for IT auditors to get involved at the start of a project and help guide it to a successful finish, rather than come in after its rollout to assess the damage.
Plus, problems that are spotted sooner are typically cheaper to fix.
That kind of proactive approach might sound like common sense, but it was initially hard to enact because of mistrust between the IT and auditing staffs, says Hogan, who until last month was an IT auditor at American United Life Insurance Co. in Indianapolis.
"Not being on the best side of IS professionals, they don't want to give you a lot of information about what they're doing and how they're doing it," she says.
But Hogan pressed on by regularly attending IT planning meetings and working to convince technologists that she was there to help them succeed.
An e-commerce project last year was a breakthrough, she says. During development, auditors discovered that some basic security policies weren't being followed. For example, there was no time-out to log off users after 10 minutes of inactivity, she says.
By catching the deficiencies early, auditors saved the team from having to go back and correct them at rollout - a harried time when no one wants to be told to start anything over. Beinginvolved up front works best for both sides, Hogan says. "It's more of a partnership, rather than catching them inthe act of doing something incorrectly."
One of the keys to overcoming thedivide between IT and auditors is to educate the IT department about what an auditor's goals are in monitoring their work, says Greg Grocholski, one of 13 IT auditors at The Dow Chemical Co. in Midland, Mich.
Next, IT auditors must know the technology at all costs. IT experts don't want to be audited by people of lesser expertise, he says.
"If you're still viewed as the police, then you've done a poor job at marketing and informing others in the company about your mission," he says.
It's a never-ending process, though. In early 1998, after eight years in IT auditing at Dow Chemical, Grocholski encountered IT managers who questioned why auditors should be involved in the company's year 2000 remediation project.
"They thought of us as technical auditors, not business auditors," Grocholski says.
It wasn't until after he had created and distributed a detailed plan for how his team would help Dow Chemical's Y2k efforts that the IT group agreed to work with the audit department, he says.
Company culture can also inhibit auditors from reporting serious dangers.
"Large IT projects tend to be associated with bonuses and promotions that people don't want jeopardized," says Webster.
He recalls a Fortune 100 financial services firm on the East Coast where the IT department used to boast that it was never late or over budget because it would redefine project parameters to meet whatever deadline was set. Then it would immediately start a follow-up project "to get the thing actually working," Webster says.
Some IT departments try to avoid formal audits with self-policing. The Earthgrains Co., a food distributor in St. Louis, does that, and it teaches IT managers to give a firm "no" when too many user requests will delay an application development project, says Stephen Brazile, Earthgrains' CIO.
The company has no internal IT auditors but relies on external monitoring from its accounting firm, PricewaterhouseCoopers. "If we don't finish on time, it's tough. You get a lot of questions from executive management," Brazile says.
At least 75% of Earthgrains' IT projects are on time and on budget, he says.
International Truck and Engine Corp. in Chicago doesn't have internal auditors, either. Art Data, vice president of IT, tries to keep the success rate for IT projects high by keeping them small. "The smaller we can keep [IT projects], the more chance you have to keep them on time and on budget. The bigger ones, we don't do as good a job," Data says.
Fifty percent to 75% of International Truck's IT projects are completed on time and on budget, he says.
Yet having an IT department monitor itself creates a conflict of interest, experts agree, because the work isn't done objectively with metrics that are independently verified. As Webster puts it, "You don't ask the software engineer How much do you think you have left? How good a job are you doing?' "Standing togetherEven if they're viewed warily, many IT auditors feel a kinship with the people they watch. They have a lot in common.
Pressure to do business on the Internet, for example, has forced IT organizations - and auditors - to work faster and learn about new technologies at a much quicker rate, says Jill Joseph, an IT auditor at Blue Cross/ Blue Shield of Louisiana in Baton Rouge. Furthermore, Joseph says, online systems projects introduce many new areas for IT auditors to police, such as cybercrime and hacking.
"There's a whole set of different exposures out there," she says. "We have that learning curve to overcome, just like the IT folks."