In the last deTECH newsletter (blog) we addressed two key relationships, in-house System Administrators and third party IT Vendors, and a few of the incentives and associated risks driving their suggestions. This week we will address two more: Consultants and IT Auditors.
Consultants (non-IT Auditors)
For purposes of this newsletter, I am defining “consultants” as people or businesses hired for a predetermined period to accomplish a specified goal. Maybe they are hired to evaluate the current status of your IT department and provide feedback on how to improve efficiency. Or perhaps they are charged with evaluating several different proposals for services. I’m talking about “Bob and Bob” from Office Space.
Scope of Success
If a business is already to the point of hiring a consultant, they probably have a goal in mind. The consultant and business will agree to a Scope of Work (SOW) before the engagement begins. The SOW should be the driving factor behind the engagement and the measure of success. Therefore having a properly defined SOW is critical to successful engagement with a consultant.
When a consultant is engaged, it will be for the period of time until the SOW is accomplished. The finite period could encourage the consultant to complete the work without keeping the long term vision of the business in mind. Objectivity is valuable in a consulting relationship, but if a consultant does not work to understand the culture or identity of the business, the results may not be favorable.
Nothing is sacred in the newsletter/blog world. As you evaluate IT stakeholders and providers, you should include your IT Auditor in the analysis. Let me be honest; your IT Auditor is always right and you should listen to what they suggest, no questions asked. Just Kidding. Snark aside, there are definitely some considerations when evaluating advice from your IT Auditor.
Scope of Success
In most circumstances, the IT Audit works for the audit committee, internal audit department, or a combination thereof. Usually their scope of success is to 1) identify risks in the IT system and the supporting internal control structure and 2) provide suggestions to correct or mitigate the risk. Much like a consultant, an IT Auditor works within the structure of an engagement letter (an auditor’s version of Scope of Work), so completing procedures outlined in the engagement letter and providing accurate feedback will be considered a success.
IT Auditors usually have either an audit background, typically from the accounting profession, or a technical background where they were previously a system administrator or networking professional. Both backgrounds can be valuable as an auditor. Auditors from an accounting background will have the expertise to following a business process, identify where a risk exists, and identify or design controls to mitigate the risk. Auditors with a technical background will be successful with examining specific configurations and recommending changes.
As we noted above, an IT Auditor’s goal is to accurately report findings and reduce risk. Risk reduction may be a costly process and create additional overhead in resources, personnel and time. Before blindly implementation a suggestion from an IT Auditor, management should carefully consider the real risk and additional overhead, and make a determination if the cost is worth the benefit.
Another risk with IT Auditors is the propensity for “check box auditing”. The perennial goal of increasing efficiency can easily lead auditors to create checkboxes and bullet point lists to complete an audit. Although in some circumstances this may be reasonable (like physical security observations), relying on check box audit programs will not effectively account for variables in the specific business like number of IT staff, depth of knowledge of employees, risk level of data, etc. In addition, check box auditing does not consider compensating controls in an IT environment. If the check box is “no”, the finding is issued. This type of audit generally accepts the bare minimum, meaning as long as the auditor can check the box, it is good enough.
Many other relationships exist that can be evaluated. Your peers, regulatory agencies, end users within your organization all can provide valuable information. We hope the next time your business is approached with an IT change that you use all of the resources at your disposal, examine the responses, consider their incentives, and make an informed decision.