It's all about trust

03.04.2006
Name: Ross Wescott

Job: Chief IT auditor

Employer: Portland General Electric Co., Portland, Ore.

Years in current specialty: 20

How long have you been in IT? Prior to becoming an IT auditor, I held various positions in IT over 13 years, from programmer to systems programmer, with my last position being a data center manager. I was fortunate to receive a broad exposure in my early years.

What is the most important contribution you make, and how do you make it? There are two areas where I think I contribute. The first is through formal audits. I test and give my opinions on the state of internal controls and then produce a formal report that shares this information -- including improvements that can or should be made -- with the rest of the company.

The second is through informal consulting. I may stand in a hallway, sit in a cubicle or simply respond to an e-mail with a casual evaluation or an answer to a question. An example of a question would be, "We're thinking of consolidating our 100 Unix boxes down to 10. What do you think the risks might be?" or, "What resources do you have that will help us to develop a penetration-test charter?" We talk about whatever they are concerned about or want to know. Both aspects of the job are important.

What is an internal control? An internal control is any and all the means -- tangible and intangible -- that can be used to ensure that established objectives are met. This will also include an organization's procedures that increase its efficiency and ensure that its policies are implemented and that its assets are safeguarded. For IT, the main controls that any organization needs to be concerned with -- at a minimum -- are for access security, problem and incident reporting, change management and application development.

What is the most important IT skill or aptitude you need to do your job? To do it well, I need to understand how technology works, how technology people view their jobs and how IT fits into the organizational picture. That gives me the broader viewpoint I need to suggest improvements. I don't need to know how to do the technical jobs, but I need to understand how they fit into the overall scheme of things. Other aptitudes that auditors need are curiosity and persistence. We need to be able to continue to ask questions until we're satisfied with the answer. Persistence is not aggressive and pushy but more along the lines of determined and consistent.

What is the most important soft skill or personality characteristic you need to do your job? Communication skills are critical. It's the people skills and the ability to get along with others -- to talk to them at their level (either higher or lower than my own) -- that makes them comfortable to talk with me. I could just look at data and procedures and form an opinion, but it would be shallow at best. IT people really hold the key to a well-run IT organization, and the auditor's ability to get them to talk about their jobs is vital in gaining an understanding of what is really happening. I think that an important personality characteristic is to be approachable. No one wants to talk to someone they find scary or untrustworthy. Being approachable must also imply that you have integrity and [can be trusted with] what they want to say to you.

What is the biggest misconception about what you do? That I am somehow the organizational police looking only for violations (internal control concerns) and then enjoying handing out organizational tickets (audit findings). That's a harsh viewpoint that the profession has tried to step away from for a very long time. We're mostly succeeding, but we have not yet arrived at audit Valhalla.

What do you like best about your job? I have been fortunate to not be limited to IT audit but also perform operational and financial audits. I thoroughly enjoy being free and able to see the entire company and all of its operations. This gives me a broader perspective than if I were just limited to IT alone. That's what I like the most.

What do you like least? I do not enjoy delivering bad news, because sometimes people like to shoot the messenger. Fortunately, this has happened very rarely in my career.

What should other IT people know about your role? That I really am on their side and not an antagonist to their work. I view my role as an objective partner who has others' interests at heart. I really do want to see them succeed, and if I can help them succeed in their control responsibilities, then I have done my job and can go home satisfied at the end of the day. It's all about them and not about me.

What should business people know about your role? Pretty much the same as the IT people. In fact, I don't separate IT people from business people. They have differing specialties and tasks but should be trying to achieve the same goals.

What would enable you to do your job better? If auditors don't have the right tools to make their jobs efficient and effective, then it is always an uphill climb to get the job done well. Important tools are those for data mining, electronic working papers, and centralized issue tracking and repositories, to name three. Adequate training is always important and should be a balanced mix of technical and soft-skills education. The IT auditor should also try to get broader exposure to other areas of the business and of the audit process, for example, by learning how to do financial audits. The effect of a broader exposure is a greater understanding of the entire business process, and as a result, it makes them more effective in suggesting improvements at the department level.

If you were not an IT auditor, what would you be? That's a tough question. If I were financially able to not work, I'd be volunteering somewhere for some cause. Outside of that, being an auditor has been very good to me, and I'll probably finish my career as one unless there's an ideal job within IT that has my name on it.

How does the future look for your role? The future looks bright. Most organizations can't live without technology and, as a result, must have adequate technology controls in place to ensure the achievement of their business goals. Unless the business community goes back to quill and parchment and the running courier, there will always be a place for the IT auditor.