Muddled Organization

It was the end of the day when I finally met with the director of internal audit. By then, I had more questions than answers. But if one of those questions was whether this job would work out for me, it was pretty much answered when he said, "I have met with several people who have as many acronyms after their name as you do, but they are just going to do what I tell them to do." I just had to laugh and say, "That has never been me. I'm kind of opinionated."

He must have realized that I was concerned about reporting to internal audit, and our discussion led me to draw an organizational chart on a sheet of paper. On my chart, IT was separate from internal audit and from what I called "business controls." Under that heading were information security, disaster recovery and business continuity. Each of these three disciplines reported to a separate C-level executive, with IT reporting to the CIO, internal audit to the chief financial officer or CEO, and business controls to either the chief operating officer or CSO. This avoids the problem of the fox guarding the henhouse.

But my ideal organization is likely to be adopted about the time that I begin collecting royalties from my Harry Potter-style movie franchise. The bottom line is that most organizations, and certainly this one, don't understand the magnitude of the tasks they want these disciplines to undertake, and they aren't yet willing to properly staff for it all.

As we ran out of time, the internal audit director asked whether I would meet with him again so that he could convince me that the position could flourish under his department, given a chance and the right leader.