You Bought It, Now Audit

Your technology infrastructure can be audited -- and probably should be.

These days, audits are rarely a source of solace, but finance executives who find IT
daunting may actually be relieved to know that IT audits are suddenly in vogue,
and provide exactly the sort of big-picture view that most CFOs need. IT audits
are not, as you may have guessed, a matter of pure accounting. The term covers
a lot of ground, but in general it can be thought of as the processes by which
organizations evaluate virtually any aspect of their technology controls,
capabilities, and performance. While IT audits have been conducted by some
companies for years, they're moving into the mainstream as regulatory
compliance, risk management, and information security become higher corporate
priorities.

If done properly, experts say, IT audits not only reveal weaknesses in compliance,
security, and other areas but also help companies save money by finding ways to
use IT hardware and software more efficiently and get a better handle on
technology assets. Organizations can use IT audits to ensure that their technology
initiatives are in sync with business goals and practices.

"These audits provide our CIO with an independent and objective review of his areas to
ensure data resources are protected, appropriate internal controls are in
place, systems are designed and developed to meet our business needs, and
internal system resources are used effectively and efficiently," says Ken
Askelson, IT audit manager at retailer J.C. Penney Co. in Plano, Texas.

There are many types of IT audits that cover a broad range of technologies and
processes. One type assesses IT governance, determining how well the IT
department is managed and staffed, and how efficiently it supports business
operations. Information-security audits examine security policies and such
technologies as firewalls, as well as analyze the integrity of networks,
databases, operating systems, Web servers, and applications.

Audits can focus on such major IT assets as ERP systems or on individual applications
like payroll and accounts payable. Some audits evaluate the effectiveness of
business-continuity and disaster-recovery programs, and others make sure that
organizations have adequate and up-to-date software licensing in place. Still
others are dedicated to ensuring that organizations are in compliance with such
regulations as the Sarbanes-Oxley Act of 2002 and the Health Insurance
Portability and Accountability Act.

IT audits frequently begin with a risk assessment, in which an organization
obtains an overview of the major systems and applications used to support critical
business processes. The intent is to identify existing or potential areas of
risk that should be addressed in future IT audits, says Paul Rozek, director of
technology services at Jefferson Wells International, a Brookfield, Wisconsin,
consulting firm that has seen its IT-audit work increase by 40 percent between
2002 and 2003. Organizations can then prioritize the audits based on the level
of risk. That initial assessment can also give executives a good sense of the
systems the organization has in place, and whether the company has sufficient
expertise and staff resources to conduct subsequent, more-focused audits. If
not, the organization will have to consider getting help from an outside expert
(see "Deciding Who Does What," at the end of this article).

The actual audits of individual aspects of IT, which can last a few weeks or
several months, involve testing the technologies and controls that are in
place, to make sure they are meeting corporate expectations. Once audits are
complete, reports are sent to the appropriate managers so they can address
specific needs.

For example, an information-security audit report would go to the CIO or other
senior IT executive, as well as to the chief information security executive.
Rozek says many IT-audit reports include an executive summary for higher-level
officers and more detailed information for the people who will actually be
putting necessary fixes in place.

"As with a financial audit, always think of who the audit audience is," says
Rozek. "Make sure the report has insights that executive management will
understand, and also give sufficient information from a process-control and
technology-control perspective."

Experts say CFOs should be copied on most or all IT-audit reports. "The CFO should
absolutely rely on IT audits that affect the programs or operations for which
they are responsible to provide assurance that the proper data security and
controls" are in place, says Paul Hoshall, principal of Hoshall
Associates, an IT-audit training and consulting firm in Fairfax, Virginia.
"Without audits, I don't know how you can do this."

Michael Cangemi, president and CEO (and former CFO) of consumer leather goods designer
Etienne Aigner Group in Edison, New Jersey, agrees that finance chiefs should
push for IT audits and always be briefed on their findings. "When you do
audits, you gain a basic control over the entire IT environment and systems.
What better way is there for a CFO to verify that the company's investment in
IT is working the way the board and management expect it to?" asks
Cangemi.

Cangemi has a special appreciation for the audit function. He began his career in the
1970s working in IT auditing before advancing to high-level positions in
finance, and authored the book Managing the Audit Function (Wiley & Sons),
a new edition of which came out in 2003.

Etienne Aigner relies on an auditing firm to examine its critical business systems,
such as those used for an electronic trading network with major retailers, a
sales force automation program, and its growing Internet business. Cangemi says
the audits make sure that systems are meeting standards for performance.

At J.C. Penney, the internal auditing department, which includes an IT auditing
group, reports to the executive vice president, secretary, and general counsel,
and works closely with the CFO and other members of senior management to
develop annual audit plans and coordinate audits of key areas within the
organization. The IT audit group audits such areas as telecommunications
systems, business applications, network architecture, data-center operations,
change management, disaster recovery/business continuity, electronic commerce,
information security, and database security. And, of course, Sarbanes-Oxley.

IT audits do more than provide peace of mind or point out room for improvement:
they can also zero in on potentially serious problems. The 15-member IT audit
team at Depository Trust & Clearing Corp., for example, might conduct a
weekend test of a backup system to simulate an abrupt shutdown, to ensure that
it switches operations to an alternate site within seconds, as it is supposed
to do. Since auditors look at communications and overall responsibilities
across functional departments, they help pinpoint any breakdowns that could
have an adverse impact on the organization, according to senior IT auditor
Fredric Greene.

How frequently IT audits should be conducted depends on the type of audit and the
individual needs of the organization, says Fred Heller, an IT-audit expert at
Jefferson Wells. Certain IT assets, such as key business systems and
applications, should be audited at least once a year. Others, such as data
centers, can be audited every three years or so. "Companies can do
multiple audits at the same time or on a cycle basis," says Heller. "Sometimes
they need to do specific audits [at a certain time] because of a high risk, and
the next year they have a different cycle."

A growing number of companies are conducting audits of extensive IT projects —
such as an infrastructure overhaul or a rollout of mobile computing devices —
to ensure that initiatives are running on time and on budget. "An IT audit
can provide an assessment of how a project is being managed, how the systems
and applications are working, and whether you can move to the next phase,"
says Heller. Many involved in IT audits stress that they are now a fundamental
part of overall IT management.

Deciding Who Does What

There's no shortage of companies that provide IT-auditing services, from traditional
accounting firms to small, specialized consultancies.

Small and midsize companies are more likely to hire out IT-auditing jobs than larger
organizations because they lack internal expertise or resources, experts say.
Larger organizations often have an internal auditing staff, equipped with the
know-how to conduct a range of audits. But staff reductions, and increasingly
complex and rapidly changing technologies, have forced even bigger companies to
look outside for help in certain areas, says Paul Hoshall, principal of Hoshall
Associates, an IT-audit training and consulting firm in Fairfax, Virginia.

Some companies mix and match, doing their own IT audits while occasionally turning
to service providers for help. Financial-services firm Fidelity Investments in
Boston conducts audits of IT-management processes, general controls,
infrastructure, and applications.

"If the internal audit staff is properly objective, has management's support, is
adequately resourced, and has the requisite technology and audit skills, I
think they are better positioned to do the work" than an outside firm,
says Jay Stott, vice president of IT audit at Fidelity. "They usually will
have greater knowledge of the business, organization, and operating environment,
and therefore are better able to evaluate the full range of risks and controls
that are important to the organization."

In some situations, Stott says, specialized technology knowledge that's beyond the
staff's capability is needed. For example, Fidelity used a networking
specialist to audit its voice networks when it lacked internal expertise.

Sometimes companies gain knowledge from service providers that they can use later on.
Retailer J.C. Penney Co. does most of its own audits, but several years ago it
"co-sourced" an audit of its ERP system. Based on what it learned, it
now handles that job itself. —B.V.

Peering Inside the Box

When it comes to conducting IT audits, organizations can turn to a familiar resource
for help: IT. There are dozens of software products on the market that provide
all kinds of help with the auditing process. A quick sampling of functions
addressed by these tools includes risk analysis and simulation, remote network
auditing, audit planning and budgeting, databases for audit findings,
customized reports and graphs, work-tracking systems, data mining and analysis,
computer forensics, asset and software management, business intelligence,
inventory management, configuration management, and security.

Paul Hoshall, principal of Hoshall Associates, an IT-audit training firm in Fairfax,
Virginia, says the number of available tools has grown in part because in many
cases, auditors have had to do more work with fewer people on staff, and more
and more audit information resides exclusively within the computer. "We're
also dealing with a significantly changing [IT] environment," including
bigger and more-complex infrastructures, says Hoshall. "A lot of things
occur inside the box, and we need to reach inside the computers and networks to
find out what's going on." But fully automated audits are unlikely,
because the final step in any audit is the exercise of human judgment as to
what to do next.

Motorola Enters BPL Business

Motorola unveiled an offering that mates its Canopy wireless broadband offering with
in-building delivery of broadband over powerlines (BPL) using the HomePlug
standard.

Motorola's offering, called Powerline LV (the LV stands for low
voltage, to create a distinction between in-building BPL and the use of
high-voltage electric distribution lines to carry broadband), requires only
three pieces of gear to connect a user to broadband: the new
Powerline LV access point cluster, an integrated antenna and bridge router, and
a HomePlug-compliant modem. Motorola argues that by delivering broadband over
RF using its Canopy wireless system - which these days it describes as
"WiMAX-like" - it avoids high frequency interference issues revolving
around delivery of broadband over the power lines that feed to a home.

Chris Banakis, Motorola's vice president and director of Enterprise Utilities
Solutions, contends "Powerline LV combines the best of both worlds -
proved technology (Canopy) with a commercially effective BPL system." He
notes Canopy has been deployed at 15,000 sites in 85 countries.

In addition to dishing up broadband to end users, Motorola says the system also
supports such applications as automatic meter reading, substation monitoring,
and supervisory control and data acquisition (SCADA) applications. "On top of offering
significant business expansion opportunities for utilities, Powerline LV
supports many of today's core utility applications, making the solution's value
proposition even stronger," continues Banakis.

A key marketing channel for the new Motorola offering is utility providers in
areas that are "underserved" by broadband access, the company says.
Motorola's initial customer is Broad River Electric, a 25,000-customer rural
utility in upstate South Carolina.

FCC Denies SBC Petition

Federal regulators on Thursday denied a petition by SBC Communications Inc. that
requested deregulation of Internet Protocol services.

The FCC said the forbearance petition filed by the second-largest local phone
company was vague and requested exemption from requirements that the regulatory
agency had not yet decided even applied to the services in question.

The commission is examining in a broad rulemaking the extent to which rules should
apply to IP services.

“Although by today’s action we deny SBC’s forbearance petition on procedural grounds, I
believe that the issues presented by this petition are important ones that
require the commission’s attention,” FCC Chairman Kevin Martin said in a
statement.

SBC filed the forbearance petition Feb. 5, 2004, and today was the statutory
deadline for the FCC to take action. Otherwise, the request would have been
granted under the law unless San Antonio, Texas-based SBC had withdrawn the
petition.

Earthlink Inc. and MCI Inc. were among those entities that asked the FCC to deny the
petition, which requested forbearance of “IP platform services” from Title II
common carrier regulations under the Telecommunications Act of 1996.

Title II regulations cover dozens of provisions, including a requirement that
incumbents such as SBC provide underlying network access to unaffiliated
Internet service providers like Atlanta-based Earthlink. The rules do not apply
to TV services, which SBC plans to offer to millions of homes over networks the
company is spending billions to construct.

In a positive sign for SBC, Martin indicated the agency is on a path to deregulating
new services.

“The removal of legacy regulations should spur
investment and the deployment of new packetized networks and facilities that
will bring new broadband services to all Americans throughout the nation,” he
said.

Equipment Leasing Can Support Your Growth

Equipment leasing can provide your company with several
benefits. These benefits are important as you continue to execute growth plans
and strategies that improve your company’s profitability and
sustainability.
- Personal & Timely Service
- Complete Confidentiality
- Custom Programs
To assist our preferred clients, TSG is providing a valuable reference
that can be used this year for your equipment leasing programs.
Simply call a WFS associate to discuss your equipment and
real estate needs.
Mention that Total Solutions Group referred you and receive
the following benefits!
- Deferred payments for 2 months (up to December 2005)
- No initial lease processing fee
Establish your Wirt credit line for future leases and
opportunity-based transactions.
Call now at 1.800.777.9478 to schedule a no-obligation
conference call assessment or a personal visit by a WFS Associate.
Notes: Benefit is based on approved credit transactions. WFS
reserves the right to approve all transactions. Deferred payment benefit applicable to transactions of $10,000 or more. Offer expires
on December 31, 2005.
Join our growing list of clients in 2005!
Finally, a consulting firm that pays for itself!

VoIP Brings New Productivity to Many Businesses

The hospitality industry had better be prepared: Traveling businesspeople will soon have little
need for their room phones. One of the first major applications for voice over
IP in the business world is to enable road warriors to more easily and cheaply
communicate and work when traveling.

"It's a whole new way of doing things," said Michael Burrell, senior manager in
the voice and video solutions group at Equant. "Businesses can support a
mobile work force more efficiently and cost-effectively. You can put a softphone
on traveling workers' laptops, and they can turn their hotel room into an
office."

In addition to avoiding expensive hotel phones, a VoIP service links the traveling employee
to all the corporate and customer information needed to work as if one were sitting
at one's desk.

"I can work on the road as effectively, using my softphone on the laptop [the same] as
my regular phone on my desk," said Jay Kauser, NEC's general manager of
product management. "We provide a Communication Portal that is taking care
of not only a mobile user but enterprise in-house back office needs so that
your PC desktop and your communication needs are tied together in one easy
portal."

Thus the primary goal of VoIP in the enterprise has very quickly shifted from how to
save money on communications costs to how to increase worker productivity.

In addition to the industry's leaders in IP PBXs, Avaya and Cisco Systems, and telecom
network gear makers such as Alcatel, Lucent Technologies, Nortel Networks and
Siemens, a number of newer players are springing into the market to develop
middleware and software platforms that help businesses incorporate VoIP
flexibility and functionality into their communications systems and business
processes to make those productivity leaps.

One such company, LignUp, provides a communications platform that incorporates
softswitching, a media server and a service creation environment, along with
pre-integrated applications and a development tool for building more apps. The
company is working with service providers that are more interested in becoming
what was once known as ASPs, or application service providers. One of them,
CanyonBridge, used LignUp's platform to create cbForce, an integration of
Microsoft Exchange with salesforce.com that uses VoIP technology to make the
sales process much more efficient.

"This is just the first blush of this," said Kevin Nethercott, president and chief
operating officer of LignUp. "Every name in the database becomes an
object; every object has a phone number associated with it. Whether on the road
or at their offices, salespeople can click to call customers from within the
address book, calendar or even an e-mail. The calls are logged into the
customer's record, and you can view a customer profile, enter notes about the
call, record the call, transfer it and keep all that in the call history. The
customer record can be viewed automatically when calls come in. It makes a
salesperson more effective because all the information is right there."

Another firm, LiteScape, integrates voice systems with desktops and wireless devices. This
includes a familiar user interface such as Lotus Notes or Microsoft Outlook
that's combined with new functionality that can be displayed as soft keys on a
VoIP phone, said Farzad Naimi, CEO, president and founder of the company, whose
system works with both Cisco and Avaya VoIP premises gear.

Banks are using this technology for automating customer self-service and collaboration
among branches, he said. "On the same platform, we have identified niche
markets - we call them self-service points. We have not only a VoIP screen, but
you would attach a card reader or [radio frequency ID] so that authorization of
the personalized services could be provided. The card readers would be all over
the bank, and somebody comes in, swipes the card and puts in the PIN, and it
immediately provides you other services like brokerage or loans."

Charles County, Md., schools are using the system in every classroom, Naimi added.
"Teachers can use it to automatically send notification home, as well as
automate tasks such as attendance."

Traxi Technologies integrates enterprise apps with a VoIP-based enterprise phone
system via its Volcrum Voice platform, allowing enterprises to use screen pops,
call recording, text-to-speech and interactive voice response technology simply
and easily as part of their call centers.

"When a call comes in with the caller ID, you can pop a button to pull up customer
information, pop another button to record the call," said Louis Person,
Traxi president. "We integrate with Microsoft CRM, and that creates a
record for every call."

Metreos provides both an open communications environment and an application development
tool that is being used by companies, such as Lehman Brothers, that want to go
beyond VoIP toll savings to new functions and productivity, said CEO Joel
Fontenot.

"Today, because of the complexity of telephony protocols, ready-to-use code, threats to
dial-tone reliability and the unique requirements of voice apps, no one did
much to PBXs in the past," he said. "Now, with VoIP, you have open
APIs in the data world. But you still have to take the lifecycle approach to
voice applications. How do we build, deploy, manage, update for changing
protocols? Our platform solves all these issues."

Lehman Brothers uses the system for find-me, follow-me service, more efficient Web-based
broadcast messaging and the addition of presence to its Instant Messaging
capability, but the company also has developed a custom app that allows its
analysts to deliver information to customers more quickly over a Web-enabled
system with voice recording that frees their time while still giving customers
a personal touch.

Presence itself is a major force with VoIP enterprise apps. At Nortel, which not only
sells VoIP gear but uses it to connect 22,000 employees, interaction is more
efficient when employees know in advance the current status of fellow workers.

"It's not just having the information, it's how you use it," said Ingrid
Tremblay, senior manager product marketing for multimedia at Nortel. "In
the past, I would have called a colleague and gone to voice mail if that person
was on the phone. Now I can look on my dashboard, check my friend's list and
see if that person is on the phone, and if they are, I'll use an IM to invoke a
response. It makes better use of everyone's time."

It's also possible to note when someone is on a cell phone - which means they are out of
the building, she said. The ability to note presence can ultimately incorporate
badge readers so that the desktop dashboard would indicate an individual's
precise location within a building, making it possible to track key personnel,
such as doctors within a hospital, she said.

VoIP is moving into the call center environment, but it is also enabling technology once
reserved for call centers to move into other environments as well.

Witness Systems has been providing the technology that allows call centers to easily
record incoming calls for review, for liability/verification purposes and for
staff evaluation and training, said Nancy Treaster, senior vice president of
marketing. Now, one-third of its customers are enterprises, not call centers.

The VoIP-enabled system lets individuals record a call with the push of a button
and create a .WAV file that can be shared or stored. Hospitals will use it to
have nurses record doctors' orders, and suppliers will use it to record
incoming orders to avoid later confusion or liability issues, she said.

Eventually, virtual call centers will allow companies to add staff during peak calling
times or conference in knowledge workers only as needed to both improve service
and keep costs down, Treaster said.

AccessLine, a service provider that came out of the applications space and is developing its
own apps, sees smaller enterprises using VoIP to create a virtual company that
looks like a larger enterprise, said Kent Hellebust, chief marketing officer.

"The customer calls one number but can be transferred to one of many different
locations or teleworkers," he said.

There is still a great deal to be explored about how VoIP will enable better use of
mobility and collaboration, said Tim Miller, director of product planning for
Siemens.
"It is a much more
flexible and extensible environment for helping network technology like
presence or a virtual assistant can take off mundane and repetitive tasks and
allow employees to focus more on addressing customer needs," he said.

The Total Solutions Group Value
- Contract Negotiation
- Audit and Recovery
- Billing Accuracy
- Telecom Management
- Network Design
- Network Management
- Future Technology Positioning
- Telephony Maintenance & Installation

The TSG Team
Jimmy E. Greene, CEO
Amy Suchy, COO
Steve Harris, VP
Tammy Kruse, Marketing
Amanda Archangeli, Audit Specialist

2621 Bay Street, Saginaw, MI 48602
Office: 989-793-8128
Fax: 989-399-2266
Toll Free: 877-455-3074
www.TotalsolutionsGroup.org