Forty-two years with IBM as:
systems designer and developer
IBM internal auditor
instructor in IBM's new auditor school
application controls instructor
senior business controls analyst
audit consultant for outsourced contracts to IBM
Key lessons learned through 12 years developing and programming application systems at IBM:
controls cannot be an after-thought - the cost of applying corrective actions and retrofitting controls at a later date can grow exponentially
the only thing worse than no control is the illusion of control - if you believe, without verification, that controls within your business processes and applications are installed and effectively being executed, you will not correct problems - you will not be aware of any exposures, believieng that there are none
there is a valuable lesson in being assigned to maintain the applications and systems you designed and installed - there is significant value in living with control problems that you were responsible for since the primary objective was in meeting deadlines of installing systems on time
Benefits of putting my experience and passion for auditing to work:
experience as a developer and programmer and my realization of the consequences of not having adequate controls, placed me in a position to become a valued auditor and effective teacher
my enthusiasm was the foundation of a book I published in 2007 on auditing Information Technology, titled "IT Governance: The Only Thing Worse than No Control is the Illusion of Control."
both my experience and book are unique attributes of the IAE program
Adjunct Professor at Kean University in New Jersey:
serving as adjunct profesor for the last three years following IBM retirement
teaching auditing to both undergraduate and graduate students
instructing accounting students and business managers on audit processes and techniques
addressing Auditing Financial Statements and Auditing Information Systems
Key elements of Kean classes: Interactive mock audits that take students beyond theory:
enable students to participate in interactive experiences, role playing both auditee and auditor
provide practice in all steps ranging from generating initial audit annoucement letters, conducting interviews, evaluating exposures and non-compliance to requirements through final audit reports and presentation to executives
offer a real-life, hands-on experience that is valuable, essential and unique
help students achieve sound audit knowledge and gain an insight into audit challenges
Internal Audit Education (IAE)
Internal Audit Education (IAE) provides essential education to current and future corporate executives who have, or will have, responsibility for ensuring that adequate controls are in place within their companies. If they become auditees and are audited by either internal or external audit staffs, they should be positioned for successful audit results. They will be responsible for the controls that help establish and maintain both integrity and accuracy in financial reporting.
Management needs to be well versed in internal control theory and practice to meet acceptable audit standards. They must step up and enhance their knowledge of controls, understand their company’s overall compliance plans and ensure that the two are effectively integrated.
The education offered covers a wide scope, from the “why’s” and “what’s” of Sarbanes Oxley to the establishment of the infrastructure for audit survival, including an understanding of the audit process used by internal and external auditors.
Take a few minutes to answer the following questions about your management and key personnel:
1) What education do your current and future management teams have in being audited?
2) Will they be intimidated?
3) Will they know how to prepare and present responses to audit requests?
4) Will they know what, when and how to challenge audit findings?
5) Will they know what to do during an audit interview?
6) Do they understand the differences among processes, procedures and controls?
7) How familiar are they with government regulations (e.g. Sarbanes Oxley, HIPPA)?
8) Do they know what pro-active measures they can take prior to being audited?
9) Do they know how to respond to auditors request for documentation?
10) Do they know how to respond to audit findings?
11) Do they know what issues need to be escalated during an audit and to whom they need to be escalated to?
12) Do they know how to establish and track corrective actions until closure?
13) Do they know what controls need to be in place if processes are outsourced?
14) Do they understand their audit responsibilities?
15) Do they understand the difference between responsibility and accountability?
IAE education also provides a foundation for current and future internal audit staffs who have the responsibility of conducting financial or Information System audits for their firms.
If you already have an internal audit organization, please take a few moments to answer the following questions about your internal auditors to enhance their job performance:
1) What education do they receive to enhance their job performance?
2) What education do they receive in conducting financial statement audits?
3) Will they be prepared to conduct Information System Audits?
4) Do they have the information they need to ask the right questions and prepare audit checklists to conduct audits on the above?
5) What education do they receive in conducting interviews?
6) What preparation do they receive in writing audit reports and reporting audit findings to executive management?
7) How familiar are they with past financial and information technology scandals?
8) How knowledgeable are they about Sarbanes Oxley requirements?
9) Do they have the acumen to distinguish material issues from non-material issues?
10) Do they know the procedure to follow if they uncover a fraud?
11) Do they understand the difference and can they distinguish between different types of controls (e.g. preventive vs. detective controls)?
12) Do they understand the Information Technology challenges of today and do they understand the relationship between Information Technology and Information System controls to Financial Statements?
13) Do they understand the processes for announcing, conducting and following up on audit recommendations?
14) Do they know how to formulate initial questions and how to follow up with additional questions?
15) Are they aware of how to conduct audits on outsourcing entities?