Forty-two years with IBM as:
systems designer and developer
IBM internal auditor
instructor in IBM's new auditor school
application controls instructor
senior business controls analyst
audit consultant for outsourced contracts to IBM
Key lessons learned through 12 years developing and programming application systems at IBM:
controls cannot be an after-thought - the cost of applying corrective actions and retrofitting controls at a later date can grow exponentially
the only thing worse than no control is the illusion of control - if you believe, without verification, that controls within your business processes and applications are installed and effectively being executed, you will not correct problems - you will not be aware of any exposures, believing that there are none
there is a valuable lesson in being assigned to maintain the applications and systems you designed and installed - there is significant value in living with control problems that you were responsible for because the primary objective was meeting deadlines for installing systems on time
Benefits of putting my experience and passion for auditing to work:
my experience as a developer and programmer, and my realization of the consequences of not having adequate controls, placed me in a position to become a valued auditor and effective teacher
my enthusiasm was the foundation of a book I published in 2007 on auditing Information Technology, titled "IT Governance: The Only Thing Worse than No Control is the Illusion of Control."
both my experience and book are unique attributes of the IAE program
Adjunct Professor at Kean University in New Jersey:
serving as adjunct professor for the last eight years following IBM retirement
teaching auditing to both undergraduate and graduate students
instructing accounting students and business managers on audit processes and techniques
addressing Auditing Financial Statements and Auditing Information Systems
Key elements of Kean classes: Interactive mock audits that take students beyond theory:
enable students to participate in interactive experiences, role playing both audit client and auditor
provide practice in all steps ranging from generating initial audit announcement letters, conducting interviews, evaluating exposures and non-compliance to requirements through final audit reports and presentation to executives
offer a real-life, hands-on experience that is valuable, essential and unique
help students achieve sound audit knowledge and gain an insight into audit challenges
Internal Audit Education (IAE)
Audit Client Education
Internal Audit Education (IAE) provides essential education to current and future corporate executives who have, or will have, responsibility for ensuring that adequate controls are in place within their companies. If they become audit clients and are audited by either internal or external audit staffs, they should be positioned for successful audit results. They will be responsible for the controls that help establish and maintain both integrity and accuracy in financial reporting.
Management needs to be well versed in internal control theory and practice to meet acceptable audit standards. They must step up and enhance their knowledge of controls, understand their company’s overall compliance plans and ensure that the two are effectively integrated.
The education offered covers a wide scope, from the “why’s” and “what’s” of Sarbanes-Oxley to the establishment of the infrastructure for audit survival, including an understanding of the audit process used by internal and external auditors.
Take a few minutes to answer the following questions about your management and key personnel:
1) What education do your current and future management teams have in being audited?
2) Will they be intimidated?
3) Will they know how to prepare and present responses to audit requests?
4) Will they know what, when and how to challenge audit findings?
5) Will they know what to do during an audit interview?
6) Do they understand the differences among processes, procedures and controls?
7) How familiar are they with government regulations (e.g. Sarbanes-Oxley, HIPAA)?
8) Do they know what pro-active measures they can take prior to being audited?
9) Do they know how to respond to auditors' requests for documentation?
10) Do they know how to respond to audit findings?
11) Do they know what issues need to be escalated during an audit and to whom they need to be escalated?
12) Do they know how to establish and track corrective actions until closure?
13) Do they know what controls need to be in place if processes are outsourced?
14) Do they understand their audit responsibilities?
15) Do they understand the difference between responsibility and accountability?