Michael Juergens, CISA, CGEIT
Political and social mores of the last few years have given rise to a myriad of corporate initiatives around corporate social responsibility (CSR). As the economic recession became more severe, the focus on bottom-line performance took precedence over many of the well-meaning, but costly, CSR initiatives. One large exception to this, however, has been “green IT.” Green IT initiatives occupy a unique intersection; they accomplish socially responsible goals, while providing hard monetary returns on investment and improved financial performance. Thus, while some CSR programs have been shelved in anticipation of future funding, green IT programs have been pursued enthusiastically.
The results are mixed. Some organizations have reported substantial progress and significant gains through IT initiatives, while other organizations have been less fortunate. What makes a green IT program successful depends on a variety of factors, which vary greatly from organization to organization. This article will not attempt to tackle that challenge, as intriguing as it is. Rather, this article will assume that green IT initiatives will continue, at least in the short term, and will focus on how this evolution of green IT will impact the IT auditor’s professional career.
This isn’t the first time IT auditors have had to contend with a rapidly evolving IT environment. The migration to client-server-based enterprise resource planning (ERP) systems, year 2000 conversions, and the advent of e-commerce and the extended enterprise have had major impacts on corporate IT environments. These changes challenged IT auditors who had to reengineer their skills and approach to auditing. Simultaneously, these changes created opportunities for IT auditors to grow their careers in satisfying ways.
The green IT movement is no different. Those IT auditors who seize this opportunity and evolve will likely be more successful than those who do not.
How will the green IT movement impact careers in IT audit? As with some of the aforementioned evolutions (e.g., ERP implementations), the changes will take numerous forms, each with various levels of complexity. Some green IT initiatives (such as virtualization) could individually represent multiday training courses for the IT auditor. This article identifies a few of the major changes to provide a starting point for how IT auditors should manage their careers as they are impacted by green IT.
Green IT programs change the IT environment. Green initiatives such as cloud computing, virtualization, outsourcing, data center redesign and workstation management impact the components that IT auditors assess when performing audits. This raises two questions:
On the surface, these seem to be easy questions—that is, until one gets into the details of planning audits. For example, consider an organization pursuing a data center redesign to improve air circulation and decrease energy costs. Does the IT auditor visit the data center to audit the redesign only, and then return next month when performing the annual data center security and environmental controls audit? Or, should these trips be combined? There is no right answer to this question—each environment is different, but it is something that the IT auditor should think through.
This issue is exacerbated by political issues, timing and resource availability, as well. Some IT departments may be collaborative and actively seek involvement from IT audit on these initiatives. Others may be more closed and may suggest that the IT auditor’s scope be limited to Sarbanes-Oxley IT controls over financial reporting, which excludes green IT initiatives. The IT auditor must also address the continued downward pressure on budgets and resources. Everyone may agree wholeheartedly that audits should be expanded to include green IT, but IT audit resources may be stretched too thin to provide coverage.
Recommendation
It is recommended that the IT auditor gain an understanding of what green IT activities are planned, underway or recently completed by the organization. This will provide a starting point for determining how the IT audit universe should change. By comparing those activities against planned IT audits, it should be clear how to react. Start by adding a few green IT audit procedures to the planned IT audits, or by requiring more comprehensive procedures or distinct audits. Significant projects that impact mission-critical systems should be considered as any other major implementation, and may require IT audit support throughout the duration of the project. By thinking through the impact on the IT audit universe in advance, IT auditing resources can be proactively managed more effectively.
Green IT activities are changing the way the IT function operates. The progressive IT auditor understands these changes and modifies procedures and findings accordingly. Some green IT solutions appear incongruent with IT control objectives, or even mutually exclusive. For example, who can forget how many IT functions pursued high-availability strategies? The theory was sound: eliminate single points of failure by building in layers of redundancy throughout the IT environment. By doing so, the theory was that failure of any single device would not interrupt continuity of services. IT auditors were thrilled. This allowed them to finally close out those outstanding audit findings on disaster recovery planning.
Those redundancies now represent waste and overconsumption of electricity. Green IT initiatives may start to remove these redundancies, which will help achieve cost reduction and green IT goals, but put the IT auditor into a difficult situation—choosing between reporting these changes to management as “improvements” and “successes” or reporting them back as “deficiencies” and “audit issues.”
Recommendation
The best way to address this conflict is to focus on straight talk. It is recommended to obtain the organization’s green IT strategy and project plan and review it in detail, paying close attention to items like consolidation, virtualization, environmental controls, and removal of IT applications or hardware. By understanding what is to be done under the banner of green IT, the IT auditor can proactively identify those green IT initiatives that may represent security or control issues, and have discussions with IT management before they occur.
In some cases, the IT audit function may not have visibility into these changes until after they occur, limiting the ability to influence decisions that may pose control issues. If so, IT auditors should operate with a heightened sense of awareness that objectives have changed, and new goals are taking priority. This requires an increased amount of diligence on the IT auditor’s part when it comes to validating findings and drafting reports. The IT auditor should seek to understand the IT department’s perspective and consider increased reporting timelines due to the need for additional discussions with the affected parties and reviews of audit reports.
IT auditors generally seek to add value to the enterprise through sound recommendations based on their audit results, or by bringing an IT controls and risk perspective and experience to IT initiatives. Opportunities to add value, however, can be few and far between, particularly when IT auditors are performing tests of the same Sarbanes-Oxley controls that have been tested annually since 2005 and are trying to get the testing done in 30 percent fewer hours this year.
Green IT is an opportunity for IT auditors to get reengaged in key business strategies and bring insight to the IT function that can translate to increased stakeholder value. For example, although many data centers were well planned when they were constructed, over time, equipment was acquired based on where it physically fit, as opposed to how it might help reduce the cooling needs of the data center. Oftentimes, a straightforward rearranging of the data center into alternating rows of cold and hot equipment can dramatically increase airflow, with a corresponding reduction in utility costs. This is not to say that such a rearranging is simple, but it generally does not require a large capital expenditure.
An IT auditor could also work with IT management to help develop a new green policy for workstations. Screen savers, for example, use more energy than putting a workstation into sleep mode. Energy settings on workstations, printer settings, orphan device management and other workstation default settings can have a big impact on energy consumption, while simultaneously increasing security and control.
Last, many organizations are looking for green achievements to publicize. IT auditors can provide leadership to assist with some of these initiatives for the organization. By doing so, they will not only help bring value to the organization, but they can also increase the visibility of their personal brand within the organization.
Recommendation
Bring ideas. Green IT is a growing field, and there is not a checklist for how to do it right. The opportunities for real savings are going to be driven by the specifics of each individual environment. In many organizations, IT auditors have greater knowledge of the broad IT environment than the IT staff members (who are solely focused on their areas of responsibility). Thus, the IT auditors can see opportunities that are missed by line management.
To bring ideas, IT auditors must continue to educate themselves and enhance their knowledge along a wide spectrum of information: hardware, processing units, HVAC ducting and airflow, tax subsidies and incentives (federal, state and local), building design software, etc. The IT auditor who takes the extra time to educate themselves along these lines will be able to continue delivering shareholder value and insight to the IT function and the organization.
Green IT initiatives are changing the way that organizations approach IT. This represents challenges and opportunities for IT auditors. It is an evolving field and those IT auditors who embrace it will receive career dividends, while those who do not may find themselves at odds with IT management. Think about how the organization’s IT environment is changing, and start evaluating how to help to reengineer aspects of one’s approach to auditing that environment.
This article contains general information only and Deloitte and the author are not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect the business. Before making any decision or taking any action that may affect the business, consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this article.
Michael Juergens, CISA, CGEIT, is a principal with Deloitte & Touche LLP, where he specializes in IT auditing. His background includes numerous IT security, audit and control assessments for a variety of companies in a wide range of industries. He is a sought-after thought leader and speaker on IT controls topics, and has served as an expert legal witness in litigation related to IT security and controls. He has also taught graduate-level IT courses at the University of Southern California (USA) and the University of California, Irvine (USA).
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.