July 2, 2011

Stakeholders: Identifying Who You Need to Interview


As an IS auditor, it is important for you to be cognizant of whom you should be interviewing, and how long those interviews should take. Every auditor will frequently face a time crunch due to the customer's schedule or other issues. You will need to pay particular attention to the value of other people's time. Consider the work outage created when you take someone out of their job role to spend time with you. Will it be necessary to backfill their position by providing a substitute during this time away?
Think for a moment of what it would cost the organization for a key executive to spend 15 minutes with you. This executive's time may be measured in personal compensation or by the revenue they generate for the organization. Top executives, such as the CEO, will have compensation packages that include both money and substantial shares of stock. Based on total compensation, the CEO may be receiving several thousand dollars per hour or more.
Note: Former Walt Disney CEO Michael Eisner received total compensation equal to $27,000 per hour, which was equivalent to approximately 0.18 percent of the revenue generated under his leadership during the same time period.
The moral is that to justify 15 minutes of somebody's time, you had better have something to discuss that is of greater value than that person's prorated value to the organization (greater than prorated revenue + compensation). Now consider the cost of a meeting of several high-level executives. You need to ensure that the time spent is relevant and remains focused on the audit objectives. The savvy auditor respects the value of a person's time.
Every system will have an inherent need for controls. The auditor needs to ensure that discussions occur with the correct individuals concerning appropriate controls. Three basic IT-related roles exist for every system: owner, user, and custodian. Table 1 shows examples of individuals with their associated roles and responsibilities.
Table 1: Responsibilities of data owner, user, and custodian

| Role | Example | Basic Responsibilities |
|---|---|---|
| Data owner | Vice president | Determine classification; specify controls; appoint custodian |
| Data user | Internal business user; business partner; business client (web) | Follow acceptable usage requirements; maintain security; report violations |
| Data custodian | Database administrator; production programmer; system administrator | Protect information; ensure availability; implement and maintain controls; provide provisions for independent audit; support data users |
These individuals don't have to work in the IT department. On the contrary, these roles exist regardless of departmental boundaries. If someone performs the function, the responsibility of the role applies to that person. No exceptions. If a person performs two roles, two sets of responsibilities apply. If someone performs all three roles, either it's a one-person operation or you need to have a talk about separation of duties and the value of their data.
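The role-by-function rule above, worked as an added example (not code from the original post): the helper assigns owner, user and custodian roles from the functions a person was observed performing, unions the Table 1 responsibilities of every role they hold, and flags anyone holding all three for the separation-of-duties discussion. The person names, the function-to-role mapping and the observed assignments are constructed assumptions.

```python
# Added example, not from the original post: an access-review helper that
# assigns owner/user/custodian by the functions a person actually performs,
# unions the responsibilities of every role held, and flags anyone holding
# all three for a separation-of-duties discussion. Names and data are constructed.
from collections import defaultdict

# Responsibilities per role, as listed in Table 1.
RESPONSIBILITIES = {
    "owner": ["determine classification", "specify controls", "appoint custodian"],
    "user": ["follow acceptable usage", "maintain security", "report violations"],
    "custodian": ["protect information", "ensure availability",
                  "implement and maintain controls",
                  "provide for independent audit", "support data users"],
}
# Assumed: an observed function implies the role that owns that responsibility.
FUNCTION_TO_ROLE = {f: r for r, fs in RESPONSIBILITIES.items() for f in fs}

def roles_by_person(observed):
    """observed: iterable of (person, function); returns {person: set(roles)}."""
    roles = defaultdict(set)
    for person, function in observed:
        if function not in FUNCTION_TO_ROLE:
            raise ValueError(f"unknown function: {function!r}")
        roles[person].add(FUNCTION_TO_ROLE[function])
    return dict(roles)

def responsibilities_for(role_set):
    """Two roles -> two sets of responsibilities; order follows Table 1."""
    return [resp for role in ("owner", "user", "custodian") if role in role_set
            for resp in RESPONSIBILITIES[role]]

def sod_conflicts(roles):
    """People performing all three roles: discuss separation of duties."""
    return sorted(p for p, rs in roles.items() if rs >= {"owner", "user", "custodian"})

# Constructed sample of who was seen doing what during fieldwork.
OBSERVED = [
    ("vp_sales", "determine classification"),
    ("dba_jane", "protect information"),
    ("dba_jane", "report violations"),          # custodian who is also a user
    ("solo_dev", "specify controls"),
    ("solo_dev", "implement and maintain controls"),
    ("solo_dev", "follow acceptable usage"),
]

if __name__ == "__main__":
    roles = roles_by_person(OBSERVED)
    for person in sorted(roles):
        print(person, sorted(roles[person]), responsibilities_for(roles[person]))
    print("SoD conflicts:", sod_conflicts(roles))
```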
