Thursday, March 12, 2009

How to attract Rockstars

In the previous post, Rotate - Why Rockstars Should be in Audit, I made a pretty compelling case (I thought) for adding your company's "rockstars" to your audit team.

Of course, by Rockstars I mean the heavy hitters of your business. They are engineers in an engineering company, architects in an architecture company, doctors or RNs (a case could definitely be made that the RNs are the real stars) in a medical organization, and loan officers in banks.

Certainly, a business may have more than one kind of Rockstar and you want some in audit.

How in the world do you attract them?

For the basic answer, you have to look at the reasons they may not want to come to your corner of the organization in the first place.

Like most things, the reasons are pretty simple. If your audit function has a reputation for being police-ish, you'll have a tough time. If your audit unit is irrelevant, it won't happen. If your audit department is staffed primarily with fresh-out-of-school young people, the odds are lower. And, if your audit department is a career dead-end, Rockstars won't touch you with a 50 foot red pen.

Now we have something to work with.

In my experience, Rockstars, like anyone else, want to be sure their career decisions advance their career. Silly them. As a result, they will be wary of taking roles that damage their reputation.

Now, we could take each issue in turn, but it's obvious that you'll want to start working on fixing the above - stop being police-ish, become relevant, increase the experience level of your staff, and avoid being a dead-end. I'd be bored if this post stopped here.

Rather, let's talk about some positive attractants. These bits have been known to ensnare a Rockstar or two, in my experience.

  • See the World - If your audit function is structured well, your people will have a unique perspective on the company. You get to see it all. You can offer to a Rockstar the opportunity to wander the halls of the entire organization, meet people, and understand the company in ways they never would from their engineering cubicle. At RSA, seeing the world wasn't just a figure of speech. We had one Rockstar get seconded (a British term for "borrowed") to New Zealand. As far as I know, she is still there.

  • Meet the President - Exposure to senior leaders can be a tasty carrot. When you present your quarterly audit findings to the Audit Committee or the Senior Leadership, ensure that you bring along your Rockstars (maybe one at a time). Introduce them. They may just sit quietly next to you, but they are getting exposure that their colleagues are not. If they are ready, let them present a portion of the report. With a reputation for making these kinds of connections, Rockstars will line up at your door.

  • Credibility - This is not an easy thing to offer, because it takes a long time to build. But, if your audit function is seen as a strategic asset, one that is helping to advance the company's competitive advantage, this can rub off on Rockstars that work with you. Build this, and they will come.

  • Pre-arranged Return Agreements - I'd suggest not accepting a Rockstar without having a hard agreement for them to return to the business at a specified point in time. While this is important to the Rockstar at hand, it is critical to being able to get others in the future. It also signals that you really are borrowing them for their career development and not yours. You may have to make these agreements with some very senior people. Nothing is worse than two years later finding that all the players have changed and no one will accept your Rockstar back.

  • Skills, skills, skills - I have found that promising to make a Rockstar a better writer, a better communicator, and a better analyst often can be very compelling. Most Rockstars have limited opportunity to develop skills outside their discipline. Yet, they understand that the top people in most industries are great communicators and wide-thinkers. Promise them that you'll give them these skills (and deliver), and the next one will be easier to recruit.

As a final thought, start small.

A junior Rockstar is better than none. They tend to be more eager, easier to dislodge, and they give you the opportunity to practice the above. Done right, eventually you'll reel in bigger fish.

-- Prescott Coleman, CIA, CISA

Tuesday, March 3, 2009

Privacy Auditing

Between 2008 and 2009, Privacy Management moved up two spots to #2 on the AICPA's annual review of Top Technology Initiatives.

The full list of the Top Ten was:

  1. Information Security Management
  2. Privacy Management
  3. Secure Data File Storage, Transmission and Exchange (Formerly known as Securing and Controlling
  4. Business Process Improvement, Work Flow and Process Exception Alerts
  5. Mobile and Remote Computing
  6. Training and Competency
  7. Identity and Access Management
  8. Improved Application and Data Integration
  9. Document, Forms, Content and Knowledge Management
  10. Electronic Data Retention Strategy

This is true even while an Ernst & Young survey from last summer suggests that IT executives and chief audit executives still haven't become wise to the risk. Indeed, according to the survey, "Sixty-five per cent internal audit chiefs do not recognise data privacy and IT fraud as a serious threat to their business."

Nevertheless, the lack of awareness of the risk doesn't change the nature of the risk. So, it was with this in mind that I went hunting for some good intel on auditing this risk for the benefit of my readers.

And I found a terrific source.

The American Association of Accountants (AAA) held a conference in Anaheim, California last year, and I found the content of their presentation a nicely encapsulated primer for auditors on how to approach risk assessing and auditing Privacy.

I was particularly pleased with the slide that compares the various international standards on the subject. And, if the E&Y survey reflects your organization's awareness of the risk, the opening section presents a very compelling case for getting a bit more motivated about the subject.

Enjoy.

-- Prescott Coleman, CIA, CISA