At the 2014 GRC Conference, House IG Theresa Grafenstine argues internal auditors must be more forward looking -- and explains why being exempt from regulations just makes her job harder.
In a Congress slanted every which way, trying to work equally well with Democrats and Republicans takes a sense of humor, and Theresa Grafenstine laughs a lot.
Speaking at a West Palm Beach, Fla., gathering that included both financial and IT auditors and risk managers, Grafenstine described her job as US House Inspector General as "like internal audit, only with access to firearms." More seriously, in her presentation at the 2014 GRC Conference and in an interview with InformationWeek, Grafenstine advocated for auditors taking a more proactive role in preventing problems, rather than merely categorizing what went wrong after their organization's finances, information security, and reputation have already suffered damage.
"If you don't front-manage risks and they blow up, you pay for it in the long run," she said.
It's not Grafenstine's job to participate in audits or investigations of other agencies, but to act as an internal auditor for the US House of Representatives itself, as an institution. The House is an enterprise of about 11,000 people, with 22 staff members for every member of Congress plus all the committee staffs, plus Capitol Police, maintenance and security personnel, and administrative staffers. Her own office has a staff of 24.
Grafenstine plays what is necessarily a strictly non-partisan role, capable of working with leaders on all sides and impartially focusing on concerns that should be equally important to all -- making sure Congress's budget and IT systems are well-managed. "If a hacker wants to hack into us and steal our information, I don't care if the hacker is a D or an R," Grafenstine said. Her role is such that all the Congressional leaders of both parties had to agree, unanimously, on her appointment. "I've had to get them to agree on everything I do for 17 years."
She has been walking the non-partisan tightrope since 1998, when she joined the Inspector General's office as an IT auditor. She was appointed to the top job in 2010, only the fourth person to hold the IG job since the creation of the office. Before coming to work for the House, she was an IT auditor at the Department of Defense.
While stressing her non-partisan status, Grafenstine wasn't afraid to mention the launch of HealthCare.gov as one of several examples of where more proactive oversight would have saved a government agency a lot of grief and the public a lot of money. "You have to wonder, where were the auditors there?"
Actually, it's not so mysterious. In some circles, her advocacy of proactive auditing is a controversial proposition -- not because auditors don't want to prevent problems, but because they must stay strictly independent if they are to do their jobs properly. She argues auditors can still sound alarms earlier. "We never make management decisions, we just give them the data," she said.
The line auditors can't cross is taking on operational responsibility, Grafenstine said, because "then you're just a manager." She believes her office strikes the right balance by keeping one team focused on traditional retrospective auditing work, while another concentrates on more forward-looking risks. The more formal discipline of enterprise risk management is something she is working hard to establish as part of the operations of the House.
Grafenstine serves as an international VP of ISACA, the IT-focused audit organization that put on the 2014 GRC Conference in partnership with the Institute of Internal Auditors, which has also been noting the rising importance of IT and cyber security concerns.
Although cyber security and IT operations aren't the only concerns for the House or any other organization, they are hugely important, Grafenstine said. Congress is famously unpopular overall, and there are partisans on both sides -- including partisan hackers who hate their opponents with a white-hot passion. Just imagine the damage one of those people might do given the chance to access an opposing leader's email account or the records of a key Congressional committee. Nor is cyber security the only IT-related risk for the House. What if the electronic system that it uses to record votes were to be wiped out by an electromagnetic pulse, either manmade or natural? There has to be a backup.
Congress also needs to plan for more drastic worst-case scenarios. One of Grafenstine's major projects has been updating a comprehensive plan for "Continuity of Congress," or "if the Capitol building wasn't there anymore, what do you do?" If the building burns down, blows up, or gets caught in a Sharknado, Congress needs a plan to regroup at another location and reconstitute both digital and institutional systems that will allow it to go back to work and address the crisis. Lots of groups within Congress, from IT and the Clerk's office to the Capitol Police, had their own continuity plans, but she needed to ensure that they were all coordinated.
Regulatory compliance is less of an issue for Congress than most organizations -- almost a non-issue because Congress exempts itself from most regulations. "I know that's something that drives a lot of citizens crazy," Grafenstine acknowledges.
Here's the trick, though. As much as everyone complains about regulation, in general those rules were put in place for a reason. That means
David F. Carr oversees InformationWeek's coverage of government and healthcare IT. He previously led coverage of social business and education technologies and continues to contribute in those areas. He is the editor of Social Collaboration for Dummies (Wiley, Oct. 2013) and ... View Full Bio
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?