News
8/20/2014
01:36 PM

US House Inspector General: IT Audit Activist

At the 2014 GRC Conference, House IG Theresa Grafenstine argues internal auditors must be more forward looking -- and explains why being exempt from regulations just makes her job harder.

In a Congress slanted every which way, trying to work equally well with Democrats and Republicans takes a sense of humor, and Theresa Grafenstine laughs a lot.

Speaking at a West Palm Beach, Fla., gathering that included both financial and IT auditors and risk managers, Grafenstine described her job as US House Inspector General as "like internal audit, only with access to firearms." More seriously, in her presentation at the 2014 GRC Conference and in an interview with InformationWeek, Grafenstine advocated for auditors taking a more proactive role in preventing problems, rather than merely categorizing what went wrong after their organization's finances, information security, and reputation have already suffered damage.

"If you don't front-manage risks and they blow up, you pay for it in the long run," she said.

It's not Grafenstine's job to participate in audits or investigations of other agencies, but to act as an internal auditor for the US House of Representatives itself, as an institution. The House is an enterprise of about 11,000 people, with 22 staff members for every member of Congress plus all the committee staffs, plus Capitol Police, maintenance and security personnel, and administrative staffers. Her own office has a staff of 24.

Grafenstine plays what is necessarily a strictly non-partisan role, capable of working with leaders on all sides and impartially focusing on concerns that should be equally important to all -- making sure Congress's budget and IT systems are well-managed. "If a hacker wants to hack into us and steal our information, I don't care if the hacker is a D or an R," Grafenstine said. Her role is such that all the Congressional leaders of both parties had to agree, unanimously, on her appointment. "I've had to get them to agree on everything I do for 17 years."

She has been walking the non-partisan tightrope since 1998, when she joined the Inspector General's office as an IT auditor. She was appointed to the top job in 2010, only the fourth person to hold the IG job since the creation of the office. Before coming to work for the House, she was an IT auditor at the Department of Defense.

While stressing her non-partisan status, Grafenstine wasn't afraid to mention the launch of HealthCare.gov as one of several examples of where more proactive oversight would have saved a government agency a lot of grief and the public a lot of money. "You have to wonder, where were the auditors there?"

Actually, it's not so mysterious. In some circles, her advocacy of proactive auditing is a controversial proposition -- not because auditors don't want to prevent problems, but because they must stay strictly independent if they are to do their jobs properly. She argues auditors can still sound alarms earlier. "We never make management decisions, we just give them the data," she said.

The line auditors can't cross is taking on operational responsibility, Grafenstine said, because "then you're just a manager." She believes her office strikes the right balance by keeping one team focused on traditional retrospective auditing work, while another concentrates on more forward-looking risks. The more formal discipline of enterprise risk management is something she is working hard to establish as part of the operations of the House.

Grafenstine serves as an international VP of ISACA, the IT-focused audit organization that put on the 2014 GRC Conference in partnership with the Institute of Internal Auditors, which has also been noting the rising importance of IT and cyber security concerns.

Although cyber security and IT operations aren't the only concerns for the House or any other organization, they are hugely important, Grafenstine said. Congress is famously unpopular overall, and there are partisans on both sides -- including partisan hackers who hate their opponents with a white-hot passion. Just imagine the damage one of those people might do given the chance to access an opposing leader's email account or the records of a key Congressional committee. Nor is cyber security the only IT-related risk for the House. What if the electronic system that it uses to record votes were to be wiped out by an electromagnetic pulse, either manmade or natural? There has to be a backup.

Congress also needs to plan for more drastic worst-case scenarios. One of Grafenstine's major projects has been updating a comprehensive plan for "Continuity of Congress," or "if the Capitol building wasn't there anymore, what do you do?" If the building burns down, blows up, or gets caught in a Sharknado, Congress needs a plan to regroup at another location and reconstitute both digital and institutional systems that will allow it to go back to work and address the crisis. Lots of groups within Congress, from IT and the Clerk's office to the Capitol Police, had their own continuity plans, but she needed to ensure that they were all coordinated.

Regulatory compliance is less of an issue for Congress than most organizations -- almost a non-issue because Congress exempts itself from most regulations. "I know that's something that drives a lot of citizens crazy," Grafenstine acknowledges.

Here's the trick, though. As much as everyone complains about regulation, in general those rules were put in place for a reason. That means

David F. Carr oversees InformationWeek's coverage of government and healthcare IT. He previously led coverage of social business and education technologies and continues to contribute in those areas. He is the editor of Social Collaboration for Dummies (Wiley, Oct. 2013) and ...

Comments
tekedge,
User Rank: Moderator
8/27/2014 | 7:25:14 PM
It Audit Activist
Regulations are put in place for a reason and organisations need to abide by them and need to be constantly monitored by audits. Remember the failed financial organisations and financial markets which brought everything down. I still feel some audits would have caught the problems at the earlier stages... just my two cents
David F. Carr,
User Rank: Author
8/22/2014 | 9:43:41 AM
Re: Raising risk awareness
Perhaps we should even give Congress a little bit of credit for recognizing the need to have an Inspector General (the office is relatively new; Theresa worked for three IGs who preceded her)
Charlie Babcock,
User Rank: Author
8/21/2014 | 7:53:29 PM
Raising risk awareness
Fascinating picture of an auditor in a difficult position, David. It's amazing Theresa has lasted as long as she has as Inspector General. Also, how many times have we all understood that "when something is really wrong with an organization, plenty of people are aware of the problem." Yet it's impossible to do anything about it. Instead of embedded journalists, perhaps some military operations, particularly invasions of other countries, should have embedded auditors.
David F. Carr,
User Rank: Author
8/20/2014 | 5:41:49 PM
Would you want this job?
Must be quite a challenge to stand apart from the partisan rancor in Congress.