For Immediate Release: Shape Minds, Build Brands, and Deliver Results with Game-Changing Public Relations (2015)
• Thursday, September 4
I wake up with a jolt when the alarm clock goes off at 6:15 a.m. My jaw still hurts from clenching it all night. The dismal prospects of the upcoming Phoenix launch were never far from my mind.
As usual, before climbing out of bed, I quickly scan my phone for any bad news. Usually, I would spend about ten minutes replying to e-mails—it always feels good to lob a couple of balls off my side of the court.
I see something that makes me bolt upright so abruptly that I wake up Paige. “Oh, my God. What, what?” she asks frantically, not fully awake.
“It’s another e-mail from Steve. Hang on, darling…” I say to her, while I squint to read it.
From: Steve Masters
To: Bill Palmer
Cc: Nancy Mailer, Dick Landry
Date: September 4, 6:05 AM
Subject: URGENT: SOX-404 IT Audit Findings Review
Bill, please look into this ASAP. I don’t need to tell you how critical it is to have a clean SOX-404 audit.
Nancy, please work with Bill Palmer, who is now in charge of IT Operations.
>>> Begin forwarded message:
We just concluded our Q3 internal audit in preparation for the upcoming SOX-404 external audit. We discovered some very concerning deficiencies that we need to discuss with you. Due to the severity and urgency of the findings, we need to meet with IT this morning.
Indeed, there’s a two-hour meeting scheduled for 8 a.m. on my calendar, set up by Nancy Mailer, Chief Audit Executive.
Holy crap. She is incredibly smart and formidable. Years ago during the retail acquisition integration, I watched her grill a manager from the business we were acquiring. He was presenting their financial performance, when she started a rapid-fire interrogation, like a cross between Columbo, Matlock, and Scarface.
He quickly broke, admitting that he was exaggerating his division’s performance.
Recalling that meeting, my armpits feel damp. I haven’t done anything wrong. But given the tone of the e-mail, she is clearly hot on the trail of something important, and Steve just threw me in her path.
I’ve always run a very tight ship in my Midrange Technology group. This kept Audit from interfering too much. Sure, there would still be a lot of questions and documentation requests, requiring us to spend a few weeks collecting data and preparing responses. Occasionally, they would find something, but we would quickly fix it.
I like to think that we built a mutually respectful working relationship. However, this e-mail portends something more ominous.
I look at my watch. The meeting is in ninety minutes, and I don’t have a clue about what she wants to talk about.
“Shit!” I exclaim, as I jostle Paige’s shoulder. “Honey, can you drive the kids into school today? Something really bad just came up involving the Chief Audit Executive and Steve. I need to make some phone calls and get to the office right away.”
Annoyed, she says, “For two years you’ve always taken the kids on Thursdays! I have an early start today, too!”
“I’m sorry, honey. This is really important. The CEO of the company asked me to handle this. Steve Masters. You know, the guy on TV and who gives the big speeches at the company holiday party? I can’t drop another ball after a day like yesterday. And the newspaper headline the night before that—”
Without a word, she storms down the stairs.
When I finally find the conference room for the 8 a.m. meeting, I immediately notice how silent it is, devoid of the usual small talk that fills the time while attendees trickle in.
Nancy sits at the head of the table, with four other people sitting around her. Sitting next to her is John along with his ever-present, black three-ring binder. As always, I’m surprised by how young he is. He’s probably in his mid-thirties with thick, curly black hair.
John has a haggard look about him, and like many college students, has continually gained weight in the three years he’s been here at Parts Unlimited. Most likely from all the stress associated with his failing moral crusade.
John actually reminds me more of Brent than anyone else in the room. However, unlike Brent who normally wears a Linux T-shirt, John wears a starched, collared shirt that’s slightly too large.
Wes is conspicuously underdressed compared to everyone in the room, but he obviously doesn’t care. The last person in the room is a young man who I don’t recognize, presumably the IT auditor.
Nancy begins, “We have just concluded our Q3 internal audit in preparation for the upcoming external SOX-404 audits. We have a grave situation. Tim, our IT auditor, found an eye-opening number of IT control issues. Worse, many are repeat findings going into the third year. Left unresolved, these findings may force us to conclude that the company no longer has sufficient controls to assert the accuracy of its financial statements. This could result in an adverse footnote from the external auditors in the company 10-K filings with the US Securities and Exchange Commission.
“Although these are only preliminary findings, due to the gravity of the situation, I have already verbally informed the audit committee.”
I blanch. Although I don’t understand all the audit jargon, I know enough that this could ruin Dick’s day and mean potentially more bad front-page news.
Satisfied that I understand the severity of the situation, Nancy nods. “Tim, please walk us through your conclusions.”
He takes out a huge stack of stapled papers, handing one out to everyone assembled. “We have just concluded our audit of the IT general controls at Parts Unlimited for all of the critical financial systems. It took a team of four people over eight weeks to create this consolidated report.”
Holy crap. I lift the two-inch thick stack of papers in my hand. Where did they find a stapler this big?
It’s a printed Excel spreadsheet, with twenty rows per page in tiny eight-point type. The last page is numbered page 189. “There must be a thousand issues here!” I say in disbelief.
“Unfortunately, yes,” he responds, not entirely able to hide his smug satisfaction. “We found 952 IT general control deficiencies, of which sixteen are significant deficiencies and two are potential material weaknesses. Obviously, we’re very alarmed. Given how soon the external audit starts, we need your remediation plan as soon as possible.”
Wes is hunched over the table, one hand on his forehead, the other hand flipping through page after page. “What kind of horseshit is this?”
He holds up one page. “ ‘Issue 127. Insecure Windows operating system MAX_SYN_COOKIE setting’? Is this a joke? In case you haven’t heard, we’ve got a real business to run. Sorry if that interferes with this full-time audit employment racket you’ve got going on here.”
Trust Wes to say what people are thinking but are too smart to actually say aloud.
Nancy responds gravely, “Unfortunately, at this point, the phase of control review and testing is over. What we require from you now is the ‘management response letter.’ You need to investigate each of these findings, confirm them, and then create a remediation plan. We’ll review it and then present to the audit committee and the board of directors.
“Normally, you would have months to prepare your response letter and execute your remediation plan,” she continues, suddenly looking apologetic. “Unfortunately, the way the audit testing calendar worked out, we only have three weeks until the external auditors arrive. That’s regrettable. We’ll make sure to give IT more time in the next audit cycle. But this time around, we require your response by…”
She looks at her calendar. “One week from Monday, at the very latest. Do you think you can make it?”
That’s just six working days away. We’ll need half that time just to read the entire document.
Our auditors, who I’ve long believed are a force for justice and objectivity, are crapping on me, too?
I pick up the huge stack of papers again and look at a couple of random pages. There are many entries like Wes read, but others have references to inadequate security settings, presence of ghost login accounts, change control issues, and segregation of duties issues.
John flips his three-ring binder open and says officiously, “Bill, I brought up many of the same issues with Wes and your predecessor. They convinced the CIO to sign a management waiver, stating that he accepted the risk, and do nothing. Given that some of these are now repeat audit findings, I don’t think we’ll be able to talk our way out of it this time.”
He turns to Nancy. “During the previous management regime, IT controls clearly weren’t a priority, but now that all the security chickens are coming home to roost, I’m sure Bill will be more prudent.”
Wes looks at John with contempt. I can’t believe John is grandstanding in front of the auditors. It’s times like this that make me wonder whose side he’s really on.
Oblivious to Wes and me, John says to Nancy, “My department has been remediating some other controls, which I think we should be given credit for. For starters, we’ve completed the tokenization of the PII on our critical financial systems, so at least we dodged that bullet. That finding is now closed.”
Nancy says dryly, “Interesting. The presence of PII is not in the scope of the SOX-404 audit, so from that perspective, focusing on the IT general controls might have been a better use of time.”
Wait. John’s urgent tokenization change was for nothing?
If that’s true, John and I need to talk. Later.
I say slowly, “Nancy, I genuinely don’t know what we can get to you by Friday. We’re buried in recovery work and are scrambling to support the upcoming Phoenix rollout. Which of these findings are the most important for us to respond to?”
Nancy nods to Tim, who says, “Certainly. The first issue is the potential material weakness, which is outlined on page seven. This finding states that an unauthorized or untested change to an application supporting financial reporting could have been put into production. This could potentially result in an undetected material error, due to fraud or otherwise. Management does not have any control that would prevent or detect such a change.
“Furthermore, your group was also unable to produce any change management meeting minutes, which is supposed to meet weekly, according to your policy.”
I try not to wince visibly, recalling that no one even showed up at the CAB meeting yesterday, and during the payroll incident, we were so oblivious to John’s tokenization change that we ended up bricking the SAN.
If we were clueless about those changes, I sincerely doubt that we’d notice if someone disabled a control that would enable a minor, say, $100 million fraudulent transaction.
“Really? That’s unbelievable! I’ll look into that.” I say with what I hope is the right amount of surprise and moral outrage. After I pretend to take detailed notes on my clipboard, circling and underlining random words, I nod, prompting Tim to continue.
“Next, we found numerous instances where developers have administrative access to production applications and databases. This violates the required segregation of duty required to prevent risk for fraud.”
I look over to John. “Really? You don’t say. Developers making changes to an application without an approved change order? That certainly sounds like a security risk. What would happen if someone coerced a developer, say Max, into doing something unauthorized? We’ve got to do something about that, right, John?”
John turns bright red, but says politely, “Yes, of course. I agree and would be happy to help.”
Tim says, “Good. Let’s move onto the sixteen significant deficiencies.”
A half hour later, Tim is still droning on. I stare glumly at the huge stack of findings. Most of these issues are just like the huge, useless reports we get from Information Security, which is another reason why John has such a bad reputation.
It’s the never-ending hamster wheel of pain: Information Security fills up people’s inboxes with never-ending lists of critical security remediation work, quarter after quarter.
When Tim finally finishes, John volunteers, “We must get these vulnerable systems patched. My team has a lot of experience patching systems, if you require assistance. These audit findings are an awesome opportunity to close some big security holes.”
“Look, both of you guys have no idea what you’re asking for!” Wes says to John and Tim, clearly exasperated. “Some of the servers that those manufacturing ERP systems run on are over twenty years old. Half the company will grind to a halt if they go down, and the vendor went out of business decades ago! These things are so fragile that if you even look at them at the wrong time of day, they’ll crash and require all sorts of voodoo to get them to successfully reboot. They’ll never survive the changes you’re proposing!”
He leans over the table, putting his finger in John’s face. “You want to patch it yourself, fine. But I want a signed piece of paper from you saying that if you push the button and the entire business grinds to a halt, you’ll fly around and grovel to all the plant managers, explaining to them why they didn’t hit their production targets. Deal?”
My eyes widen with amazement when John actually leans forward into Wes’ finger and says angrily, “Oh, yeah? How about when we’re on the front page of the news because we lost consumer data that we’re responsible for protecting? You’ll personally apologize to the thousands or millions of families whose data are now being sold by the Russian Mafia?”
I say, “Settle down, everyone. We all want to do what’s right for the company. The trick is figuring out what we have time to do and what systems can actually be patched.”
I look at the stack of papers. Wes, Patty, and I can assign people the task of investigating each issue, but who will actually do the work? We’re already buried with Phoenix, and I fear that this new massive project might be the straw that breaks the camel’s back.
I say to Nancy, “I’ll get with my team right away, and we’ll come up with a plan. I can’t promise you that we’ll have our response letter completed by then, but I can promise you that we’ll get you everything we can. Will that be adequate?”
“Quite so,” Nancy says amicably. “Going through the preliminary audit findings and identifying next steps were the only objectives for this meeting.”
As the meeting adjourns, I ask Wes to stay behind.
Noticing this, John remains behind, as well. “This is a disaster. All my objectives and bonuses are tied to getting a clean compliance report for the SOX-404 and PCI audits. I’m going to fail because you Ops guys can’t get your shit together!”
“Join the club,” I say.
To get him off my back, I say, “Sarah and Steve decided to move up the Phoenix deployment date to next Friday. They want to skip all the security reviews. You probably should talk to Chris and Sarah right away.”
Predictably, John swears and storms out, slamming the door behind him.
Exhausted, I lean back in my chair and say to Wes, “This is just not our week.”
Wes laughs humorlessly. “I told you that the pace of things around here would make your head explode.”
I gesture at the audit findings. “We’re supposed to protect all our key resources for Phoenix, but that’s sucking in everybody. We don’t have a bunch of people just sitting on the bench we can throw at the audit findings, right?”
Wes shakes his head, his face uncharacteristically pinched with tension.
He flips through his stack of papers again. “We’re definitely going to need to bring the technology leads into this. But as you said, they’re already assigned to the Phoenix team. Should we reassign them here?”
I honestly don’t know. Wes stares at one of the pages for a moment. “By the way, I think a bunch of these will require Brent.”
“Oh, come on.” I mutter. “Brent. Brent, Brent, Brent! Can’t we do anything without him? Look at us! We’re trying to have a management discussion about commitments and resources, and all we do is talk about one guy! I don’t care how talented he is. If you’re telling me that our organization can’t do anything without him, we’ve got a big problem.”
Wes shrugs, slightly embarrassed. “He’s undoubtedly one of our best guys. He’s really smart, and he knows a lot about almost everything we have in this shop. He’s one of the few people who really understand how all the applications talk together at an enterprise level. Heck, the guy may know more about how this company works than I do.”
“You’re a senior manager. This should be as unacceptable to you as it is to me!” I say firmly. “How many more Brents do you need? One, ten, or a hundred? I’m going to need Steve to prioritize all this work. What I need from you is what resources we need. If I ask Steve for more resources, I don’t want to have to crawl back, begging for more later.”
He rolls his eyes. “Look, I’ll tell you right now what’s going to happen. We’ll go to management and present our case. Not only will they say no, they’ll cut our budget by another five percent. That’s what they’ve done for the past five years. In the meantime, everyone will continue to want everything at the same time, and keep adding to our list of things to do.”
Exasperated, he continues, “And just so you know, I have tried to hire more Brents. Because I never got the budget, I eliminated a bunch of positions just so I could hire four more very senior engineers at the same level of experience as Brent. And you know what happened?”
I merely raise my eyebrows.
Wes says, “Half quit within a year, and I’m not getting anywhere near the productivity I need from the ones who stayed. Although I don’t have data to prove it, I’m guessing Brent is even more behind than ever. He complains that he had to spend a bunch of time training and helping the new guys, and is now stretched thinner than ever. And he’s still in the middle of everything.”
I respond, “You said that people ‘add stuff to our list.’ What does the list look like right now? Where can I get a copy? Who owns the list?”
Wes replies slowly, “Well, there are the business projects and the various IT infrastructure projects. But a lot of the commitments just aren’t written down.”
“How many business projects? How many infrastructure projects?” I ask.
Wes shakes his head. “I don’t know offhand. I can get the list of business projects from Kirsten, but I’m not sure if anyone knows the answer to your second question. Those don’t go through the Project Management Office.”
I have a sinking feeling in the pit of my stomach. How can we manage production if we don’t know what the demand, priorities, status of work in process, and resource availability are? Suddenly, I’m kicking myself that I didn’t ask these questions on my first day.
Finally, I’m thinking like a manager.
I call Patty. “Wes and I just got hammered by audit and they need a response one week from Monday. I need your help to figure what all our work commitments are, so I can have an intelligent discussion with Steve about resourcing. Can you talk?”
She says, “That’s right up my alley. Come on over.”
After Wes briefs Patty on the implications of the mammoth audit report that he thumped down on the table, she whistles.
“You know, I really wish you were at that meeting with the auditors,” I say. “Most of the biggest issues were around the absence of a functional change management process. I think you could end up being the auditors’ best friend.”
“Auditors have friends?” she laughs.
“I need you to help Wes estimate the work to fix the audit findings by Monday,” I say. “But right now, let’s talk about a higher level issue. I’m trying to get the list of what all our commitments to the organization are. How big is that list and how do things get on it?”
After hearing what Wes told me, Patty replies, “Wes is right. Kirsten owns the official business project list, almost all of which have something that we’re on the hook for. We have our own IT Operations projects, which are typically managed by the technology budget owner—there is no centralized list of those projects.”
Patty continues, “We also have all the calls going into the service desk, whether it’s requests for something new or asking to fix something. But that list will be incomplete, too, because so many people in the business just go to their favorite IT person. All that work is completely off the books.”
I ask slowly, “So, you’re saying that we have no idea what the list of our commitments is? Really?”
Wes says defensively, “Until now, no one ever asked. We’ve always hired smart people and tasked them with certain areas of responsibility. We’ve never had to manage things beyond that.”
“Well, we need to start. We can’t make new commitments to other people when we don’t even know what our commitments are now!” I say. “At the very least, get me the work estimate to fix the audit findings. Then, for each of those resources, tell me what their other commitments are that we’re going to be pulling them off of.”
Thinking for a moment, I add, “For that matter, do the same thing for every person assigned to Phoenix. I’m guessing we’re overloaded, so I want to know by how much. I want to proactively tell people whose projects have been bumped, so they’re not surprised when we don’t deliver what we promised.”
Both Wes and Patty look surprised. Wes speaks up first, “But…but we’d have to talk with almost everyone! Patty may have fun grilling people on what changes they’re making, but we can’t go around wasting the time of our best people. They’ve got real work to do!”
“Yes, I know they have real work to do,” I say adamantly. “I merely want a one-line description about what all that work is and how long they think it will take!”
Realizing how this might come across, I add, “Make sure you tell people that we’re doing this so we can get more resources. I don’t want anyone thinking that we’re outsourcing or firing anyone, okay?”
Patty nods. “We should have done this a long time ago. We bump up the priorities of things all the time, but we never really know what just got bumped down. That is, until someone screams at us, demanding to know why we haven’t delivered something.”
She types on her laptop. “You just want a list of organizational commitments for our key resources, with a one-liner on what they’re working on and how long it will take. We’ll start with all Phoenix and audit remediation resources first, but will eventually cover the entire IT Operations organization. Do I have it right?”
I smile, genuinely happy that Patty has framed it so succinctly. I know she’s going to do a great job. “Exactly. Bonus points if you and Wes can determine which resources are most overutilized and how many new resources we need. That would be the basis of an ask to Steve for more staffing.”
Patty says to Wes, “This should be pretty straightforward. We can put together fifteen-minute interviews, pull data from our service desk and ticketing system, get Kirsten’s project list…”
Surprisingly, Wes agrees, adding, “We could also look in our budgeting tools to see how we’ve coded personnel and hardware requests.”
I stand up. “Great thinking, guys. Get a meeting set up for us to go over what you find, no later than Friday. I want to have a meeting with Steve on Monday, armed with some real data.”
She gives me the thumbs-up. Now we’re getting somewhere.