If the company’s hotels can’t check people in, its slot machines don’t work, or it can’t issue credit or accept credit cards, it loses revenue. To prevent such occurrences, MGM Mirage’s internal auditors and its IT team will try to unearth risk throughout its systems, according to Rudloff. They will perform risk triage, gauging the exposures they need to address right now, while not ignoring lower-level perils that still can hurt its business and its customers. “Even a risk of low likelihood can have a very high impact on our operations,” he says.
Two internal auditors out of Rudloff’s staff of 82, Cari Baalman and Patti Rotraxsa, have been working with IT day in and day out, and three others are assigned mainly to work involving IT-related auditing issues. The first two items on IA’s agenda were evaluating a new point-of-sale program for the retail division and an initiative involving the processing of credit-card transactions designed to safeguard customer data. “There’s a lot of information in the mag[netic] stripe on your credit card that we have to protect from falling into the wrong hands,” Rudloff notes. The company is also being aided by Ernst & Young, which is bringing in subject-matter specialists to perform audits of specific technologies as they’re needed.
The first month of the Internal Audit-IT alliance served as a transition period, as Rudloff and Peck considered how best to proceed. Peck has put together a list of assessment and audit projects, some of which will be done completely internally, some by Ernst & Young, and some jointly. They’ve already begun moving to a more risk-based approach to assessing IT general controls that they feel is in keeping with the Public Company Accounting Oversight Board’s proposed Auditing Standard No. 5, which has sought to push auditors to become less dependent on rules. Next comes an IT-specific risk assessment that looks at the company’s plans for future technology upgrades, identifies the highest risk, and puts internal audit resources in place in those areas.
Despite IA’s aggressiveness in rooting out risks, however, Rudloff doesn’t want to look like another Danny Ocean. “This isn’t internal audit forcing its way into IT,” he says. “It’s a good business practice.”