Although director Steven Soderbergh went to the well for a third time to film Danny Ocean and his gang pulling off a casino heist, he chose not to return to shoot “Ocean’s Thirteen” at real casinos. Instead, unlike “Ocean’s Eleven” and “Ocean’s Twelve,” which were both filmed at a variety of casinos, the third movie in the series, which opened over the weekend to a huge box-office success, was shot on a Warner Brothers back lot.
The main reason, reportedly, was that the filmmakers couldn’t find a casino available for a long enough period to do the shooting. But the merry band of Vegas thieves might have had a better reason for not returning to the scenes of their first heist, which were shot at Bellagio, the Mirage, and the MGM Grand. Indeed, they might have heard on the Strip about the recent collaboration between Bob Rudloff and Tom Peck to face down threats to the security and integrity of properties owned by MGM Mirage, which include those three venues.
As vice president of internal audit at MGM Mirage—and especially since the Sarbanes-Oxley Act of 2002—Rudloff has long been involved with the company’s information-technology systems and processes. But the links between internal audit and IT have taken on new dimensions since chief information officer Tom Peck came on board in March 2006.
At MGM Mirage, IT runs the reservation systems that assign rooms to guests, the slot machines that pay the winners, and the credit-card systems that cover the losers. The same systems carry the accounting data that tracks and reports revenue (the company reported $7.2 billion of it in 2006) and personal details about the whereabouts and spending habits of some of the world’s most affluent and famous consumers.
But Rudloff and Peck have gone further, hatching a new approach to meeting the company’s compliance, financial, and managerial needs. Rather than just doing an IT audit every couple of months and delivering a report with a list of deficiencies, Rudloff decided to take a pre-emptive step. In March, he dedicated two full-time internal-audit staffers exclusively to working with IT to lead the evaluation of risk related to IT systems.
The goal was not simply to report security issues or other typical IT problems after the fact. Rather, Rudloff wanted to evaluate all the business-critical systems and the potential impact if any one of them were to fail. Working together, internal audit (IA) and IT will identify the points where failure is most likely to occur and brainstorm ways to stop it. “It’s not about having a hacker try to break in so we see where security is weak,” Rudloff explains. “It’s more [about] looking at the IT organization holistically and evaluating if we are running consistent versions of our software across all our business units, where are we planning to change a system or upgrade it, and what risks that could cause.”
As an example, he points to the March meltdown of the global reservation system of US Airways, which soon had customers lined up for hours trying to check in. With MGM guests arriving at its 23 hotels 24 hours a day, “that’s the kind of issue we are trying to get ahead of and avoid,” he says.
If the company’s hotels can’t check guests in, its slot machines stop working, or it can’t issue credit or accept credit cards, it loses revenue. To prevent such outages, MGM Mirage’s internal auditors and its IT team will try to unearth risk throughout its systems, according to Rudloff. They will perform risk triage, gauging the exposures they need to address right now, while not ignoring lower-level perils that can still hurt the business and its customers. “Even a risk of low likelihood can have a very high impact on our operations,” he says.
Two internal auditors out of Rudloff’s staff of 82, Cari Baalman and Patti Rotraxsa, have been working with IT day in and day out, and three others are assigned mainly to work involving IT-related auditing issues. The first two items on IA’s agenda were evaluating a new point-of-sale program for the retail division and an initiative involving the processing of credit-card transactions designed to safeguard customer data. “There’s a lot of information in the mag[netic] stripe on your credit card that we have to protect from falling into the wrong hands,” Rudloff notes. The company is also being aided by Ernst & Young, which is bringing in subject-matter specialists to perform audits of specific technologies as they’re needed.
The first month of the Internal Audit-IT alliance served as a transition period, as Rudloff and Peck considered how best to proceed. Peck has put together a list of assessment and audit projects, some of which will be done completely internally, some by Ernst & Young, and some jointly. They’ve already begun moving to a more risk-based approach to assessing IT general controls that they feel is in keeping with the Public Company Accounting Oversight Board’s proposed Auditing Standard No. 5, which has sought to push auditors to become less dependent on rules. Next comes an IT-specific risk assessment that looks at the company’s plans for future technology upgrades, identifies the highest-risk areas, and puts internal-audit resources in place there.
Despite IA’s aggressiveness in rooting out risks, however, Rudloff doesn’t want to look like another Danny Ocean. “This isn’t internal audit forcing its way into IT,” he says. “It’s a good business practice.”