US House Inspector General: IT Audit Activist - InformationWeek




At the 2014 GRC Conference, House IG Theresa Grafenstine argues internal auditors must be more forward-looking -- and explains why being exempt from regulations just makes her job harder.

In a Congress slanted every which way, trying to work equally well with Democrats and Republicans takes a sense of humor, and Theresa Grafenstine laughs a lot.

Speaking at a West Palm Beach, Fla., gathering that included both financial and IT auditors and risk managers, Grafenstine described her job as US House Inspector General as "like internal audit, only with access to firearms." More seriously, in her presentation at the 2014 GRC Conference and in an interview with InformationWeek, Grafenstine advocated for auditors taking a more proactive role in preventing problems, rather than merely categorizing what went wrong after their organization's finances, information security, and reputation have already suffered damage.

"If you don't front-manage risks and they blow up, you pay for it in the long run," she said.


It's not Grafenstine's job to participate in audits or investigations of other agencies, but to act as an internal auditor for the US House of Representatives itself, as an institution. The House is an enterprise of about 11,000 people, with 22 staff members for every member of Congress plus all the committee staffs, plus Capitol Police, maintenance and security personnel, and administrative staffers. Her own office has a staff of 24.

Grafenstine plays what is necessarily a strictly non-partisan role, capable of working with leaders on all sides and impartially focusing on concerns that should be equally important to all -- making sure Congress's budget and IT systems are well-managed. "If a hacker wants to hack into us and steal our information, I don't care if the hacker is a D or an R," Grafenstine said. Her role is such that all the Congressional leaders of both parties had to agree, unanimously, on her appointment. "I've had to get them to agree on everything I do for 17 years."


She has been walking the non-partisan tightrope since 1998, when she joined the Inspector General's office as an IT auditor. She was appointed to the top job in 2010, only the fourth person to hold the IG job since the creation of the office. Before coming to work for the House, she was an IT auditor at the Department of Defense.

While stressing her non-partisan status, Grafenstine wasn't afraid to mention the launch of as one of several examples of where more proactive oversight would have saved a government agency a lot of grief and the public a lot of money. "You have to wonder, where were the auditors there?"

Actually, it's not so mysterious. In some circles, her advocacy of proactive auditing is a controversial proposition -- not because auditors don't want to prevent problems, but because they must stay strictly independent if they are to do their jobs properly. She argues auditors can still sound alarms earlier. "We never make management decisions, we just give them the data," she said.

The line auditors can't cross is taking on operational responsibility, Grafenstine said, because "then you're just a manager." She believes her office strikes the right balance by keeping one team focused on traditional retrospective auditing work, while another concentrates on more forward-looking risks. The more formal discipline of enterprise risk management is something she is working hard to establish as part of the operations of the House.

Grafenstine serves as an international VP of ISACA, the IT-focused audit organization that put on the 2014 GRC Conference in partnership with the Institute of Internal Auditors, which has also been noting the rising importance of IT and cyber security concerns.

Although cyber security and IT operations aren't the only concerns for the House or any other organization, they are hugely important, Grafenstine said. Congress is famously unpopular overall, and there are partisans on both sides -- including partisan hackers who hate their opponents with a white-hot passion. Just imagine the damage one of those people might do given the chance to access an opposing leader's email account or the records of a key Congressional committee. Nor is cyber security the only IT-related risk for the House. What if the electronic system that it uses to record votes were to be wiped out by an electromagnetic pulse, either manmade or natural? There has to be a backup.

Congress also needs to plan for more drastic worst-case scenarios. One of Grafenstine's major projects has been updating a comprehensive plan for "Continuity of Congress," or "if the Capitol building wasn't there anymore, what do you do?" If the building burns down, blows up, or gets caught in a Sharknado, Congress needs a plan to regroup at another location and reconstitute both digital and institutional systems that will allow it to go back to work and address the crisis. Lots of groups within Congress, from IT and the Clerk's office to the Capitol Police, had their own continuity plans, but she needed to ensure that they were all coordinated.

Regulatory compliance is less of an issue for Congress than most organizations -- almost a non-issue because Congress exempts itself from most regulations. "I know that's something that drives a lot of citizens crazy," Grafenstine acknowledges.

Here's the trick, though. As much as everyone complains about regulation, in general those rules were put in place for a reason. That means


David F. Carr oversees InformationWeek's coverage of government and healthcare IT. He previously led coverage of social business and education technologies and continues to contribute in those areas. He is the editor of Social Collaboration for Dummies (Wiley, Oct. 2013) and ...

Comments

David F. Carr (Author), 8/22/2014 | 9:43:41 AM
Re: Raising risk awareness
Perhaps we should even give Congress a little bit of credit for recognizing the need to have an Inspector General (the office is relatively new; Theresa worked for three IGs who preceded her)

Charlie Babcock (Author), 8/21/2014 | 7:53:29 PM
Raising risk awareness
Fascinating picture of an auditor in a difficult position, David. It's amazing Theresa has lasted as long as she has as Inspector General. Also, how many times have we all understood that "when something is really wrong with an organization, plenty of people are aware of the problem." Yet it's impossible to do anything about it. Instead of embedded journalists, perhaps some military operations, particularly invasions of other countries, should have embedded auditors.

David F. Carr (Author), 8/20/2014 | 5:41:49 PM
Would you want this job?
Must be quite a challenge to stand apart from the partisan rancor in Congress.