IT Compliance Institute, April 4, 2006:
Trends and Technologies
Excess Baggage: Unwanted Inventory Costs Millions
Are your warehouses stuffed with unordered stuff? Companies are suffering huge financial losses due to a lack of effective business controls that check incoming inventory against orders. New software frameworks that tackle this dilemma could save your business millions.
By Mathew Schwartz
If a well-known retailer with $25 billion in annual sales loses millions of dollars per year because it blindly accepts inventory it never ordered, whose fault is it?
John Lazarine, global IT audit director of Raytheon, relates just such a case—one of his former employers, a national retailer with massive distribution centers throughout the country.
Their problem: goods were scanned upon arrival at a distribution center’s loading dock, then simply added to the warehouse. What they weren’t checking was whether or not they had actually ordered the product.
Effective software auditing isn’t just about discovering if a specific application works (such as loading-dock software for tracking inventory). Especially in today’s regulated environments, it’s also about knowing whether needed business controls are in place and working.
IT and audit frameworks such as COSO and CobiT are common and effective ways to ascertain that proper controls are in place. A newer option is the “Software Security Audit Framework,” sponsored by information assurance and auditing provider Ounce Labs and written by Charles Le Grand, CEO of CHL Global Associates.
IT and Audit Frameworks
Effective IT and audit frameworks are mandatory for helping companies diagnose not just control problems, but also business problems. “If you don’t have a good framework both from an audit framework and from an IT perspective to manage software in general,” notes Lazarine, you can face “significant cost issues,” plus problems with “risk, stability, availability of systems, and integrity of data.”
The issue isn’t auditing, but auditing effectively. At the aforementioned retailer, financial auditors had conducted annual audits for more than 10 years. But they focused on whether the company’s software could track inventory, without ever asking whether the inventory included unwanted assets.
The company’s inventory control problem was apparently well known, with many suppliers taking advantage of it, an issue Lazarine discovered during an audit. “I found out that there were a large number of times that vendors were just sending us merchandise that not only had we not ordered or didn’t need, but in extreme cases, we had an overstock and were selling that overstock in a discount store, then taking more at cost, losing money.”
After Lazarine’s audit the retailer implemented a simple preventive software control: incoming items were scanned at the loading dock and checked against open purchase orders, and anything not ordered was immediately rejected (once goods entered the labyrinthine warehouse, they were not going back). Subsequently, the retailer reaped millions in recurring savings from reduced inventory, handling, and storage costs.
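The loading-dock control described above reduces to a small matching routine: a scanned shipment line is accepted only up to the quantity still open on a purchase order for that SKU, and anything else is turned away and logged for the auditors. The following Python is an added illustration, not code from the retailer, Ounce Labs, or the article; the purchase-order numbers, SKUs and the one-line scan format (`<timestamp> SKU-nnnn qty=N`) are constructed for the example. It goes slightly beyond the text by handling partial over-shipments (accept what was ordered, reject the excess) and unparseable scans.

```python
"""Loading-dock receiving check: a preventive control that matches scanned
inventory against open purchase orders before it enters the warehouse.

Added illustration; not the retailer's or the article's code. The scan-line
format and the PO/SKU identifiers below are constructed for the example.
"""
from dataclasses import dataclass
import re


@dataclass
class PurchaseOrderLine:
    po_number: str
    sku: str
    ordered: int
    received: int = 0

    @property
    def remaining(self) -> int:
        # Quantity the supplier may still legitimately deliver on this line.
        return self.ordered - self.received


class ReceivingControl:
    """Accept scanned goods only against open PO lines; reject and log the rest."""

    def __init__(self, open_orders):
        # Index open PO lines by SKU, oldest PO first, so deliveries draw down
        # the earliest order before later ones.
        self.open_lines: dict[str, list[PurchaseOrderLine]] = {}
        for line in sorted(open_orders, key=lambda l: l.po_number):
            self.open_lines.setdefault(line.sku, []).append(line)
        # Audit trail of (sku, rejected_qty, reason) for every turned-away scan.
        self.rejections: list[tuple[str, int, str]] = []

    def receive(self, sku: str, qty: int) -> tuple[int, int]:
        """Return (accepted_qty, rejected_qty) for one scanned shipment line."""
        if qty <= 0:
            raise ValueError("scanned quantity must be positive")
        accepted = 0
        for line in self.open_lines.get(sku, []):
            take = min(line.remaining, qty - accepted)
            if take <= 0:
                continue  # this PO line is already filled
            line.received += take
            accepted += take
            if accepted == qty:
                break
        rejected = qty - accepted
        if rejected:
            reason = ("no open purchase order for SKU" if sku not in self.open_lines
                      else "exceeds remaining ordered quantity")
            self.rejections.append((sku, rejected, reason))
        return accepted, rejected


# Constructed scan format: "<timestamp> SKU-<digits> qty=<digits>"
SCAN_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sku>SKU-\d+)\s+qty=(?P<qty>\d+)$")


def process_dock_scans(control: ReceivingControl, scan_lines) -> dict:
    """Run every scanner line through the control; unparseable lines are counted,
    never accepted, since an unreadable scan cannot be matched to an order."""
    totals = {"accepted": 0, "rejected": 0, "unparsed": 0}
    for raw in scan_lines:
        m = SCAN_RE.match(raw.strip())
        if not m:
            totals["unparsed"] += 1
            continue
        acc, rej = control.receive(m["sku"], int(m["qty"]))
        totals["accepted"] += acc
        totals["rejected"] += rej
    return totals


def demo():
    # Constructed open orders and a constructed morning of dock scans.
    open_orders = [
        PurchaseOrderLine("PO-7781", "SKU-1001", ordered=100),
        PurchaseOrderLine("PO-7790", "SKU-1001", ordered=40),
        PurchaseOrderLine("PO-7782", "SKU-2002", ordered=25),
    ]
    control = ReceivingControl(open_orders)
    scans = [
        "2006-04-04T08:12 SKU-1001 qty=120",  # fills PO-7781, draws 20 from PO-7790
        "2006-04-04T08:15 SKU-3003 qty=10",   # never ordered: rejected outright
        "2006-04-04T08:20 SKU-1001 qty=30",   # only 20 still open: 10 rejected
        "2006-04-04T08:21 SKU-2002 qty=25",   # exact match
        "garbled scan line",                  # unreadable: counted, not accepted
    ]
    totals = process_dock_scans(control, scans)
    return totals, control.rejections


if __name__ == "__main__":
    print(demo())
```

The design point is that the check is preventive and sits at the dock, before the goods are booked into stock; the rejection list is what a later audit would compare against supplier shipping notices to show which vendors were pushing unordered merchandise.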
Helping CEOs Ask the Right Questions
Tracking the right information is key for maintaining effective IT controls. Yet when it comes to application development, there’s often a lack of a lingua franca for discussing essential controls, notwithstanding such frameworks as COSO and CobiT.
“What auditable security controls should be present inside applications if an organization is to feel good about its security?” asks Jack Danahy, chief technology officer of Ounce. Their new “Software Security Audit Framework” is an attempt to answer that question, he says.
While the framework can be applied to developing new software, don’t start auditing there, says Le Grand. “You want to start with the existing code, because that’s what we’re providing assurance for: that the systems currently in place are secure, will provide accurate and reliable information, and that they will be sustainable—all the typical control issues.”
One part of the framework is designed to help auditors, while another targets executives. “We give them the questions they should ask in these environments, to know that they’re protected,” says Le Grand. “Frankly, these guys are not experts and don’t want to be experts in the IT control environment.” Under Sarbanes-Oxley (SOX), CEOs and CFOs can go to jail over falsified financial information, yet they rely on their CIO, external consultants, and external auditors to tell them what’s relevant.
Since many organizations audit to meet regulatory requirements, the guide includes crosswalks between COSO and CobiT and such regulations as SOX and HIPAA. “What we’ve done is taken the subject of software security assurance and broken it down into the key elements, and compared those to where they’re actually referenced in the requirements and key guidelines,” says Le Grand. “So if SOX says you have to do these things, then we say, ‘Okay, here are the specific [things] you’re addressing when you address the vulnerabilities of your software services.’”
The guide also provides an overview of automated vulnerability assessment tools, which are relatively new. Because of that, “Not every auditor—and especially auditors without a technical background—will understand the availability and appropriate uses of those tools,” he says. “So that was a lot of the reasoning behind addressing management and auditors in the guide we prepared.”
One Framework, Many Standards
Will Ounce’s new framework catch on? While it’s too soon to tell, it is already attracting interest. Le Grand notes he’s being invited to speak on the framework, including presenting to the Canadian Institute of Chartered Accountants. Ounce and Le Grand have also been promoting it to other auditors, including the Internal Auditors Research Foundation (of which Le Grand is a past CIO).
“The framework they developed was very thorough,” notes Raytheon’s Lazarine, who says he plans to use aspects of it. “There are a lot of frameworks I look at, because there are always some things in frameworks I like more than others.” As that suggests, auditors often have to combine aspects of different frameworks to audit any particular environment.
Audit and IT frameworks aren’t just a nice thing to have: they can also drive noticeable cost savings. As Lazarine notes, “If you can save a million dollars for the company in terms of identifying waste, and you’ve got a 10 percent margin, you’d need to have 10 million dollars in sales to make up for that.”
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.