Come Monday, the EDP Audit Supervisor, Alf James (widely known as AJ, to tell him apart from Alf, his boss), felt sure his group had come a big step closer to one of his boss's fond ambitions. The pair who had spent a week in the Mulgrave Centre had produced a very searching report on Computer Centre procedures, with a recommendation for higher-profile involvement in the Centre's operations. With the help of his O & M visitor, he had completed a parallel investigation on Security control, and his report, completed over the weekend, pressed strongly for the separation of Computer Security and EDP Audit. Each of those functions, he claimed, had become too specialised and too important to share staff and priorities, at the very least.
Beneath the Computer Centre audit report was an undertone he wasn't comfortable with, however. Ken Murray was a newcomer as Software Manager, and the Report from the Audit pair was pretty scathing about control and security in the Software and Operations areas both. One week's training on the Computer's software security package didn't make them unbeatable experts but it did show them that the system upset of ten days ago had really been very badly handled. That was Murray’s problem. Alf would ask old Rosen's advice, and maybe he'd need to water down the strength of the reports to Murray and his Operations equivalent. No sense in getting them offside.
He had a brief preview of the other two reports, one on the System fault, the other on Control procedures in the Centre, on Friday evening, and now he settled back to study the manuscripts while they were being typed. The first priority, clearly, was the System fault.
There were four distinct shortcomings pointed out. Accounting were almost a fortnight late with that Payables run, and who knew how many other of their commitments, and weren't sure whether they'd get it any better next month. The Systems Programming group had put inexperienced people, without adequate supervision, on the recovery project. The Operations staff had packed up, as a group, late Friday, and walked away hoping for good news next week. Last, the Database team, and to a less culpable extent the Applications Programmers, had stood politely by while Rome might have been burning, while their users took second place to some hobbyist investigation.
James pushed his chair back and stared out the window for a while. Inadequate or unfamiliar procedures, no effective supervision, very little user sensitivity. Any malicious intent, he wondered? Re-reading a couple of earlier paragraphs, he conceded they didn't know, and could not at this stage find out. Too late; should they say anything about the malpractice aspect?
He jotted down an extra sentence for the summary section of the report, suggesting that such loose supervision could invite staff dishonesty, but decided to go no further. He carried the note out to the typist for inclusion, and settled down again with the "Centre Procedures" manuscript.
An hour later, he was very satisfied with that, as well. The boss had been pressing him and his people for months now to take more interest in System auditing. Old Rosen felt they should be asking more awkward questions, about how effectively and efficiently the work was being done, whether the rules were right, why timetables might not be met - all that sort of behind-the-scenes evaluation.
Today, he felt, they'd taken the first small step. The Computer Centre people had been careless, true, but the rules were inadequate, too.
A brief phone conversation with Rosen, and he set up a series of discussion meetings for the next two days with the four involved Managers. Rosen wanted to come along for the meeting with Ken Murray, heaven knew why, so he set that one for late Wednesday.
With the next two days accounted for, James settled back for a while to plan out the next step. Most of the other corporate EDP Audit groups he knew of had started into some kind of annual Computer Project Review. Any development project run by the Computer people had budget and timetable constraints, which mattered a great deal to many more people than just the Computer group. The standing joke in the Computer industry needed to be addressed: computer projects were always over time and over budget. You just had to learn to live with it - but did you?
James had presented the relevant highlights of the System Fault report three times to other Managers by the time old Rosen arrived from the City to join him for a repeat performance with Murray, the Software Manager. He wasn't looking forward to it - he'd already gone through unsatisfying discussions with two of Murray's subordinates, who assured him they knew all the answers, and it wouldn't happen again. The Operations Manager had felt the whole mess had nothing to do with him, and James wasn't sure which he disliked more: apparent irresponsibility, or apparent insensitivity.
Murray invited the Audit managers in cordially, accepted the report, and laid his hands flat on it.
"What's it say, gentlemen? I'll read the lot later, and maybe I'll want to ask more questions. For now, what can you tell me about Database and Systems Programming?"
James briefly laid out the main points, the sketchy supervision, inexperience and intervention oversights without interruption, and outlined his recommendations.
"Yes," Murray guided, "we've discussed some of those briefly, and I'm waiting on another report from some friends I ...."
"We've not talked about that yet, Ken," Rosen cut in. "We're very keen at the moment to see how you feel about our own opinions. Are the judgments we're making credible, and are the final recommendations digestible?"
Murray recovered quickly, but James had noticed the redirection, and began to wonder what was going on. Another report?
"In a nutshell," Alf took up smoothly, "what are you proposing to do with this information, Ken, and can we help any further?" It was a bit early to be that pushy, but the reference to a second opinion was puzzling. Even stranger, Rosen seemed to know all about it.
"To take your three points in order," Murray responded unruffled, "I think your people have done a splendid piece of investigative work, and I've started doing some work already along the lines of your recommendations. You probably realise that we need to clean up some policy areas before we can get some of the Procedures you talk about in place. That's valuable, because you've fastened on several more than I had. Now tell me, what was the result of that training one of our people delivered a couple of weeks back for your people?" Obviously, the subject of the report was closed, the junior Alf presumed.
Briefly, he identified the nature of the training course - an update on the IBM access control software system. He explained how, over the week, the group had moved from a stance of frustration to discovering a new tool. Time well spent, he assured Murray, and his group was very grateful for Bayliss' help.
"What kind of people do you think he could communicate so well with?" Murray pressed. "Was this just a special case, do you think, a case of warming to his specialty?"
"Security isn't his specialty, I wouldn't think," James chuckled, beginning to see the direction of the conversation. It seemed to him as though Bayliss' performance was under review - a promotion in the wind, perhaps. Maybe he could do the man a favour here. "No, the only real expertise he's got in the security area is in knowing how to bypass the present system controls. He's up to a lot of those tricks, in the sense that he knows how, that is, and he was very open with us on what our people ought to have known about long before. I admit we all had similar technical backgrounds, and he’s got special value from his work. I also think he did a damned good communications job."
"Would you have him on your staff?" Murray finished.
"Too right, if he's available. He'd be a precious resource. I'd have to watch out for my job, though," James finished. So he was right; Bayliss was being "fitted" for bigger things.
The discussion was over. That helped to explain a lot of things to AJ. Murray had been pleased with his brief introduction to the Audit report. He probably knew he had most of the issues identified. He probably wasn't very hopeful about attacking those problem areas through the efforts of Fred Hart, the defensive Systems Programming Supervisor, or Jack Arnold, the carefree supervisor of Database Engineering. So Murray was looking at his options. So that's it!
Back behind his desk, James spent a few minutes reviewing the surprises of the last hour. Murray had reacted totally unlike his two subordinates to the very idea of audit comment. He welcomed outside opinion, whereas they seemed to resent it. Murray was already collecting information from other sources and, James surmised, was questioning the ability of subordinates.
He couldn't do anything so blunt as wave a flag for Bayliss, but he'd take a bit of care that his people's references to and around Murray's areas weren't misunderstood. Bayliss had done nothing but good for EDP Audit: and a lot of it, too. While everyone seemed to be talking in shadows, Bayliss particularly need not cop any criticism unjustly.
It was early next week when Ken Murray got his second report on the surrounds of the System fault from his friend at Peat Marwick. It was hand-delivered on Tuesday, a slim six-page collection of conclusions and recommendations. His boss and the Audit Manager would have received copies as he had asked, and the only thing unique about his bundle was the additional $22,000 invoice. A bit steep, but he'd been very specific about how he wanted things done: very quickly, very thoroughly, and discreetly - some task statement, he knew, so the bill stood to be steep if the material was good. He started by mentally recalling the question.
"Last weekend," he had asked, "there was a fault in the Computer system that caused the aborting of an Accounts Payable routine. How serious was it, how serious could it have been, how well did staff recover from it, how should a recurrence be minimised or avoided?"
The PMM team felt the fault was probably not serious at all, but inadequate procedures and inept activities could have made it into a fully fledged disaster. Luck had prevented far more serious inconvenience and damage, they proposed.
The Centre Operations Manager merited a bucketing. There was neither a Fault Acceleration nor a disaster plan. Both were needed urgently, and PMM would be delighted to help. Of course they would, Murray surmised; it would be a couple of man-months of very lucrative work for them.
The lack of supervision all round was heavily criticised; the visiting team were aghast at the number of involved supervisors who'd smugly packed up last thing on Friday night with nothing more than high hopes. Their suggested acceleration plan would fix that; and anyway, they pointed out, in many Centres the System Programmers wouldn't be allowed in Operations areas, much less left alone there over a weekend. Those people knew so much about the insides of the machine that, for security reasons, many Centres these days didn't let them anywhere close to the outsides, the peripherals. A point to think about, Murray noted.
Last, the PMM team suggested daintily, they had discussed the potential role of Internal Audit after the fiasco. If, as they surmised, Consolidated did not believe its own EDP Audit group was competent to undertake such investigations, then high-level management scrutiny of that view seemed appropriate. The modern view of Internal Audit's role centered on good management control and effective procedures. So where were they?
That was the substance of his $22,000 report.
His three main supervisors needed a shakeup; that wasn't any news to him. If the Centre needed a Fault Acceleration Program, the same three people (or someone in their positions) would need to provide an on-call service to implement it, some day.
That was why he'd got a second opinion, not a very complimentary one, on three of his people. Through the local network, he'd identified a potential replacement for Fred Hart from Hart's own ranks. The best way to proceed, he decided, was to ask the Personnel Director in the city office to give him an account of the readiness and willingness of Bayliss for a promotion. While that was being done discreetly, he'd have to start discussions with the Computer Manager about the feasibility of barring System staff access to Operations areas. And while that conversation got warmed up, he would press on Arnold and Hart to upgrade their supervisory skills, by a large amount.
At least nobody had perceived any real attempt at malpractice, just an impressive line-up of gaping security holes. He knew that, too: the other week he'd heard the Security Guard called by name. The contractor needed a shakeup as well; they ought to rotate those guards more often than that. What a mess! Seemed you couldn't rely on anybody, except perhaps this largely unknown quantity, Bayliss.
He phoned Personnel to get that project started right away.