Green IT

Green IT

Opportunities for Internal Auditors

Opportunities for Internal Auditors

Glen L. Gray, PhD, CPA

Government regulators and other stakeholders are increasing their demands on organizations regarding corporate social responsibility (CSR) and sustainable development. A key component of CSR is reducing an organization’s environmental impact and “green information technology”

(green IT) can play a critical role in this effort.

The report summarizes what organizations and internal auditors are currently doing in the green IT domain and what they should be doing in this area.

Selecting the best green IT solutions — and prioritizing those solutions — for an organization requires careful analysis of all the lifecycle costs (front-end and ongoing), benefits, and risks before selecting the appropriate solutions.

Green IT: Opportunities for Internal Auditors identifies significant opportunities for internal auditors to provide a wide variety of value-added green IT services in auditing, facilitating, and consulting.

RESEARCH

Order No. 5017.dl IIA members US $0 Nonmembers US $25 ISBN: 978-0-89413-707-5

5/11349/PM/GS

RESEARCH

Internal Audit Capability Model (IA-CM) For the Public Sector

Glen L. Gray, PhD, CPA

GREEN IT OPPORTUNITIES FOR INTERNAL AUDITORS

By

Glen L. Gray, PhD, CPA

Copyright © 2011 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or other- wise — without prior written permission of the publisher.

The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

The Institute of Internal Auditors’ (IIA’s) International Professional Practices Framework (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guid- ance to internal auditors globally and paves the way to world-class inter- nal auditing.

The mission of The IIARF is to expand knowledge and understanding of internal auditing by providing relevant research and educational prod- ucts to advance the profession globally.

The IIA and The IIARF work in partnership with researchers from around the globe who conduct valuable studies on critical issues affecting today’s business world. Much of the content presented in their final reports is a result of IIARF-funded research and prepared as a service to The Foundation and the internal audit profession. Expressed opinions, interpretations, or points of view represent a consensus of the research- ers and do not necessarily reflect or represent the official position or policies of The IIA or The IIARF.

ISBN 978-0-89413-707-5 6/11

First Printing

iii

CONTENTS

Acknowledgments ... vii

About the Author ... ix

Preface ... xi

Executive Summary ... 1

Introduction... 5

The Green IT Domain ... 9

IT Acquisition and Deployment ... 10

Electrical and Cooling Management ... 14

Moving to the Cloud ... 15

Paperless Workflow ... 17

Telecommuting ... 18

E-commerce ... 19

Software Design and Deduplication... 19

Manufacturing ... 20

Disposal and Recycling ... 21

Survey Results ... 23

General Opinions Regarding Climate Change and Green IT ... 23

Organizational Green and Green IT Activities ... 25

Calculating a Carbon Footprint ... 26

General and Green IT Initiators ... 28

Relationships of General and Green IT Activities ... 29

Green IT Drivers ... 30

Monitoring IT Energy Use and Setting Goals ... 31

Green IT Activities that Organizations Practice ... 32

Vendor Green Requirements and Audits ... 35

Internal Audit Opportunities on the IT Vendor Side of the SLA ... 37

Can and Should Internal Auditors Become More Involved in Green IT? ... 38

Current Involvement of Internal Auditors in Green IT Activities ... 38

Green IT Activities that Internal Auditors Should be Involved In ... 43

Concluding Comments ... 45

Where to Go From Here? ... 49

Appendix A: Demographics ... 53

Responding Organizations ... 53

Internal Audit Departments ... 56

The Respondents ... 56

References ... 59

The IIA Research Foundation Sponsors ... 63

The IIA Research Foundation Board of Trustees ... 65

The IIA Research Foundation Committee of Research and Education Advisors ... 67

v

FIGURES

Figure 1: Green IT Domain and Value Chain. ... 9 Figure 2: Percentage of Organizations That Measure Their Carbon Footprint. ... 27 Figure 3: “Not Sure” Responses Sorted By Job Position. ... 42

TABLES

Table 1: Summary of Assumptions for Analysis of

Alternative Efficiency Scenarios. ... 12 Table 2: Opinions Regarding Green Statements. ... 24 Table 3: Does Your Organization Have a General

Green Statement? ... 25 Table 4: Does Your Organization Measure Its Carbon

Footprint? ... 26 Table 5: Most Senior Person Driving General and

Green IT Initiatives. ... 28 Table 6: Relationship Between Green IT Activities and

General Green Activities. ... 29 Table 7: Expected Change in Green IT Importance

Over the Next 12 Months. ... 30 Table 8: Importance of Various Potential Green IT

Drivers. ... 31 Table 9: Does Your Organization Monitor IT-related

Energy Spending? ... 32 Table 10: Does Your Organization Have Measurable

Geen IT Goals? ... 32

Table 11: Considering All the Computers in Your

Organization. ... 33

Table 12: Potential Green IT Activities. ... 34

Table 13: Green IT Requirements for Vendors. ... 36

Table 14: Audit Provisions in Green IT Vendor Requirements. ... 36

Table 15: How Many Times Have These Audits Been Performed? ... 37

Table 16: Who Conducted These Vendor Audits? ... 37

Table 17: What Green IT Activities Could You Or Your Internal Audit Department Do? ... 39

Table 18: What Green IT Areas Have You Or Your Department Been Involved In?... 41

Table 19: In General, Should Internal Auditors Be Involved in These Green IT Areas? ... 44

Table 20: Annual Revenue of Responding Organizations. ... 54

Table 21: Industries Represented. ... 55

Table 22: Current Position. ... 56

Table 23: Primary Education or Training Background. ... 57

Table 24: Primary Job/Position Before Becoming an Internal Auditor. ... 57

Table 25: Personal Experiences With General Green Activities. ... 58

Table 26: Personal Experiences With Green IT Experiences. ... 58

vii

ACKNOWLEDGMENTS

The leadership and staff within The IIA Research Foundation (IIARF) have provided considerable tangible assistance in addi- tion to their financial support. I want to extend thanks to Nicki Creatore, who served as project manager, and to the review team, comprising members of The IIARF’s Committee of Research and Education Advisors and The IIA’s Advanced Technology Committee, who offered their time and assistance.

ix

ABOUT THE AUTHOR

Glen L. Gray, PhD, CPA, is a professor in the Accounting and Information Systems Department of the College of Business and Economics at California State University at Northridge. He specializes in information technology and accounting informa- tion systems. His research interests include IT implementation and controls, XBRL, Sarbanes-Oxley, data mining and analysis, auditing and assurance services, financial reporting, and electronic commerce.

He has been a member of the San Fernando Valley Chapter of The IIA since 1988, where he has served as an officer, a board member, and the past webmaster. He has authored seven research reports published by The Institute of Internal Auditors Research Foundation (IIARF): How Internal Auditors Can Improve the Success Rate of System Development Projects (2010), Then and Now: Expectations and Reality of Sarbanes-Oxley (2008), XBRL: Potential Opportunities and Issues for Internal Auditors (2005), Changing Internal Practices in the New Paradigm (2003), Assurance Services within the Audit Profession (2000), Enhancing Internal Auditing through Innovative Practices (1996), and Business Management Auditing: Promoting of Consulting Auditing (1994).

He also co-authored IT Governance and Process Maturity (2008), a research study for ISACA.

In 2006, Dr. Gray was part of a team that prepared a research report titled The Application of Data Mining to Fraud Detection in Financial Statement Audits to the Research Advisory Board.

In 2009, he was a team member on a major research project funded by the AICPA and IAASB resulting in a report titled The Unqualified Auditor’s Report: A Study of User Perceptions, Effects on User Decisions and Decision Processes, and Directions for Future Research.

He has written academic and trade articles related to his research interests and made numerous presentations at trade, professional, and academic conferences in North America, Europe, and Asia.

He has also helped organizations develop database applications, establish websites, acquire computers and software, and iden- tify procedural inefficiency and control weaknesses. He is the webmaster for the audit section of the American Accounting Association.

Before joining the academic world, Dr. Gray was a consultant with national CPA firms and an engineer at an aerospace company. He has a BSEE from Michigan Technological University, an MBA from the University of California, Los Angeles, and a PhD from the University of Southern California.

xi

“If you don’t develop a strategy of your own, you become a part of someone else’s strategy.”

— Alvin Toffler¹

PREFACE

One major driver in the internal audit profession is the search for value-added services that internal auditors can provide in addi- tion to their traditional financial auditing activities. With the passage of the U.S. Sarbanes-Oxley Act of 2002, internal auditing in public companies had to shift significant resources to financial auditing — and other value-added activities were put on the back burner. But Sarbanes-Oxley activities have become less demanding and internal auditing needs to reconfigure its future strategies. As this report suggests, “green information technology (IT)” activities should be considered part of those strategies.

Two years ago, I attended a presentation where a partner from a Big 4 accounting firm described green IT concepts and the related consulting and assurance services his firm provided. That moti- vated me to formulate this study, focusing on how internal auditors could proactively provide these services to their organizations.

This resulting report provides an overview of green IT, summa- rizes a survey of IIA members regarding the green IT activities of their organizations and internal audit departments, and provides suggestions for internal auditors to become more involved in green IT. A few of the survey respondents included some deroga- tory comments, saying that the survey indicates that The IIA was promoting a belief in global warming and mankind’s contribution to it. However, beliefs concerning global warming are not really relevant to this report. The corporate social responsibility (CSR) and sustainable development train has long left the station in that

1 Futurist and author of Future Shock and The Third Wave, as well as many other books. http://www.alvintoffler.net/

sustainability is becoming mainstream for organizations — and, by extension, for internal auditors.² Countries, states, municipali- ties, and other government agencies and regulators around the world have sustainability laws and regulations — and more will be promulgated in the future. These laws and regulations provide growing opportunities for internal auditors. For example, testing the internal controls associated with compliance with laws and regulations, as well as organizational policies that go beyond these legal requirements, is a traditional part of the internal auditor’s responsibility. A growing trend is moving IT activities to cloud computing where an organization’s data and applications reside on a vendor’s computers interconnected by the Internet. Cloud computing introduces a whole new set of risks and internal control issues that the internal auditors could help assess and test.

Although the specific metrics and key performance indicators (KPIs) can vary for different organizations, CSR is about using less energy, water, and other resources, and generating less waste and pollution. Green IT is a critical building block of CSR and sustainable development. As this report illustrates, some green IT activities can be the low-hanging fruit of CSR and sustainable development. Green IT activities can substantially reduce oper- ating costs. Being involved in these activities offers the potential for internal auditing to provide value-added services and should be considered part of the internal audit activity’s strategic plans.

If internal auditors do not provide these services, many outside companies are ready to do so.

Good luck, Glen L. Gray, PhD, CPA

2 See The IIA’s Practice Guide, Evaluating Corporate Social Responsibility/Sustainable Development.

1

EXECUTIVE SUMMARY

Government regulators and other stakeholders are increasing their demands on organizations regarding corporate social responsibility (CSR) and sustainable development. Although the specific metrics and key performance indicators (KPIs) can vary for different orga- nizations, a key objective of CSR is reducing an organization’s environmental impact. Green IT is a critical building block of an organization’s CSR efforts. A comprehensive approach to green IT takes a cradle-to-grave lifecycle perspective. Depending on the industry and the size of the organization, green IT can include:

• Designing IT equipment manufacturing processes to minimize energy use, waste, and pollution.

• Designing IT equipment to maximize recyclable components and materials.

• Designing IT packaging to minimize storage and transportation requirements.

• Selecting IT acquisition and deployment approaches to minimize energy use.

• Designing IT infrastructure to minimize energy, cooling, and water requirements as well as maximizing the subsequent use of resulting warmed air and water.

• Using IT to minimize environmental demands, such as:

• E-commerce and e-procurement.

• Telecommuting.

• Paperless workflows.

• Designing software to minimize IT hardware demands and storage requirements, such as:

• Improving data search algorithms.

• Deduplication.

• Reducing the number of computers and reducing infrastructure demands by moving data and applications to a third party’s cloud computing environment.

• Disposing of IT equipment to maximize reuse and recycling, and to minimize materials sent to landfills.

The Big Four and other accounting and consulting firms are aggres- sively selling green IT consulting, assessment, compliance, and assurance services to organizations. Many of these green IT services seem like a natural fit for internal auditors to offer. Borrowing from an IIA advertisement in the February 2011 issue of Internal Auditor, internal auditors have unique insight into improving the organiza- tion’s processes, procedures, performance, and risk management.

Internal auditing can provide assurance on whether green IT poli- cies are being followed, controls are effective, and the organization is operating as management intends. In large organizations in particular, in addition to financial auditing, the internal auditors are already heavily involved in operational and IT-related activities.

This report summarizes a survey of The IIA’s membership to explore what organizations and internal auditors are currently doing in the green IT domain and what internal auditors should be doing in this area. The survey respondents represented a wide variety of indus- tries, sizes of organizations, and internal auditor positions. Overall, 44 percent of the organizations have some form of general green (sustainability) statement and 38 percent calculate their carbon foot- print. These percentages increase for larger organizations and for certain high-emissions industries. The three primary green IT drivers include (1) reducing operational costs; (2) being socially responsible;

and (3) complying with government regulations.

3 Based on the survey, the experiences of internal audit departments in green IT activities have been minimal, with 3 percent to 10 percent of the respondents reporting that their departments have experiences with specific green IT activities. Between 21 percent and 25 percent of the respondents selected “Not Sure” in response to whether their internal audit departments had the skills to be involved in specific green IT activities. Based on these high percent- ages, if chief audit executives (CAEs) want their departments to become involved proactively in green IT, they must develop educa- tional programs to bring these percentages down.

Considering the low involvement in green IT activities by internal audit departments, there are significant potential opportunities for internal auditors to provide a wide variety of value-added green IT services in auditing, facilitating, and consulting. Depending on how deeply or broadly the internal audit department wants to be involved, it should consider preparing a gap analysis by comparing where it currently is in terms of other priorities and the skill sets of the auditors and where it wants to be in terms of green IT involve- ment. Then the department can develop an action plan to close that gap. Of course, any plan should stay within the department’s charter, strategic plans, and annual risk assessment and within applicable board policies. In addition, while being more involved in green IT can increase the audit department’s visibility and value to the organization, the department must also consider the poten- tial risk to its reputation if problems arise.

A good place to start exploring green IT opportunities is to read The IIA’s Practice Guide, Evaluating Corporate Social Responsibility/Sustainable Development. Two other books, Green IT and The Greening of IT, listed in the References section provide very good overviews of the green IT domain. Internet searches will supply more information on green IT technology and terminology and can also help explore how accounting and consulting firms are marketing and selling green IT services. What are the main hot buttons and talking points? This information will all be valuable Executive Summary

in formulating value-added green IT services that internal auditing can potentially provide to their organizations in auditing, facili- tating, and consulting.

5

INTRODUCTION

In February 2010, The IIA published a Practice Guide titled Evaluating Corporate Social Responsibility/Sustainable Development. Although there are numerous definitions for corporate social responsibility (CSR) and exactly what responsibilities and activities to include under CSR can vary by organization, for the purpose of that practice guide, “CSR refers to social responsibility, sustainable development, and corporate citizenship.” The guide describes the risks and opportunities associated with CSR and provides guid- ance in planning and implementing CSR-related internal audit strategies and programs.

Although the CSR practice guide does not specifically discuss IT, IT provides many opportunities for organizations to reduce their environmental impact, which is a critical component of CSR.

Organizations are becoming increasingly interested in green IT.

According to Murugesan (2008), green IT is:

…the study and practice of designing, manufac- turing, using, and disposing of computers, servers, and associated subsystems — such as monitors, printers, storage devices, and networking and communications systems — efficiently and effectively with minimal or no impact on the environment. Green IT also strives to achieve economic viability and improved system perfor- mance and use, while abiding by our social and ethical responsibilities. Thus, green IT includes the dimen- sions of environmental sustainability, the economics of energy efficiency, and the total cost of ownership, which includes the cost of disposal and recycling. [emphasis added]

Green IT is a good idea from an economic perspective as well as being socially responsible. According to a 2009 white paper

published by T-Systems, in the aggregate, IT causes the same release of CO₂ as nearly 320 million automobiles. Every orga- nization wastes energy and money by not optimizing their IT use. Landfills are filling up rapidly with the disposal of tons of discarded IT equipment. Even small changes in IT practices can make a difference. Leaving one copy machine “on” overnight uses as much energy as copying 1,500 pages.

This report does not debate the degree to which human activities impact the global climate. Although the specific metrics and key performance indicators (KPIs) can vary for different organiza- tions, as the above definition indicates, green IT is synonymous with efficient IT, which in turn means lowering costs (e.g., elec- trical, water, and waste), increasing return on investment (ROI), decreasing demand for natural resources, and decreasing various forms of pollution. The key point is that management should want assurance that the green IT KPIs being reported to them are accurate, complete, and timely — and this could be the internal auditors’ responsibility.

Some non-IT green projects, such as retrofitting the electrical or cooling systems in existing buildings, can require significant front-end investments that may take years, if ever, to provide an economic return. However, green IT projects have the potential for both quick and relatively high ROIs. There are several reasons why this potential is easily achievable. One primary reason is the short lifecycle of IT equipment, which usually has a refresh rate of three to five years. So, unlike retrofitting a 30-year-old building, new IT equipment will be purchased every three to five years whether environmental impact is part of the motivation or not. Because of competitive pressures on IT manufacturers, each new generation of technology is greener (e.g., more energy efficient) than the prior generation. When replacing equipment, organizations can choose from a mix of four broad approaches.

7 Approach 1: Replace boxes with newer boxes. If an organization simply does box-for-box replacements (e.g., replacing desktop PCs with an equal number of new desktop PCs), energy savings will be real- ized automatically. According to the U.S. Environmental Protection Agency (EPA) (2007), current technologies and design strategies could reduce the energy use of a typical server by 25 percent or more.

Approach 2: Replace boxes with smaller boxes. By replacing tradi- tional desktop PCs with thin clients or laptops, the organizations will experience an even more substantial drop in energy use.

Approach 3: Replace boxes with fewer boxes. By implementing virtual- ization software and thereby increasing the use of IT equipment, the organization can reduce the total number of computers purchased, resulting in an even greater decrease in energy use. According to the EPA, implementing best energy-management practices in existing data centers and consolidating applications from many servers to one server could reduce current data center energy usage by around 20 percent.

Approach 4: Eliminate boxes. Organizations could shut down some of their servers and move relevant applications to a cloud computing environment. At first, it may appear that an organi- zation moving to cloud computing is replacing some computers at its location with computers at a vendor’s location, but cloud computing providers have the potential to achieve economies of scale (by increasing usage rates); and they can locate their data centers closer to alternative (non-fossil) energy sources, plentiful (cheaper) water, and less sensitive environments. As an extreme example, Google has more than 200,000 servers, which collec- tively use as much electricity as a small city and generate a huge amount of heat that requires expensive air conditioning and water usage for cooling. In a search to reduce IT-related costs, a March 9, 2009, Wall Street Journal article, “Where Clouds Displace Forests,” describes how Google, Facebook, Amazon, and others have built (or are building) mammoth data centers in Oregon and Washington to be close to cheap electricity and water plus “…low humidity and cool nights.”

Introduction

Note that this report is not promoting any green IT alternatives as one-size-fits-all solutions in the above examples. What works for one organization may be completely inappropriate for another.

The primary point of this report is that selecting the best green IT solutions — and prioritizing those solutions — for an organiza- tion requires careful analysis of all the lifecycle costs (front-end and ongoing), benefits, and risks before selecting the appropriate solutions.

The remainder of this report has three major sections. The first section provides a broad overview of green IT. A key point of that overview is that green IT requires a cradle-to-grave perspective to minimize the environmental impact of IT. The second section summarizes a survey of The IIA membership regarding what orga- nizations and internal auditors are currently doing and what they should (could) be doing in the future. The final section provides concluding comments and suggestions for internal auditors to become more involved in value-added green IT activities.

9

THE GREEN IT DOMAIN

The green IT domain is almost boundless. Exploring green IT takes a cradle-to-grave lifecycle perspective. As Figure 1 illus- trates, green IT covers many elements in the IT value chain. The narrowest focus is captured in the center of Figure 1, namely, IT acquisition and deployment. However, as the following section discusses, green IT includes many more elements.

Figure 1

Green IT Domain and Value Chain

IT Acquisition and Deployment

Some examples of IT acquisition and deployment can be the low- hanging fruit of green IT, such as having a policy of acquiring only ENERGY STAR rated equipment. Just replacing older IT equip- ment with new equipment will generally result in an automatic decrease in energy use. However, organizations should consider even more efficient alternatives, such as replacing desktop PCs with thin clients or laptops, replacing servers with rack-mounted blade servers, and/or moving some applications to cloud computing.

According to a frequently quoted EPA study (EPA 2007), just the servers and data centers in the United States are estimated to have consumed about 61 billion kilowatt hours (kWh) in 2006 (1.5 percent of total U.S. electricity consumption) for a total electricity cost of about $4.5 billion — which is similar to the amount of electricity consumed by approximately 5.8 million average house- holds. This consumption doubled from 2000 to 2006 and could nearly double again by 2011 to more than 100 billion kWh ($7.4 billion annually). About 50 percent of that consumption is power and cooling infrastructure that supports the IT equipment in the data centers. The peak load from these servers and data centers was estimated to be approximately seven gigawatts (GW) in 2006, equivalent to the output of about 15 typical power plants. If this trend continues, this demand would rise to 12 GW by 2011, which would require an additional 10 power plants to be built in the United States to accommodate the increase.

To develop a better understanding of energy-efficiency opportuni- ties that would accelerate adoption of energy-efficient technologies beyond current trends, the EPA’s 2007 report explored three energy-efficiency scenarios:³

3 Although the 155-page EPA report focuses on servers and data centers, their observations and recommendations can be applied to other IT uses.

11

• The “improved operation” scenario includes energy-efficiency improvements beyond current trends that are essentially operational in nature and require little or no capital investment.

This scenario represents the “low-hanging fruit” that can be harvested simply by operating the existing capital stock more efficiently.

• The “best practice” scenario represents the efficiency gains that can be obtained through the more widespread adoption of the practices and technologies used in the most energy-efficient facilities in operation today.

• The “state-of-the-art” scenario identifies the maximum energy-efficiency savings that could be achieved using available technologies. This scenario assumes that servers and data centers in the United States will be operated at maximum possible energy efficiency using only the most efficient technologies and best management practices available today.

Details of the key energy-efficiency assumptions used in the EPA’s analysis are shown in Table 1. These assumptions represent only a subset of the energy-efficiency strategies that could be employed in practice; it is not a comprehensive list of all energy-efficiency opportunities available for data centers.

The Green IT Domain

Table 1

Summary of Assumptions for Analysis of Alternative Efficiency Scenarios

Data Center Subsystem

Scenario IT Equipment Site Infrastructure (Power and Cooling)

Improved Operation

• Continue current trends for server consolidation.

• Eliminate unused servers (e.g., legacy applications).

• Adopt “energy-efficient”

servers to modest level.

• Enable power

management on 100%

of applicable servers.

• Assume modest decline in energy use of enterprise storage equipment.

30% improvement in infrastructure energy efficiency from improved airflow management.

Best Practice

All measures in “improved operation” scenario, plus:

• Consolidate servers to moderate extent.

• Aggressively adopt

“energy-efficient”

servers.

• Assume moderate storage consolidation.

Up to 70% improvement in infrastructure energy efficiency from all measures in “improved operation” scenario, plus:

• Improved transformers and uninterruptible power supplies.

• Improved efficiency chillers, fans, and pumps.

• Free cooling.

13 Table 1

Summary of Assumptions for Analysis of Alternative Efficiency Scenarios (Continued)

Data Center Subsystem

Scenario IT Equipment Site Infrastructure (Power and Cooling)

State of the Art

All measures in “best practice” scenario, plus:

• Aggressively consolidate servers.

• Aggressively

consolidate storage.

• Enable power management at data center level of applications, servers, and equipment for networking and storage.

Up to 80% improvement in infrastructure energy efficiency, due to all measures in “best practice” scenario, plus:

• Direct liquid cooling.

• Combined heat and power.

Source: EPA (2007) The Green IT Domain

Electrical and Cooling Management

In an IDC white paper, Scaramella and Eastwood (2007) estimated that by 2012, for each dollar spent to acquire a computer another dollar will be spent on electrical power and cooling. Considering the current increases in energy costs, their estimates may now be understated. Or, as another comparison, according to a white paper by Force 10 Networks, each watt used by IT equipment requires an additional 1.4 to 2.0 watts to remove the heat generated by the equipment. As such, electrical and cooling management are an integral part of even basic green IT activities. In fact, in many cases, electrical and cooling management can drive IT acquisition and deployment decisions by selecting equipment that uses less power.

For many organizations, the total number of IT devices employed grew incrementally over several years. Initially, the server rooms were just regular office spaces where servers were placed and, over time, more and more servers and peripheral equipment were added as IT demands grew. Generally, this server room was cooled by the building’s regular cooling system. Then, as the number of servers and other devices increased, a booster or isolated cooling system was added. However, these regular or isolated cooling systems usually cooled all the air in the room, which is very inefficient because the IT devices heated the air in the room and then the air was circulated through the cooling system to keep all of the air in the room at a desired temperature. A green alternative is to use rack-mounted servers, enclose the rack, and put a fan at one end to blow all the hot air out one vent at the other end. At minimum, that hot air could be vented directly outside, making little or no demands on the building’s cooling system.

For larger organizations, managing electrical and cooling costs can include major organizational changes. For example, Google opened a data center in the Midwest so it can use wind-generated electricity and reduce its use of fossil fuel-generated electricity.

15 As mentioned in the Introduction, Google, Facebook, Amazon, and others have built (or are building) mammoth data centers in Oregon and Washington to be near cheap electricity and water.

No matter what actions are taken, even the most efficient IT equip- ment is going to generate heat. Some organizations have found creative ways to use this heat instead of just dissipating it into the air or water. For example, Intel recycles the excess heat from a data center to heat offices and provide warm water for cafeterias.⁴ A Swedish company uses the heat to warm a community swimming pool.

Moving to the Cloud

A growing trend, which relates to both IT deployment and infra- structure design, is moving data and applications to third-party servers interconnected via the Internet. This service is generally referred to as cloud computing, which reflects the ubiquitous and nebulous aspects of the Internet.⁵ The servers could be located literately anywhere in the world and can be accessed from anywhere in the world. Conceptually, cloud computing is like an electrical utility and the underlying electrical grid. An organization pays for the level of service it needs and those costs will increase as the organization grows and makes more demands on the cloud. The core assumption is that the service provider will keep expanding its resources so that any additional demands by its customers will be met.

4 A podcast describing this heat recycling is available at http://www.

podtech.net/home/5053/data-centers-recycle-excess-heat.

5 For an overview of cloud computing, see http://en.wikipedia.org/wiki/

Cloud_computing.

The Green IT Domain

Since a third party will have the organization’s data, a whole new set of risks will have to be assessed. For example, an organiza- tion could discover it is sharing the same servers and databases with a competitor. Even though the competitors are on different virtual machines, knowing that they are sharing the same physical machines could/would make management uncomfortable. Some managers may even be uncomfortable with a competitor using the same cloud computer vendor whether their data resides on the same physical servers or not. Issues regarding stipulating and testing of internal controls can be particularly challenging, depending on the applicability of Sarbanes-Oxley (mainly Sections 302 and 404), Payment Card Industry (PCI), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Basel Accords, as well as the privacy and breach-notice laws that have been enacted by many states.⁶

Generally, cloud computing is divided into three layers, each of which may have its own risk and control issues. The Software as a Service (SaaS) layer is the application layer with its relevant application control issues. For example, how strong are the access controls? If the cloud can be accessed from literately anywhere in the world, access controls are paramount. Does the service provider have super users who can access any server at any time? The next layer is the Platform as a Service (PaaS), which is essentially the data layer. An important control here would be encrypting the data so even if a provider’s super user or unauthorized outsiders hackers) access the data, they cannot really do anything with it.

The third layer is the Integration as a Service (IaaS), which is about managing the virtual machines.⁷

6 See the list of state breach notification laws at http://www.ncsl.org/

Default.aspx?TabId=13489.

7 One source of information regarding cloud security are available from the Cloud Security Alliance at http://www.cloudsecurityalliance.org/

Their Top Threats to Cloud Computing is available at: http://www.cloud- securityalliance.org/topthreats/csathreats.v1.0.pdf.

17 The service-level agreement (SLA) must address the above ques- tions/issues as well as other issues, such as the provider’s disaster recovery and continuity plans. Then someone, such as internal auditors, must provide assurance that the vendor is in compliance with the SLA.

Paperless Workflow

In the aggregate, paper has a major impact on the environment.

Nearly 4 billion trees are used annually for paper production, which is about 35 percent of all trees harvested.⁸ Many of those trees, at least in the United States, do come from tree farms. According to Technical Association for the Worldwide Pulp, Paper and Converting Industry (TAPPI), 2.5 billion trees are planted each year in the United States.⁹ However, Velte et al. (2008) indicates that deforestation has released 120 billion tons of carbon dioxide (CO2) into the atmosphere. In addition, the EPA reports that each year millions of pounds of toxic chemicals such as toluene, meth- anol, chlorine dioxide, hydrochloric acid, and formaldehyde are released into the air and waterways from papermaking plants.¹⁰ Transporting cut trees, manufacturing paper, and transporting paper products use tremendous amounts of various forms of energy and generate carbon monoxide (CO). Organizations dedicate significant cubic feet of space (e.g., storage shelves, file cabinets, desk drawers, boxes in storage rooms and off-site storage, etc.) to store all their paper materials. Compounding the demand for storage are the many duplicate copies of paper documents that exist in organizations. To these costs, organizations can also add

8 http://ecology.com/features/paperchase/.

9 http://www.tappi.org/paperu/all_about_paper/faq.htm.

10 http://www.epa.gov/tri/.

The Green IT Domain

expenses for postage, ink and laser cartridges, energy to power printers, and so on. Finally, paper not being saved and stored must be disposed of and may be sent to a landfill or recycling center, which requires transportation and processing.

As such, all workflows should be reviewed to identify opportuni- ties to eliminate or reduce paper usage. The opportunities should be transformed into policies, which in turn can be monitored periodically by internal auditing.¹¹ In broad terms, those policies could include:

• Record retention rules.

• Document copying and distribution.

• Electronic billing and statements (both to customers and from vendors).

• Email instead of regular mail and faxes.

• Paper recycling.

Telecommuting

A significant CSR contribution of IT can be supporting telecom- muting. With modern computers and the ubiquitous reach of the Internet, there is no technological reason for not implementing tele- commuting. Besides the obvious savings associated with reduced transportation costs, telecommuting reduces required parking and office space (and associated lighting, cooling, and heating).

Obviously, not every job is a candidate for telecommuting. On the other hand, telecommuting is not an all-or-nothing proposition.

While some employees could work away from the office nearly

11 Chapter 6 of Green IT provides a broad overview of going paperless.

19 100 percent of the time because of their job responsibilities, other employees may be able to telecommute for some parts of their work week. At IBM, the internal auditors responsible for auditing travel and entertainment expenses work essentially 100 percent of the time from their homes (Gray 2004).

E-commerce

E-commerce and e-procurement can greatly reduce trips to stores both on the buying and selling side. As discussed before, reducing vehicle transportation has an immediate and significant impact of reducing fossil fuel and other energy uses and pollution.

Software Design and Deduplication

How software applications use IT hardware can have a major impact on the amount of hardware needed to support the appli- cations and the level of use of that hardware. For example, many applications have processes that access storage devices to search and retrieve data. At the extreme, there are data mining appli- cations designed to conduct complex, multi-attribute searches through extremely large data warehouses. No matter the degree of search activities (moderate-size applications through major data mining applications), inefficient searches are very demanding on central processing units (CPUs) and data storage devices. As such, a part of green IT consideration must be given to tuning data searches to improve their efficiency. While extreme, Lamb (2009) mentions an example where a data search algorithm was changed to reduce searches from eight hours to eight minutes.

With the highly decentralized IT environment that exists in most organization, files are frequently propagated and duplicated. For example, if a person sends out an email with a 1MB attachment to 100 employees, the server and/or client computers will be storing 100MB in the aggregate because the 1MB attachment will be stored The Green IT Domain

in each recipient’s email folder. Then, if email folders are backed up each day, after 10 days, that original 1MB attachment is now occupying 1GB (10 days x 1MB x 100 employees) of storage space.

Federal evidence laws mandate how long organizations must archive emails, which adds to the multiplicative aspects of file storage requirements. This growing demand for storage means purchasing more storage devices and using more energy. In addi- tion, these big files require more CPU resources to search and retrieve data.

As a short-term deduplication solution, organizations can encourage employees to post attachments to the organization’s intranet and then include a link in the emails to the referenced attachments. For the longer term, the email software could be modified to include pointers to the attachment instead of including the actual attachment with each email.

Manufacturing

Moving upstream in the IT value chain, the manufacture, ware- housing, and distribution of IT-related equipment have a very large carbon footprint. For example, Apple estimated that in 2009, it was responsible for 9.6 million metric tons of greenhouse gas, which breaks down as follows:¹²

• 45 percent from manufacturing.

• 5 percent from transportation.

• 3 percent for Apple facilities.

12 The summary material regarding Apple’s environmental activities are extracted from http://www.apple.com/environment/.

21

• 1 percent from recycling

• 46 percent from consumers’ use of Apple products

Like most companies in the IT supply chain, Apple has an ongoing program to reduce its carbon footprint and has reduced the mate- rials used in its products. For example, the current 21.5-inch iMac is designed with 50 percent less material and generates 35 percent fewer carbon emissions than the first-generation, 15-inch iMac.

The packaging for the MacBook is 53 percent smaller than for the first-generation MacBook, which means 80 percent more MacBook boxes fit on each shipping pallet. Apple claims that this reduced packaging saves one 747 flight for every 23,760 units it ships.

Disposal and Recycling

On one hand, it is good news that IT is on a three- to five-year refresh cycle because that means that organizations are constantly deploying the latest technologies with decreasing energy demands.

On the other hand, that refresh cycle generates a huge amount of trash. Besides the sheer volume (both in quantity and in cubic feet) of IT equipment that must be disposed of, IT equipment includes toxic materials that can be released into the atmosphere or leached into the soil and water supply.

Because the components were so valuable in secondary markets, traditional mainframe computers were historically stripped of parts instead of being completely discarded. Starting in the early 1980s, as desktop computers were growing in popularity, discarded equipment ended up entirely in landfills. Municipalities soon real- ized that landfills were filling up faster than projected and passed laws that restricted the dumping of IT equipment. Organizations have incorporated a variety of activities to reduce their volume of discards that go to landfills. If the equipment is still functioning, it can be distributed inside the organization to people who do not The Green IT Domain

need the latest technology, or it can be sent to outside (typically not-for-profit) organizations.

Some organizations (including some not-for-profit organiza- tions) will accept discarded equipment. They may either strip the equipment of valuable metals (e.g., gold and platinum) and toxic materials, or clean and upgrade the equipment and distribute it to other organizations.

It is critical that disk drives be sanitized (“wiped”) before computers are transferred inside the organization or sent to outside organiza- tions. Merely deleting (e.g., using Windows’ delete function) the data does not actually remove it; the data can be easily restored with free or commercial un-erase software. Special wipe programs are available to overwrite all the data on the disk drive.¹³ Going one step further, there are services that can physically shred an entire disk drive.

13 U.S. Department of Defense standards are available in the NISP Operating Manual (also called NISPOM or DoD 5220.22-M) and Defense Security Service’s Cleaning and Sanitization Matrix (C&SM).

The National Institute of Standards and Technology (NIST) publishes Guidelines for Media Sanitization (Special Publication 800-88), which includes sanitation methods.

23

SURVEY RESULTS

This section provides a summary of The IIA membership green IT survey results and is divided into two major subsections. The first subsection provides statistics on what organizations are doing in terms of general (non-green IT) green activities and green IT activ- ities. The second subsection explores what internal auditors are currently doing and what they could or should be doing in terms of green IT activities. A summary of the demographics of the organi- zations, internal audit departments, and the survey participants is included in Appendix A.

General Opinions Regarding Climate Change and Green IT

Table 2 shows the participants’ level of agreement with six state- ments regarding climate change and green IT. For the first four statements, a majority (55 percent to 61 percent) “Agreed” or

“Strongly Agreed” with each statement. For all five statements, a minority (16 percent to 20 percent) “Disagreed” or “Strongly Disagreed” with those statements. The fact that 26 percent to 32 percent of the participants selected “Not Sure” or “Neutral”

may reflect the ongoing debates about global warming and man’s impact on it. Climate change and the impact of humans on those changes are still argued and I am not advocating one side or the other, but it is important to capture the beliefs of the participants because those beliefs provide a foundation for other opinions stated in the survey.

Table 2

Opinions Regarding Green Statements

Statements

Not Sure Strongly Disagree Disagree Neutral Agree Strongly Agree Rating Average

0 1 2 3 4 5

1. The weather/

climate is really

changing. 6% 7% 9% 20% 30% 28% 3.4

2. Human- created carbon emissions are causing climate changes.

10% 9% 7% 20% 30% 25% 3.3

3. Green IT has a major role in reducing our organization’s carbon footprint.

12% 5% 8% 20% 37% 18% 3.2

4. Green IT is important to our organization.

8% 7% 7% 18% 39% 22% 3.4

5. Green IT costs more than

“business as usual.”

15% 2% 18% 28% 29% 8% 2.8

6. The IT department uses green IT to justify IT projects too often.

25% 13% 32% 23% 5% 2% 1.8

25 In terms of the impact of IT, 55 percent of the respondents

“Agreed” or “Strongly Agreed” that green IT has a major role in reducing their organization’s carbon footprint. In terms of green IT costs, the respondents were more split with 37 percent indicating that green IT costs more than business as usual and 21 percent indicating otherwise. Only a small fraction (7 percent) indicated that IT overuses green IT to justify projects.

Organizational Green and Green IT Activities

Table 3 shows that 44 percent of organizations in this study have some form of general green (sustainability) statement. For 20 percent of the organizations, their sustainability statement has risen to the level of importance such that the statement is part of the organization’s mission or vision statement. On the other hand, for 25 percent of the organizations, general green activities do not impact their decisions.

Table 3

Does Your Organization Have a General Green Statement?

Options Percent

Yes, it’s actually an integral part of our mission or vision

statements. 20%

Yes, it’s not part of our mission statement, but it’s on our website — and employees are reminded that it’s

there (e.g., via periodic emails to employees). 18%

Yes, it’s posted to our website, but it’s not actively

publicized to our employees. 6%

There is no formal, written statement, but we do

consider ecological impact in decisions. 30%

No. 25%

Other. 1%

Survey Results

Calculating a Carbon Footprint

Table 4 indicates that 38 percent of organizations calculate their carbon footprint, with a small group (10 percent) doing a separate calculation for IT. Almost half (46 percent) of the organizations do not measure their carbon footprints and have no plans to do so in the future.

Table 4

Does Your Organization Measure Its Carbon Footprint?

Options Percent

Yes — IT is not separately calculated. 28%

Yes — IT is separately calculated. 10%

No, but we plan to do the measurement in the near

future. 14%

No, and we have no plan to do so in the near future. 46%

Other. 2%

As Figure 2 illustrates, in general, the percentage of organizations measuring their carbon footprint increases significantly for larger organizations. Also, the percentage of organizations that make a separate measurement for IT increases for larger organizations.

27 Figure 2

Percentage of Organizations that Measure Their Carbon Footprint

As would be expected, the number of organizations that measured their carbon footprint also varied by industry. The IIA member- ship database has 22 industry codes. For five industries, more than half the organizations measure their carbon footprint. Specifically, those industries included transportation (88 percent), utilities (76 percent), manufacturing (52 percent), aerospace and defense (50 percent), and energy/oil and gas (50 percent). At the low end were health services (18 percent), insurance carrier/agents (14 percent), and the nonprofit sector (14 percent).

Survey Results

General and Green IT Initiators

For those organizations with general and/or green IT initiatives, Table 5 shows the most senior person driving each of those initia- tives. The numbers in the table indicate that green IT does not have the same level of status as general green activities. For 60 percent of the organizations with general green initiatives, the senior-most person driving those initiatives is either a board member or the CEO, but that drops to a combined 31 percent for green IT initia- tives. For 42 percent of the organizations with green IT initiatives, the senior-most person driving those initiatives was the chief infor- mation officer (CIO).

Table 5

Most Senior Person Driving General and Green IT Initiatives

Options

General Green Initiatives

Green IT Initiatives

Board member 24% 14%

Chief executive officer (CEO) 36% 17%

Chief financial officer (CFO) 2% 2%

Chief operating officer (COO) 10% 6%

Chief information officer (CIO) 2% 42%

Chief audit executive (CAE) 2% 1%

Business unit managers 24% 18%

29

Relationships of General and Green IT Activities

Table 6 shows the relationship of general and green IT activities and Table 7 shows the expected change in the importance of green IT over the next 12 months. At first, it may seem a little surprising that nearly half (47 percent) of the participants reported that green IT activities lag behind other general green activities because many green IT activities are cherry-picking opportunities in that it is fairly easy to realize a return on green IT investments. This lag may reflect the findings presented in Table 5 that a significant number of general green activities are initiated by a board member or CEO, but green IT activities are most frequently initiated by the CIO.

Table 6

Relationship Between Green IT Activities and General Green Activities

Options Percent

Green IT activities parallel other general green activities. 40%

Green IT activities lead (are more advanced than) other

general green activities. 10%

Green IT activities lag behind other general green

activities. 47%

Other. 3%

On the other hand, Table 7 shows that a third (34 percent) of the participants indicated that green IT is expected to become more important over the next 12 months.

Survey Results

Table 7

Expected Change in Green IT Importance Over the Next 12 Months

Options Percent

More important 34%

About the same 62%

Less important 4%

Green IT Drivers

Table 8 shows the importance of various potential green IT drivers. The drivers are listed in order based on the driver’s rating average. The fact that the top four drivers have similar rating aver- ages indicates that green IT is multifaceted. As the last driver in the table indicates, the action of competitors is a relatively minor driver, with 28 percent of participants indicating that it was not important.

31 Table 8

Importance of Various Potential Green IT Drivers

Drivers ^Not

Important Somewhat Important Important Very Important Rating Average

1 2 3 4

Reducing operational

costs (e.g., energy use). 5% 13% 40% 42% 3.2 Socially responsible thing

to do. 6% 15% 43% 36% 3.1

Government regulations. 8% 17% 35% 40% 3.1

Meet organization’s

overall green initiatives. 12% 19% 44% 26% 2.8 Actions of competitors. 28% 29% 30% 13% 2.3

Monitoring IT Energy Use and Setting Goals

Table 9 and Table 10 indicate how closely organizations monitor IT energy use and whether they set measurable green IT goals (e.g., reduce electrical usage by 25 percent over the next three years).

Survey Results

Table 9

Does Your Organization Monitor IT-related Energy Spending?

Table 10

Does Your Organization Have Measurable

Green IT Goals?

Options Percent Options Percent

Yes. 36% Yes — measurable

green IT goals. 15%

No, but we plan to

in the near future. 14%

We have broad green IT goals, but not specific numbers.

27%

No. 50% No. 56%

Green IT Activities that Organizations Practice

Table 11 and Table 12 explore the implementation of potential green IT activities. Table 11 quantifies the degree of distribution or implementation of four green IT activities, which are listed in order of their rating average. By far the most popular activity has been replacing cathode ray tube (CRT) monitors with flat-panel displays. This is an example of picking low-hanging fruit when it comes to green IT activities. Compared to a flat-panel display, a CRT monitor uses more electricity; generates more heat; has higher disposal costs due to its bulky size, poisonous gas in the CRT tube, and toxic metals in the onboard circuitry; and, because of its weight, requires more energy to ship along the supply chain.

33 Table 11

Considering All the Computers in Your Organization

Activities

None 1% to 25% 26% to 50% 51% to 75% 76% to 99% Essentially 100% Rating Average

1 2 3 4 5 6

What percentage of desktop computers is connected to flat-panel displays (as opposed to traditional CRT monitors)?

2% 7% 5% 13% 29% 43% 4.9

What percentage of employees who have an organization- provided computer have just a laptop computer?

5% 37% 22% 17% 13% 7% 3.1

What percentage of data processing takes place in an Internet-based

“cloud computing”

environment?

28% 37% 16% 9% 7% 3% 2.4

What percentage of desktop computers is

“thin clients” (no hard drive)?

38% 41% 8% 6% 4% 3% 2.0

Survey Results

Table 12 lists 12 potential green IT activities in order of popu- larity. Two of the more popular activities (automatically switching to sleep mode and turning off equipment at night) are almost zero- cost activities in terms of implementation. It is interesting that the second and third activities in the table deal with the end-of-life part of the lifecycle. This probably reflects common regulatory restrictions on disposing of electronic equipment in landfills.

Table 12

Potential Green IT Activities

Activities ^Yes

Sometimes No, But Plan to in the Future No and Don’t Expect That to Change

Configure desktops to automatically

enter sleep mode when inactive. 65% 18% 5% 13%

Use recycling service to dispose of

obsolete IT equipment. 62% 22% 6% 10%

Participated in product take-back/

recycling programs from vendors. 53% 24% 8% 15%

Educate users to turn off IT

equipment at night. 49% 23% 6% 22%

Reduce server power consumption. 48% 25% 9% 18%

Use virtualization software to reduce

the number of servers. 47% 23% 9% 21%

Reduce desktop computer power

consumption. 38% 25% 11% 26%

Install more efficient data center

power supplies. 33% 22% 15% 30%

35 Table 12

Potential Green IT Activities (Continued)

Activities ^Yes

Sometimes No, But Plan to in the Future No and Don’t Expect That to Change

Modified data center cooling

infrastructure to improve efficiency. 29% 17% 12% 41%

Use cloud computing to reduce the

number of servers. 22% 25% 21% 33%

Build a new data center that is

energy efficient. 18% 8% 14% 61%

Moved a data center to another city/

state to reduce energy costs and/or

environmental impact. 11% 7% 6% 76%

Vendor Green Requirements and Audits

Ultimately, organizations rely extensively on vendors to meet their green IT goals. In addition to buying energy-efficient computers and infrastructure hardware from vendors, a number of organiza- tions have also outsourced some of their IT activities to vendors (e.g., the use of cloud computing) to help achieve green objectives.

As discussed in the Introduction, outsourcing is not a zero-sum game — organizations are not just moving energy use from one location (the organization) to another (the vendor). For example, because of economies of scale and learning curve effects, cloud- commuting vendors could be more efficient in the aggregate than the organizations that outsource to them. Plus, these outsourcing vendors could establish their operations at locations where those operations could have a lesser impact on the environment.

Survey Results

With all that said, it raises the question: How do organizations know whether the vendors are achieving the performance terms of their contracts and service-level agreements (SLAs)? The survey asked a series of questions to explore that question. As Table 13 shows, 40 percent of organizations at least sometimes include green requirements in contracts and purchase agreements with IT vendors. For those respondents who answered “Yes” or

“Sometimes” to the question summarized in Table 13, they were then asked whether those contracts or agreements included audit provisions. The responses to that question are shown in Table 14.

Table 13

Green IT Requirements for Vendors

Table 14

Audit Provisions in Green IT Vendor Requirements

Options Percent Options Percent

Yes. 13% Yes 24%

Sometimes. 27% Sometimes 36%

No. 59% No. 39%

For those who answered “Yes” or “Sometimes” to that question, they were then asked how many times those audits have actually been performed. Of those organizations that do include an audit requirement (see Table 15), 30 percent have not performed any vendor audits. For those organizations that have performed audits (see Table 16), internal auditing has participated in 77 percent of those vendor audits — in some cases, as part of a team with people from outside of internal auditing.

In response to a final question in this section, less than half (44 percent) of the respondents who came from organizations that perform these audits have conducted them personally.

37 Table 15

How Many Times Have These Audits

Been Performed?

Table 16

Who Conducted These Vendor Audits?

Options Percent Options Percent

0 30% Internal auditing. 77%

1 to 5 57% Someone from the

IT department. 20%

6 to 10 2% External auditor/

consultant from an

accounting firm. 20%

11 to 20 4% External person not

from an accounting

firm. 17%

More than 20 6% (More than one response

allowed.)

Internal Audit Opportunities on the IT Vendor Side of the SLA

The survey questions related to vendor auditing were from the buyer’s perspective. Of course, in any contract or SLA there are two parties — the seller (the vendor) and the buyer. If the buyer’s purchase order specifies green requirements and, in particular, if the buyer requires the right to audit whether the vendor has met those requirements, then these requirements impose a risk on the vendor. The level of that risk depends on the size of the contract and the penalties for not meeting the requirements of the contract.

For example, the risk could be very significant if the contract allows the buyer to cancel the remaining contract and impose a penalty that requires the vendor to repay any monies already paid on the canceled contract.

Survey Results