Green-IT FINALwCover

Green-IT
Opportunities for Internal Auditors

Green IT
H
Glen L. Gray, PhD, CPA Opportunities for Internal Auditors
Government regulators and other stakeholders are increasing their
C
demands on organizations regarding corporate social responsibility (CSR)
and sustainable development. A key component of CSR is reducing an
Internal Audit Capability Model (IA-CM) For the Public Sector

organization’s environmental impact and “green information technology”
(green IT) can play a critical role in this effort.
R
The report summarizes what organizations and internal auditors are currently
doing in the green IT domain and what they should be doing in this area.
Selecting the best green IT solutions — and prioritizing those solutions — for
A
an organization requires careful analysis of all the lifecycle costs (front-end
and ongoing), benefits, and risks before selecting the appropriate solutions.
Green IT: Opportunities for Internal Auditors identifies significant
E
opportunities for internal auditors to provide a wide variety of value-added
green IT services in auditing, facilitating, and consulting.
R
S
C
E Glen L. Gray, PhD, CPA

Order No. 5017.dl
H
IIA members US $0
R
Nonmembers US $25
ISBN: 978-0-89413-707-5
5/11349/PM/GS
GREEN IT OPPORTUNITIES FOR
INTERNAL AUDITORS
By
Glen L. Gray, PhD, CPA

Disclosure
Copyright © 2011 by The Institute of Internal Auditors Research

Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida
32701-4201. All rights reserved. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted in any form by
any means — electronic, mechanical, photocopying, recording, or other-
wise — without prior written permission of the publisher.
The IIARF publishes this document for informational and educational

purposes. This document is intended to provide information, but is not a
substitute for legal or accounting advice. The IIARF does not provide
such advice and makes no warranty as to any legal or accounting results
through its publication of this document. When legal or accounting
issues arise, professional assistance should be sought and retained.
The Institute of Internal Auditors’ (IIA’s) International Professional

Practices Framework (IPPF) comprises the full range of existing and
developing practice guidance for the profession. The IPPF provides guid-
ance to internal auditors globally and paves the way to world-class inter-
nal auditing.
The mission of The IIARF is to expand knowledge and understanding

of internal auditing by providing relevant research and educational prod-
ucts to advance the profession globally.
The IIA and The IIARF work in partnership with researchers from
around the globe who conduct valuable studies on critical issues affecting
today’s business world. Much of the content presented in their final
reports is a result of IIARF-funded research and prepared as a service to
The Foundation and the internal audit profession. Expressed opinions,
interpretations, or points of view represent a consensus of the research-
ers and do not necessarily reflect or represent the official position or
policies of The IIA or The IIARF.
ISBN 978-0-89413-707-5
6/11
First Printing
CONTENTS
Acknowledgments.................................................................... vii
About the Author..................................................................... ix
Preface...................................................................................... xi
Executive Summary................................................................... 1
Introduction.............................................................................. 5
The Green IT Domain............................................................... 9
IT Acquisition and Deployment........................................... 10
Electrical and Cooling Management..................................... 14
Moving to the Cloud............................................................. 15
Paperless Workflow............................................................... 17
Telecommuting..................................................................... 18
E-commerce.......................................................................... 19
Software Design and Deduplication..................................... 19
Manufacturing...................................................................... 20
Disposal and Recycling......................................................... 21
Survey Results......................................................................... 23
General Opinions Regarding Climate Change
and Green IT........................................................................ 23
Organizational Green and Green IT Activities...................... 25
Calculating a Carbon Footprint............................................ 26
General and Green IT Initiators........................................... 28
Relationships of General and Green IT Activities................ 29
Green IT Drivers.................................................................. 30
Monitoring IT Energy Use and Setting Goals...................... 31
Green IT Activities that Organizations Practice.................... 32
iii
Green IT Opportunities for Internal Auditors
Vendor Green Requirements and Audits............................... 35

Internal Audit Opportunities on the IT
Vendor Side of the SLA..................................................... 37
Can and Should Internal Auditors Become
More Involved in Green IT?.................................................. 38
Current Involvement of Internal Auditors in
Green IT Activities............................................................ 38
Green IT Activities that Internal Auditors Should
be Involved In.................................................................... 43
Concluding Comments............................................................ 45
Where to Go From Here?...................................................... 49
Appendix A: Demographics..................................................... 53
Responding Organizations.................................................... 53
Internal Audit Departments.................................................. 56
The Respondents.................................................................. 56
References................................................................................ 59
The IIA Research Foundation Sponsors.................................. 63

The IIA Research Foundation Board of Trustees.................... 65
The IIA Research Foundation Committee of
Research and Education Advisors............................................ 67
iv
FIGURES
Figure 1: Green IT Domain and Value Chain............................ 9

Figure 2: Percentage of Organizations That Measure Their
Carbon Footprint.................................................................... 27
Figure 3: “Not Sure” Responses Sorted By Job Position.......... 42
TABLES
Table 1: Summary of Assumptions for Analysis of

Alternative Efficiency Scenarios............................................... 12
Table 2: Opinions Regarding Green Statements....................... 24
Table 3: Does Your Organization Have a General
Green Statement?..................................................................... 25
Table 4: Does Your Organization Measure Its Carbon
Footprint?................................................................................ 26
Table 5: Most Senior Person Driving General and
Green IT Initiatives.................................................................. 28
Table 6: Relationship Between Green IT Activities and
General Green Activities.......................................................... 29
Table 7: Expected Change in Green IT Importance
Over the Next 12 Months......................................................... 30
Table 8: Importance of Various Potential Green IT
Drivers..................................................................................... 31
Table 9: Does Your Organization Monitor IT-related
Energy Spending?.................................................................... 32
Table 10: Does Your Organization Have Measurable
Geen IT Goals?........................................................................ 32
v
Table 11: Considering All the Computers in Your

Organization............................................................................ 33
Table 12: Potential Green IT Activities..................................... 34
Table 13: Green IT Requirements for Vendors......................... 36
Table 14: Audit Provisions in Green IT Vendor
Requirements........................................................................... 36
Table 15: How Many Times Have These Audits Been
Performed?............................................................................... 37
Table 16: Who Conducted These Vendor Audits?.................... 37
Table 17: What Green IT Activities Could You Or Your
Internal Audit Department Do?............................................... 39
Table 18: What Green IT Areas Have You Or Your
Department Been Involved In?................................................ 41
Table 19: In General, Should Internal Auditors Be
Involved in These Green IT Areas?.......................................... 44
Table 20: Annual Revenue of Responding Organizations......... 54
Table 21: Industries Represented.............................................. 55
Table 22: Current Position....................................................... 56
Table 23: Primary Education or Training Background............. 57
Table 24: Primary Job/Position Before Becoming an
Internal Auditor....................................................................... 57
Table 25: Personal Experiences With General Green
Activities.................................................................................. 58
Table 26: Personal Experiences With Green IT
Experiences.............................................................................. 58
vi
ACKNOWLEDGMENTS
The leadership and staff within The IIA Research Foundation

(IIARF) have provided considerable tangible assistance in addi-
tion to their financial support. I want to extend thanks to Nicki
Creatore, who served as project manager, and to the review team,
comprising members of The IIARF’s Committee of Research
and Education Advisors and The IIA’s Advanced Technology
Committee, who offered their time and assistance.
vii
ABOUT THE AUTHOR
Glen L. Gray, PhD, CPA, is a professor in the Accounting and

Information Systems Department of the College of Business
and Economics at California State University at Northridge. He
specializes in information technology and accounting informa-
tion systems. His research interests include IT implementation
and controls, XBRL, Sarbanes-Oxley, data mining and analysis,
auditing and assurance services, financial reporting, and electronic
commerce.
He has been a member of the San Fernando Valley Chapter of

The IIA since 1988, where he has served as an officer, a board
member, and the past webmaster. He has authored seven research
reports published by The Institute of Internal Auditors Research
Foundation (IIARF): How Internal Auditors Can Improve the
Success Rate of System Development Projects (2010), Then
and Now: Expectations and Reality of Sarbanes-Oxley (2008),
XBRL: Potential Opportunities and Issues for Internal Auditors
(2005), Changing Internal Practices in the New Paradigm (2003),
Assurance Services within the Audit Profession (2000), Enhancing
Internal Auditing through Innovative Practices (1996), and Business
Management Auditing: Promoting of Consulting Auditing (1994).
He also co-authored IT Governance and Process Maturity (2008),
a research study for ISACA.
In 2006, Dr. Gray was part of a team that prepared a research

report titled The Application of Data Mining to Fraud Detection
in Financial Statement Audits to the Research Advisory Board.
In 2009, he was a team member on a major research project
funded by the AICPA and IAASB resulting in a report titled The
Unqualified Auditor’s Report: A Study of User Perceptions, Effects
on User Decisions and Decision Processes, and Directions for Future
Research.
ix
He has written academic and trade articles related to his research

interests and made numerous presentations at trade, professional,
and academic conferences in North America, Europe, and Asia.
He has also helped organizations develop database applications,
establish websites, acquire computers and software, and iden-
tify procedural inefficiency and control weaknesses. He is the
webmaster for the audit section of the American Accounting
Association.
Before joining the academic world, Dr. Gray was a consultant with
national CPA firms and an engineer at an aerospace company. He
has a BSEE from Michigan Technological University, an MBA
from the University of California, Los Angeles, and a PhD from
the University of Southern California.
x
“If you don’t develop a strategy of your own,
you become a part of someone else’s strategy.”
— Alvin Toffler1
PREFACE
One major driver in the internal audit profession is the search for
value-added services that internal auditors can provide in addi-
tion to their traditional financial auditing activities. With the
passage of the U.S. Sarbanes-Oxley Act of 2002, internal auditing
in public companies had to shift significant resources to financial
auditing — and other value-added activities were put on the back
burner. But Sarbanes-Oxley activities have become less demanding
and internal auditing needs to reconfigure its future strategies. As
this report suggests, “green information technology (IT)” activities
should be considered part of those strategies.
Two years ago, I attended a presentation where a partner from a

Big 4 accounting firm described green IT concepts and the related
consulting and assurance services his firm provided. That moti-
vated me to formulate this study, focusing on how internal auditors
could proactively provide these services to their organizations.
This resulting report provides an overview of green IT, summa-
rizes a survey of IIA members regarding the green IT activities of
their organizations and internal audit departments, and provides
suggestions for internal auditors to become more involved in
green IT. A few of the survey respondents included some deroga-
tory comments, saying that the survey indicates that The IIA was
promoting a belief in global warming and mankind’s contribution
to it. However, beliefs concerning global warming are not really
relevant to this report. The corporate social responsibility (CSR)
and sustainable development train has long left the station in that
Futurist and author of Future Shock and The Third Wave, as well as
1
many other books. http://www.alvintoffler.net/
xi
sustainability is becoming mainstream for organizations — and,

by extension, for internal auditors.2 Countries, states, municipali-
ties, and other government agencies and regulators around the
world have sustainability laws and regulations — and more will
be promulgated in the future. These laws and regulations provide
growing opportunities for internal auditors. For example, testing
the internal controls associated with compliance with laws and
regulations, as well as organizational policies that go beyond these
legal requirements, is a traditional part of the internal auditor’s
responsibility. A growing trend is moving IT activities to cloud
computing where an organization’s data and applications reside
on a vendor’s computers interconnected by the Internet. Cloud
computing introduces a whole new set of risks and internal control
issues that the internal auditors could help assess and test.
Although the specific metrics and key performance indicators

(KPIs) can vary for different organizations, CSR is about using
less energy, water, and other resources, and generating less waste
and pollution. Green IT is a critical building block of CSR and
sustainable development. As this report illustrates, some green
IT activities can be the low-hanging fruit of CSR and sustainable
development. Green IT activities can substantially reduce oper-
ating costs. Being involved in these activities offers the potential
for internal auditing to provide value-added services and should
be considered part of the internal audit activity’s strategic plans.
If internal auditors do not provide these services, many outside
companies are ready to do so.
Good luck,
Glen L. Gray, PhD, CPA
See The IIA’s Practice Guide, Evaluating Corporate Social

2
Responsibility/Sustainable Development.
xii
EXECUTIVE SUMMARY

demands on organizations regarding corporate social responsibility
(CSR) and sustainable development. Although the specific metrics
and key performance indicators (KPIs) can vary for different orga-
nizations, a key objective of CSR is reducing an organization’s
environmental impact. Green IT is a critical building block of an
organization’s CSR efforts. A comprehensive approach to green
IT takes a cradle-to-grave lifecycle perspective. Depending on the
industry and the size of the organization, green IT can include:
• Designing IT equipment manufacturing processes to minimize

energy use, waste, and pollution.
• Designing IT equipment to maximize recyclable components

and materials.
• Designing IT packaging to minimize storage and transportation

requirements.
• Selecting IT acquisition and deployment approaches to

minimize energy use.
• Designing IT infrastructure to minimize energy, cooling, and

water requirements as well as maximizing the subsequent use
of resulting warmed air and water.
• Using IT to minimize environmental demands, such as:

• E-commerce and e-procurement.
• Telecommuting.
• Paperless workflows.
1
• Designing software to minimize IT hardware demands and

storage requirements, such as:
• Improving data search algorithms.
• Deduplication.
• Reducing the number of computers and reducing infrastructure

demands by moving data and applications to a third party’s
cloud computing environment.
• Disposing of IT equipment to maximize reuse and recycling,

and to minimize materials sent to landfills.
The Big Four and other accounting and consulting firms are aggres-
sively selling green IT consulting, assessment, compliance, and
assurance services to organizations. Many of these green IT services
seem like a natural fit for internal auditors to offer. Borrowing from
an IIA advertisement in the February 2011 issue of Internal Auditor,
internal auditors have unique insight into improving the organiza-
tion’s processes, procedures, performance, and risk management.
Internal auditing can provide assurance on whether green IT poli-
cies are being followed, controls are effective, and the organization
is operating as management intends. In large organizations in
particular, in addition to financial auditing, the internal auditors are
already heavily involved in operational and IT-related activities.
This report summarizes a survey of The IIA’s membership to explore

what organizations and internal auditors are currently doing in the
green IT domain and what internal auditors should be doing in this
area. The survey respondents represented a wide variety of indus-
tries, sizes of organizations, and internal auditor positions. Overall,
44 percent of the organizations have some form of general green
(sustainability) statement and 38 percent calculate their carbon foot-
print. These percentages increase for larger organizations and for
certain high-emissions industries. The three primary green IT drivers
include (1) reducing operational costs; (2) being socially responsible;
and (3) complying with government regulations.
2
Executive Summary
Based on the survey, the experiences of internal audit departments

in green IT activities have been minimal, with 3 percent to 10
percent of the respondents reporting that their departments have
experiences with specific green IT activities. Between 21 percent
and 25 percent of the respondents selected “Not Sure” in response
to whether their internal audit departments had the skills to be
involved in specific green IT activities. Based on these high percent-
ages, if chief audit executives (CAEs) want their departments to
become involved proactively in green IT, they must develop educa-
tional programs to bring these percentages down.
Considering the low involvement in green IT activities by internal

audit departments, there are significant potential opportunities for
internal auditors to provide a wide variety of value-added green
IT services in auditing, facilitating, and consulting. Depending on
how deeply or broadly the internal audit department wants to be
involved, it should consider preparing a gap analysis by comparing
where it currently is in terms of other priorities and the skill sets of
the auditors and where it wants to be in terms of green IT involve-
ment. Then the department can develop an action plan to close
that gap. Of course, any plan should stay within the department’s
charter, strategic plans, and annual risk assessment and within
applicable board policies. In addition, while being more involved
in green IT can increase the audit department’s visibility and value
to the organization, the department must also consider the poten-
tial risk to its reputation if problems arise.
A good place to start exploring green IT opportunities is to

read The IIA’s Practice Guide, Evaluating Corporate Social
Responsibility/Sustainable Development. Two other books, Green
IT and The Greening of IT, listed in the References section provide
very good overviews of the green IT domain. Internet searches will
supply more information on green IT technology and terminology
and can also help explore how accounting and consulting firms
are marketing and selling green IT services. What are the main hot
buttons and talking points? This information will all be valuable
3
in formulating value-added green IT services that internal auditing

can potentially provide to their organizations in auditing, facili-
tating, and consulting.
4
INTRODUCTION
In February 2010, The IIA published a Practice Guide titled Evaluating

Corporate Social Responsibility/Sustainable Development. Although
there are numerous definitions for corporate social responsibility
(CSR) and exactly what responsibilities and activities to include
under CSR can vary by organization, for the purpose of that
practice guide, “CSR refers to social responsibility, sustainable
development, and corporate citizenship.” The guide describes the
risks and opportunities associated with CSR and provides guid-
ance in planning and implementing CSR-related internal audit
strategies and programs.
Although the CSR practice guide does not specifically discuss IT,
IT provides many opportunities for organizations to reduce their
environmental impact, which is a critical component of CSR.
Organizations are becoming increasingly interested in green IT.
According to Murugesan (2008), green IT is:
…the study and practice of designing, manufac-

turing, using, and disposing of computers, servers, and
associated subsystems — such as monitors, printers,
storage devices, and networking and communications
systems — efficiently and effectively with minimal or
no impact on the environment. Green IT also strives to
achieve economic viability and improved system perfor-
mance and use, while abiding by our social and ethical
responsibilities. Thus, green IT includes the dimen-
sions of environmental sustainability, the economics of
energy efficiency, and the total cost of ownership, which
includes the cost of disposal and recycling. [emphasis
added]
Green IT is a good idea from an economic perspective as well

as being socially responsible. According to a 2009 white paper
5
published by T-Systems, in the aggregate, IT causes the same

release of CO2 as nearly 320 million automobiles. Every orga-
nization wastes energy and money by not optimizing their IT
use. Landfills are filling up rapidly with the disposal of tons of
discarded IT equipment. Even small changes in IT practices can
make a difference. Leaving one copy machine “on” overnight uses
as much energy as copying 1,500 pages.
This report does not debate the degree to which human activities
impact the global climate. Although the specific metrics and key
performance indicators (KPIs) can vary for different organiza-
tions, as the above definition indicates, green IT is synonymous
with efficient IT, which in turn means lowering costs (e.g., elec-
trical, water, and waste), increasing return on investment (ROI),
decreasing demand for natural resources, and decreasing various
forms of pollution. The key point is that management should
want assurance that the green IT KPIs being reported to them are
accurate, complete, and timely — and this could be the internal
auditors’ responsibility.
Some non-IT green projects, such as retrofitting the electrical

or cooling systems in existing buildings, can require significant
front-end investments that may take years, if ever, to provide an
economic return. However, green IT projects have the potential for
both quick and relatively high ROIs. There are several reasons why
this potential is easily achievable. One primary reason is the short
lifecycle of IT equipment, which usually has a refresh rate of three
to five years. So, unlike retrofitting a 30-year-old building, new
IT equipment will be purchased every three to five years whether
environmental impact is part of the motivation or not. Because of
competitive pressures on IT manufacturers, each new generation
of technology is greener (e.g., more energy efficient) than the prior
generation. When replacing equipment, organizations can choose
from a mix of four broad approaches.
6
Introduction
Approach 1: Replace boxes with newer boxes. If an organization simply

does box-for-box replacements (e.g., replacing desktop PCs with
an equal number of new desktop PCs), energy savings will be real-
ized automatically. According to the U.S. Environmental Protection
Agency (EPA) (2007), current technologies and design strategies
could reduce the energy use of a typical server by 25 percent or more.
Approach 2: Replace boxes with smaller boxes. By replacing tradi-

tional desktop PCs with thin clients or laptops, the organizations
will experience an even more substantial drop in energy use.
Approach 3: Replace boxes with fewer boxes. By implementing virtual-

ization software and thereby increasing the use of IT equipment, the
organization can reduce the total number of computers purchased,
resulting in an even greater decrease in energy use. According to the
EPA, implementing best energy-management practices in existing data
centers and consolidating applications from many servers to one server
could reduce current data center energy usage by around 20 percent.
Approach 4: Eliminate boxes. Organizations could shut down

some of their servers and move relevant applications to a cloud
computing environment. At first, it may appear that an organi-
zation moving to cloud computing is replacing some computers
at its location with computers at a vendor’s location, but cloud
computing providers have the potential to achieve economies of
scale (by increasing usage rates); and they can locate their data
centers closer to alternative (non-fossil) energy sources, plentiful
(cheaper) water, and less sensitive environments. As an extreme
example, Google has more than 200,000 servers, which collec-
tively use as much electricity as a small city and generate a huge
amount of heat that requires expensive air conditioning and water
usage for cooling. In a search to reduce IT-related costs, a March
9, 2009, Wall Street Journal article, “Where Clouds Displace
Forests,” describes how Google, Facebook, Amazon, and others
have built (or are building) mammoth data centers in Oregon and
Washington to be close to cheap electricity and water plus “…low
humidity and cool nights.”
7
Note that this report is not promoting any green IT alternatives

as one-size-fits-all solutions in the above examples. What works
for one organization may be completely inappropriate for another.
The primary point of this report is that selecting the best green IT
solutions — and prioritizing those solutions — for an organiza-
tion requires careful analysis of all the lifecycle costs (front-end
and ongoing), benefits, and risks before selecting the appropriate
solutions.
The remainder of this report has three major sections. The first
section provides a broad overview of green IT. A key point of that
overview is that green IT requires a cradle-to-grave perspective
to minimize the environmental impact of IT. The second section
summarizes a survey of The IIA membership regarding what orga-
nizations and internal auditors are currently doing and what they
should (could) be doing in the future. The final section provides
concluding comments and suggestions for internal auditors to
become more involved in value-added green IT activities.
8
THE GREEN IT DOMAIN
The green IT domain is almost boundless. Exploring green IT

takes a cradle-to-grave lifecycle perspective. As Figure 1 illus-
trates, green IT covers many elements in the IT value chain. The
narrowest focus is captured in the center of Figure 1, namely, IT
acquisition and deployment. However, as the following section
discusses, green IT includes many more elements.
Figure 1
Green IT Domain and Value Chain
9
IT Acquisition and Deployment

Some examples of IT acquisition and deployment can be the low-
hanging fruit of green IT, such as having a policy of acquiring only
ENERGY STAR rated equipment. Just replacing older IT equip-
ment with new equipment will generally result in an automatic
decrease in energy use. However, organizations should consider
even more efficient alternatives, such as replacing desktop PCs with
thin clients or laptops, replacing servers with rack-mounted blade
servers, and/or moving some applications to cloud computing.
According to a frequently quoted EPA study (EPA 2007), just

the servers and data centers in the United States are estimated to
have consumed about 61 billion kilowatt hours (kWh) in 2006 (1.5
percent of total U.S. electricity consumption) for a total electricity
cost of about $4.5 billion — which is similar to the amount of
electricity consumed by approximately 5.8 million average house-
holds. This consumption doubled from 2000 to 2006 and could
nearly double again by 2011 to more than 100 billion kWh ($7.4
billion annually). About 50 percent of that consumption is power
and cooling infrastructure that supports the IT equipment in the
data centers. The peak load from these servers and data centers
was estimated to be approximately seven gigawatts (GW) in 2006,
equivalent to the output of about 15 typical power plants. If this
trend continues, this demand would rise to 12 GW by 2011, which
would require an additional 10 power plants to be built in the
United States to accommodate the increase.
To develop a better understanding of energy-efficiency opportuni-

ties that would accelerate adoption of energy-efficient technologies
beyond current trends, the EPA’s 2007 report explored three
energy-efficiency scenarios:3
3
Although the 155-page EPA report focuses on servers and data
centers, their observations and recommendations can be applied to
other IT uses.
10
The Green IT Domain
• The “improved operation” scenario includes energy-efficiency

improvements beyond current trends that are essentially
operational in nature and require little or no capital investment.
This scenario represents the “low-hanging fruit” that can be
harvested simply by operating the existing capital stock more
efficiently.
• The “best practice” scenario represents the efficiency gains that

can be obtained through the more widespread adoption of the
practices and technologies used in the most energy-efficient
facilities in operation today.
• The “state-of-the-art” scenario identifies the maximum

energy-efficiency savings that could be achieved using available
technologies. This scenario assumes that servers and data
centers in the United States will be operated at maximum
possible energy efficiency using only the most efficient
technologies and best management practices available today.
Details of the key energy-efficiency assumptions used in the EPA’s

analysis are shown in Table 1. These assumptions represent only a
subset of the energy-efficiency strategies that could be employed
in practice; it is not a comprehensive list of all energy-efficiency
opportunities available for data centers.
11
Table 1
Summary of Assumptions for Analysis of
Alternative Efficiency Scenarios
Data Center Subsystem
Site Infrastructure
Scenario IT Equipment
(Power and Cooling)
• Continue current trends 30% improvement in
for server consolidation. infrastructure energy
efficiency from improved
• Eliminate unused
airflow management.
servers (e.g., legacy
applications).
• Adopt “energy-efficient”
Improved servers to modest level.
Operation
• Enable power
management on 100%
of applicable servers.
• Assume modest
decline in energy use
of enterprise storage
equipment.
All measures in “improved Up to 70% improvement
operation” scenario, plus: in infrastructure energy
efficiency from all
• Consolidate servers to
measures in “improved
moderate extent.
operation” scenario, plus:
• Aggressively adopt
• Improved
Best “energy-efficient”
transformers and
Practice servers.
uninterruptible power
• Assume moderate supplies.
storage consolidation.
• Improved efficiency
chillers, fans, and
pumps.
• Free cooling.
12
The Green IT Domain
Table 1
Summary of Assumptions for Analysis of
Alternative Efficiency Scenarios (Continued)
Data Center Subsystem
Site Infrastructure
Scenario IT Equipment
(Power and Cooling)
All measures in “best Up to 80% improvement
practice” scenario, plus: in infrastructure energy
efficiency, due to all
• Aggressively
measures in “best
consolidate servers.
practice” scenario, plus:
• Aggressively
• Direct liquid cooling.
State of consolidate storage.
the Art • Combined heat and
• Enable power
power.
management at
data center level of
applications, servers,
and equipment for
networking and
storage.
Source: EPA (2007)
13
Electrical and Cooling Management

In an IDC white paper, Scaramella and Eastwood (2007) estimated
that by 2012, for each dollar spent to acquire a computer another
dollar will be spent on electrical power and cooling. Considering
the current increases in energy costs, their estimates may now be
understated. Or, as another comparison, according to a white
paper by Force 10 Networks, each watt used by IT equipment
requires an additional 1.4 to 2.0 watts to remove the heat generated
by the equipment. As such, electrical and cooling management are
an integral part of even basic green IT activities. In fact, in many
cases, electrical and cooling management can drive IT acquisition
and deployment decisions by selecting equipment that uses less
power.
For many organizations, the total number of IT devices employed

grew incrementally over several years. Initially, the server rooms
were just regular office spaces where servers were placed and, over
time, more and more servers and peripheral equipment were added
as IT demands grew. Generally, this server room was cooled by the
building’s regular cooling system. Then, as the number of servers
and other devices increased, a booster or isolated cooling system
was added. However, these regular or isolated cooling systems
usually cooled all the air in the room, which is very inefficient
because the IT devices heated the air in the room and then the air
was circulated through the cooling system to keep all of the air in
the room at a desired temperature. A green alternative is to use
rack-mounted servers, enclose the rack, and put a fan at one end
to blow all the hot air out one vent at the other end. At minimum,
that hot air could be vented directly outside, making little or no
demands on the building’s cooling system.
For larger organizations, managing electrical and cooling costs

can include major organizational changes. For example, Google
opened a data center in the Midwest so it can use wind-generated
electricity and reduce its use of fossil fuel-generated electricity.
14
The Green IT Domain
As mentioned in the Introduction, Google, Facebook, Amazon,

and others have built (or are building) mammoth data centers in
Oregon and Washington to be near cheap electricity and water.
No matter what actions are taken, even the most efficient IT equip-
ment is going to generate heat. Some organizations have found
creative ways to use this heat instead of just dissipating it into the
air or water. For example, Intel recycles the excess heat from a data
center to heat offices and provide warm water for cafeterias.4 A
Swedish company uses the heat to warm a community swimming
pool.
Moving to the Cloud

A growing trend, which relates to both IT deployment and infra-
structure design, is moving data and applications to third-party
servers interconnected via the Internet. This service is generally
referred to as cloud computing, which reflects the ubiquitous and
nebulous aspects of the Internet.5 The servers could be located
literately anywhere in the world and can be accessed from anywhere
in the world. Conceptually, cloud computing is like an electrical
utility and the underlying electrical grid. An organization pays for
the level of service it needs and those costs will increase as the
organization grows and makes more demands on the cloud. The
core assumption is that the service provider will keep expanding
its resources so that any additional demands by its customers will
be met.
4
A podcast describing this heat recycling is available at http://www.
podtech.net/home/5053/data-centers-recycle-excess-heat.
For an overview of cloud computing, see http://en.wikipedia.org/wiki/

5
Cloud_computing.
15
Since a third party will have the organization’s data, a whole new
set of risks will have to be assessed. For example, an organiza-
tion could discover it is sharing the same servers and databases
with a competitor. Even though the competitors are on different
virtual machines, knowing that they are sharing the same physical
machines could/would make management uncomfortable. Some
managers may even be uncomfortable with a competitor using the
same cloud computer vendor whether their data resides on the same
physical servers or not. Issues regarding stipulating and testing of
internal controls can be particularly challenging, depending on the
applicability of Sarbanes-Oxley (mainly Sections 302 and 404),
Payment Card Industry (PCI), Health Insurance Portability and
Accountability Act of 1996 (HIPAA), Basel Accords, as well as
the privacy and breach-notice laws that have been enacted by many
states.6
Generally, cloud computing is divided into three layers, each of

which may have its own risk and control issues. The Software as
a Service (SaaS) layer is the application layer with its relevant
application control issues. For example, how strong are the access
controls? If the cloud can be accessed from literately anywhere in
the world, access controls are paramount. Does the service provider
have super users who can access any server at any time? The next
layer is the Platform as a Service (PaaS), which is essentially the
data layer. An important control here would be encrypting the
data so even if a provider’s super user or unauthorized outsiders
hackers) access the data, they cannot really do anything with it.
The third layer is the Integration as a Service (IaaS), which is about
managing the virtual machines.7
See the list of state breach notification laws at http://www.ncsl.org/

6
Default.aspx?TabId=13489.
7
One source of information regarding cloud security are available from
the Cloud Security Alliance at http://www.cloudsecurityalliance.org/
Their Top Threats to Cloud Computing is available at: http://www.cloud-
securityalliance.org/topthreats/csathreats.v1.0.pdf.
16
The Green IT Domain
The service-level agreement (SLA) must address the above ques-

tions/issues as well as other issues, such as the provider’s disaster
recovery and continuity plans. Then someone, such as internal
auditors, must provide assurance that the vendor is in compliance
with the SLA.
Paperless Workflow
In the aggregate, paper has a major impact on the environment.
Nearly 4 billion trees are used annually for paper production, which
is about 35 percent of all trees harvested.8 Many of those trees, at
least in the United States, do come from tree farms. According
to Technical Association for the Worldwide Pulp, Paper and
Converting Industry (TAPPI), 2.5 billion trees are planted each
year in the United States.9 However, Velte et al. (2008) indicates
that deforestation has released 120 billion tons of carbon dioxide
(CO2) into the atmosphere. In addition, the EPA reports that each
year millions of pounds of toxic chemicals such as toluene, meth-
anol, chlorine dioxide, hydrochloric acid, and formaldehyde are
released into the air and waterways from papermaking plants.10
Transporting cut trees, manufacturing paper, and transporting

paper products use tremendous amounts of various forms of
energy and generate carbon monoxide (CO). Organizations
dedicate significant cubic feet of space (e.g., storage shelves, file
cabinets, desk drawers, boxes in storage rooms and off-site storage,
etc.) to store all their paper materials. Compounding the demand
for storage are the many duplicate copies of paper documents that
exist in organizations. To these costs, organizations can also add
8
http://ecology.com/features/paperchase/.
9
http://www.tappi.org/paperu/all_about_paper/faq.htm.
10
http://www.epa.gov/tri/.
17
expenses for postage, ink and laser cartridges, energy to power

printers, and so on. Finally, paper not being saved and stored must
be disposed of and may be sent to a landfill or recycling center,
which requires transportation and processing.
As such, all workflows should be reviewed to identify opportuni-

ties to eliminate or reduce paper usage. The opportunities should
be transformed into policies, which in turn can be monitored
periodically by internal auditing.11 In broad terms, those policies
could include:
• Record retention rules.
• Document copying and distribution.
• Electronic billing and statements (both to customers and from

vendors).
• Email instead of regular mail and faxes.
• Paper recycling.
Telecommuting
A significant CSR contribution of IT can be supporting telecom-
muting. With modern computers and the ubiquitous reach of the
Internet, there is no technological reason for not implementing tele-
commuting. Besides the obvious savings associated with reduced
transportation costs, telecommuting reduces required parking
and office space (and associated lighting, cooling, and heating).
Obviously, not every job is a candidate for telecommuting. On the
other hand, telecommuting is not an all-or-nothing proposition.
While some employees could work away from the office nearly
11
Chapter 6 of Green IT provides a broad overview of going paperless.
18
The Green IT Domain
100 percent of the time because of their job responsibilities, other

employees may be able to telecommute for some parts of their
work week. At IBM, the internal auditors responsible for auditing
travel and entertainment expenses work essentially 100 percent of
the time from their homes (Gray 2004).
E-commerce
E-commerce and e-procurement can greatly reduce trips to stores
both on the buying and selling side. As discussed before, reducing
vehicle transportation has an immediate and significant impact of
reducing fossil fuel and other energy uses and pollution.
Software Design and Deduplication

How software applications use IT hardware can have a major
impact on the amount of hardware needed to support the appli-
cations and the level of use of that hardware. For example, many
applications have processes that access storage devices to search
and retrieve data. At the extreme, there are data mining appli-
cations designed to conduct complex, multi-attribute searches
through extremely large data warehouses. No matter the degree
of search activities (moderate-size applications through major
data mining applications), inefficient searches are very demanding
on central processing units (CPUs) and data storage devices. As
such, a part of green IT consideration must be given to tuning data
searches to improve their efficiency. While extreme, Lamb (2009)
mentions an example where a data search algorithm was changed
to reduce searches from eight hours to eight minutes.
With the highly decentralized IT environment that exists in most

organization, files are frequently propagated and duplicated. For
example, if a person sends out an email with a 1MB attachment to
100 employees, the server and/or client computers will be storing
100MB in the aggregate because the 1MB attachment will be stored
19
in each recipient’s email folder. Then, if email folders are backed

up each day, after 10 days, that original 1MB attachment is now
occupying 1GB (10 days x 1MB x 100 employees) of storage space.
Federal evidence laws mandate how long organizations must

archive emails, which adds to the multiplicative aspects of file
storage requirements. This growing demand for storage means
purchasing more storage devices and using more energy. In addi-
tion, these big files require more CPU resources to search and
retrieve data.
As a short-term deduplication solution, organizations can

encourage employees to post attachments to the organization’s
intranet and then include a link in the emails to the referenced
attachments. For the longer term, the email software could be
modified to include pointers to the attachment instead of including
the actual attachment with each email.
Manufacturing
Moving upstream in the IT value chain, the manufacture, ware-
housing, and distribution of IT-related equipment have a very
large carbon footprint. For example, Apple estimated that in 2009,
it was responsible for 9.6 million metric tons of greenhouse gas,
which breaks down as follows:12
• 45 percent from manufacturing.
• 5 percent from transportation.
• 3 percent for Apple facilities.
The summary material regarding Apple’s environmental activities are

12
extracted from http://www.apple.com/environment/.
20
The Green IT Domain
• 1 percent from recycling
• 46 percent from consumers’ use of Apple products
Like most companies in the IT supply chain, Apple has an ongoing

program to reduce its carbon footprint and has reduced the mate-
rials used in its products. For example, the current 21.5-inch iMac
is designed with 50 percent less material and generates 35 percent
fewer carbon emissions than the first-generation, 15-inch iMac.
The packaging for the MacBook is 53 percent smaller than for the
first-generation MacBook, which means 80 percent more MacBook
boxes fit on each shipping pallet. Apple claims that this reduced
packaging saves one 747 flight for every 23,760 units it ships.
Disposal and Recycling

On one hand, it is good news that IT is on a three- to five-year
refresh cycle because that means that organizations are constantly
deploying the latest technologies with decreasing energy demands.
On the other hand, that refresh cycle generates a huge amount of
trash. Besides the sheer volume (both in quantity and in cubic feet)
of IT equipment that must be disposed of, IT equipment includes
toxic materials that can be released into the atmosphere or leached
into the soil and water supply.
Because the components were so valuable in secondary markets,

traditional mainframe computers were historically stripped of
parts instead of being completely discarded. Starting in the early
1980s, as desktop computers were growing in popularity, discarded
equipment ended up entirely in landfills. Municipalities soon real-
ized that landfills were filling up faster than projected and passed
laws that restricted the dumping of IT equipment. Organizations
have incorporated a variety of activities to reduce their volume of
discards that go to landfills. If the equipment is still functioning,
it can be distributed inside the organization to people who do not
21
need the latest technology, or it can be sent to outside (typically

not-for-profit) organizations.
Some organizations (including some not-for-profit organiza-

tions) will accept discarded equipment. They may either strip the
equipment of valuable metals (e.g., gold and platinum) and toxic
materials, or clean and upgrade the equipment and distribute it to
other organizations.
It is critical that disk drives be sanitized (“wiped”) before computers

are transferred inside the organization or sent to outside organiza-
tions. Merely deleting (e.g., using Windows’ delete function) the
data does not actually remove it; the data can be easily restored
with free or commercial un-erase software. Special wipe programs
are available to overwrite all the data on the disk drive.13 Going one
step further, there are services that can physically shred an entire
disk drive.
13
U.S. Department of Defense standards are available in the NISP
Operating Manual (also called NISPOM or DoD 5220.22-M) and
Defense Security Service’s Cleaning and Sanitization Matrix (C&SM).
The National Institute of Standards and Technology (NIST) publishes
Guidelines for Media Sanitization (Special Publication 800-88), which
includes sanitation methods.
22
SURVEY RESULTS
This section provides a summary of The IIA membership green IT

survey results and is divided into two major subsections. The first
subsection provides statistics on what organizations are doing in
terms of general (non-green IT) green activities and green IT activ-
ities. The second subsection explores what internal auditors are
currently doing and what they could or should be doing in terms of
green IT activities. A summary of the demographics of the organi-
zations, internal audit departments, and the survey participants is
included in Appendix A.
General Opinions Regarding Climate

Change and Green IT
Table 2 shows the participants’ level of agreement with six state-
ments regarding climate change and green IT. For the first four
statements, a majority (55 percent to 61 percent) “Agreed” or
“Strongly Agreed” with each statement. For all five statements,
a minority (16 percent to 20 percent) “Disagreed” or “Strongly
Disagreed” with those statements. The fact that 26 percent to
32 percent of the participants selected “Not Sure” or “Neutral”
may reflect the ongoing debates about global warming and man’s
impact on it. Climate change and the impact of humans on those
changes are still argued and I am not advocating one side or the
other, but it is important to capture the beliefs of the participants
because those beliefs provide a foundation for other opinions
stated in the survey.
23
Table 2
Opinions Regarding Green Statements
Disagree
Disagree
Not Sure
Strongly
Strongly
Average
Neutral
Rating
Agree
Agree
Statements
0 1 2 3 4 5
1. The weather/
climate is really 6% 7% 9% 20% 30% 28% 3.4
changing.
2. Human-
created carbon
emissions are 10% 9% 7% 20% 30% 25% 3.3
causing climate
changes.
3. Green IT has a
major role in
reducing our
12% 5% 8% 20% 37% 18% 3.2
organization’s
carbon
footprint.
4. Green IT is
important
8% 7% 7% 18% 39% 22% 3.4
to our
organization.
5. Green IT costs
more than
15% 2% 18% 28% 29% 8% 2.8
“business as
usual.”
6. The IT
department
uses green IT
25% 13% 32% 23% 5% 2% 1.8
to justify IT
projects too
often.
24
Survey Results
In terms of the impact of IT, 55 percent of the respondents

“Agreed” or “Strongly Agreed” that green IT has a major role in
reducing their organization’s carbon footprint. In terms of green
IT costs, the respondents were more split with 37 percent indicating
that green IT costs more than business as usual and 21 percent
indicating otherwise. Only a small fraction (7 percent) indicated
that IT overuses green IT to justify projects.
Organizational Green and Green IT Activities

Table 3 shows that 44 percent of organizations in this study have
some form of general green (sustainability) statement. For 20
percent of the organizations, their sustainability statement has
risen to the level of importance such that the statement is part of
the organization’s mission or vision statement. On the other hand,
for 25 percent of the organizations, general green activities do not
impact their decisions.
Table 3
Does Your Organization Have a General Green Statement?
Options Percent
Yes, it’s actually an integral part of our mission or vision
20%
statements.
Yes, it’s not part of our mission statement, but it’s on
our website — and employees are reminded that it’s 18%
there (e.g., via periodic emails to employees).
Yes, it’s posted to our website, but it’s not actively
6%
publicized to our employees.
There is no formal, written statement, but we do
30%
consider ecological impact in decisions.
No. 25%
Other. 1%
25
Calculating a Carbon Footprint

Table 4 indicates that 38 percent of organizations calculate their
carbon footprint, with a small group (10 percent) doing a separate
calculation for IT. Almost half (46 percent) of the organizations
do not measure their carbon footprints and have no plans to do so
in the future.
Table 4
Does Your Organization Measure Its Carbon Footprint?
Options Percent
Yes — IT is not separately calculated. 28%
Yes — IT is separately calculated. 10%
No, but we plan to do the measurement in the near
future. 14%
No, and we have no plan to do so in the near future. 46%
Other. 2%
As Figure 2 illustrates, in general, the percentage of organizations

measuring their carbon footprint increases significantly for larger
organizations. Also, the percentage of organizations that make a
separate measurement for IT increases for larger organizations.
26
Survey Results
Figure 2
Percentage of Organizations that
Measure Their Carbon Footprint
As would be expected, the number of organizations that measured

their carbon footprint also varied by industry. The IIA member-
ship database has 22 industry codes. For five industries, more than
half the organizations measure their carbon footprint. Specifically,
those industries included transportation (88 percent), utilities (76
percent), manufacturing (52 percent), aerospace and defense (50
percent), and energy/oil and gas (50 percent). At the low end were
health services (18 percent), insurance carrier/agents (14 percent),
and the nonprofit sector (14 percent).
27
General and Green IT Initiators

For those organizations with general and/or green IT initiatives,
Table 5 shows the most senior person driving each of those initia-
tives. The numbers in the table indicate that green IT does not have
the same level of status as general green activities. For 60 percent
of the organizations with general green initiatives, the senior-most
person driving those initiatives is either a board member or the
CEO, but that drops to a combined 31 percent for green IT initia-
tives. For 42 percent of the organizations with green IT initiatives,
the senior-most person driving those initiatives was the chief infor-
mation officer (CIO).
Table 5
Most Senior Person Driving General and Green IT Initiatives
General
Green IT
Options Green
Initiatives
Initiatives
Board member 24% 14%
Chief executive officer (CEO) 36% 17%
Chief financial officer (CFO) 2% 2%
Chief operating officer (COO) 10% 6%
Chief information officer (CIO) 2% 42%
Chief audit executive (CAE) 2% 1%
Business unit managers 24% 18%
28
Survey Results
Relationships of General and Green IT Activities

Table 6 shows the relationship of general and green IT activities
and Table 7 shows the expected change in the importance of green
IT over the next 12 months. At first, it may seem a little surprising
that nearly half (47 percent) of the participants reported that
green IT activities lag behind other general green activities because
many green IT activities are cherry-picking opportunities in that
it is fairly easy to realize a return on green IT investments. This
lag may reflect the findings presented in Table 5 that a significant
number of general green activities are initiated by a board member
or CEO, but green IT activities are most frequently initiated by the
CIO.
Table 6
Relationship Between Green IT Activities
and General Green Activities
Options Percent
Green IT activities parallel other general green activities. 40%
Green IT activities lead (are more advanced than) other
general green activities. 10%
Green IT activities lag behind other general green
activities. 47%
Other. 3%
On the other hand, Table 7 shows that a third (34 percent) of the
participants indicated that green IT is expected to become more
important over the next 12 months.
29
Table 7
Expected Change in Green IT Importance
Over the Next 12 Months
Options Percent
More important 34%
About the same 62%
Less important 4%
Green IT Drivers
Table 8 shows the importance of various potential green IT
drivers. The drivers are listed in order based on the driver’s rating
average. The fact that the top four drivers have similar rating aver-
ages indicates that green IT is multifaceted. As the last driver in
the table indicates, the action of competitors is a relatively minor
driver, with 28 percent of participants indicating that it was not
important.
30
Survey Results
Table 8
Importance of Various Potential Green IT Drivers
Somewhat
Important
Important
Important
Important
Average
Rating
Very
Not
Drivers
1 2 3 4
Reducing operational
5% 13% 40% 42% 3.2
costs (e.g., energy use).
Socially responsible thing
6% 15% 43% 36% 3.1
to do.
Government regulations. 8% 17% 35% 40% 3.1
Meet organization’s
12% 19% 44% 26% 2.8
overall green initiatives.
Actions of competitors. 28% 29% 30% 13% 2.3
Monitoring IT Energy Use and Setting Goals

Table 9 and Table 10 indicate how closely organizations monitor
IT energy use and whether they set measurable green IT goals (e.g.,
reduce electrical usage by 25 percent over the next three years).
31
Table 9 Table 10
Does Your Organization Does Your Organization
Monitor IT-related Have Measurable
Energy Spending? Green IT Goals?
Options Percent Options Percent

Yes — measurable
Yes. 36% 15%
green IT goals.
We have broad
No, but we plan to green IT goals,
14% 27%
in the near future. but not specific
numbers.
No. 50% No. 56%
Green IT Activities that Organizations Practice

Table 11 and Table 12 explore the implementation of potential
green IT activities. Table 11 quantifies the degree of distribution
or implementation of four green IT activities, which are listed in
order of their rating average. By far the most popular activity has
been replacing cathode ray tube (CRT) monitors with flat-panel
displays. This is an example of picking low-hanging fruit when
it comes to green IT activities. Compared to a flat-panel display,
a CRT monitor uses more electricity; generates more heat; has
higher disposal costs due to its bulky size, poisonous gas in the
CRT tube, and toxic metals in the onboard circuitry; and, because
of its weight, requires more energy to ship along the supply chain.
32
Survey Results
Table 11
Considering All the Computers in Your Organization
Essentially 100%
Rating Average
26% to 50%
51% to 75%
76% to 99%
1% to 25%
None
Activities
1 2 3 4 5 6
What percentage of
desktop computers
is connected to
flat-panel displays 2% 7% 5% 13% 29% 43% 4.9
(as opposed to
traditional CRT
monitors)?
What percentage
of employees who
have an organization-
5% 37% 22% 17% 13% 7% 3.1
provided computer
have just a laptop
computer?
What percentage
of data processing
takes place in an
28% 37% 16% 9% 7% 3% 2.4
Internet-based
“cloud computing”
environment?
What percentage of
desktop computers is
38% 41% 8% 6% 4% 3% 2.0
“thin clients” (no hard
drive)?
33
Table 12 lists 12 potential green IT activities in order of popu-

larity. Two of the more popular activities (automatically switching
to sleep mode and turning off equipment at night) are almost zero-
cost activities in terms of implementation. It is interesting that the
second and third activities in the table deal with the end-of-life
part of the lifecycle. This probably reflects common regulatory
restrictions on disposing of electronic equipment in landfills.
Table 12
Potential Green IT Activities
No and Don’t Expect

That to Change
No, But Plan to
in the Future
Sometimes
Activities
Yes
Configure desktops to automatically

65% 18% 5% 13%
enter sleep mode when inactive.
Use recycling service to dispose of
62% 22% 6% 10%
obsolete IT equipment.
Participated in product take-back/
53% 24% 8% 15%
recycling programs from vendors.
Educate users to turn off IT
49% 23% 6% 22%
equipment at night.
Reduce server power consumption. 48% 25% 9% 18%
Use virtualization software to reduce
47% 23% 9% 21%
the number of servers.
Reduce desktop computer power
38% 25% 11% 26%
consumption.
Install more efficient data center
33% 22% 15% 30%
power supplies.
34
Survey Results
Table 12
Potential Green IT Activities (Continued)
No and Don’t Expect

That to Change
No, But Plan to
in the Future
Sometimes
Activities
Yes
Modified data center cooling
29% 17% 12% 41%
infrastructure to improve efficiency.
Use cloud computing to reduce the
22% 25% 21% 33%
number of servers.
Build a new data center that is
18% 8% 14% 61%
energy efficient.
Moved a data center to another city/
state to reduce energy costs and/or 11% 7% 6% 76%
environmental impact.
Vendor Green Requirements and Audits

Ultimately, organizations rely extensively on vendors to meet their
green IT goals. In addition to buying energy-efficient computers
and infrastructure hardware from vendors, a number of organiza-
tions have also outsourced some of their IT activities to vendors
(e.g., the use of cloud computing) to help achieve green objectives.
As discussed in the Introduction, outsourcing is not a zero-sum
game — organizations are not just moving energy use from one
location (the organization) to another (the vendor). For example,
because of economies of scale and learning curve effects, cloud-
commuting vendors could be more efficient in the aggregate than
the organizations that outsource to them. Plus, these outsourcing
vendors could establish their operations at locations where those
operations could have a lesser impact on the environment.
35
With all that said, it raises the question: How do organizations

know whether the vendors are achieving the performance terms
of their contracts and service-level agreements (SLAs)? The
survey asked a series of questions to explore that question. As
Table 13 shows, 40 percent of organizations at least sometimes
include green requirements in contracts and purchase agreements
with IT vendors. For those respondents who answered “Yes” or
“Sometimes” to the question summarized in Table 13, they were
then asked whether those contracts or agreements included audit
provisions. The responses to that question are shown in Table 14.
Table 13 Table 14
Green IT Requirements Audit Provisions in Green
for Vendors IT Vendor Requirements

Yes. 13% Yes 24%
Sometimes. 27% Sometimes 36%
No. 59% No. 39%
For those who answered “Yes” or “Sometimes” to that question,

they were then asked how many times those audits have actually
been performed. Of those organizations that do include an audit
requirement (see Table 15), 30 percent have not performed any
vendor audits. For those organizations that have performed audits
(see Table 16), internal auditing has participated in 77 percent of
those vendor audits — in some cases, as part of a team with people
from outside of internal auditing.
In response to a final question in this section, less than half (44

percent) of the respondents who came from organizations that
perform these audits have conducted them personally.
36
Survey Results
Table 15
Table 16
How Many Times
Who Conducted These
Have These Audits
Vendor Audits?
Been Performed?

0 30% Internal auditing. 77%
Someone from the
1 to 5 57% 20%
IT department.
External auditor/
6 to 10 2% consultant from an 20%
accounting firm.
External person not
11 to 20 4% from an accounting 17%
firm.
(More than one response
More than 20 6%
allowed.)
Internal Audit Opportunities on the

IT Vendor Side of the SLA
The survey questions related to vendor auditing were from the
buyer’s perspective. Of course, in any contract or SLA there are
two parties — the seller (the vendor) and the buyer. If the buyer’s
purchase order specifies green requirements and, in particular, if
the buyer requires the right to audit whether the vendor has met
those requirements, then these requirements impose a risk on the
vendor. The level of that risk depends on the size of the contract
and the penalties for not meeting the requirements of the contract.
For example, the risk could be very significant if the contract
allows the buyer to cancel the remaining contract and impose a
penalty that requires the vendor to repay any monies already paid
on the canceled contract.
37
These risks provide opportunities for the vendor’s internal auditors.

First, the auditors could provide assurance that the appropriate
contract risk assessment process is in place and being used. Second,
the internal auditors could provide assurance that the terms of the
contract are being complied with before the buyers do their own
compliance audits.
Can and Should Internal Auditors

Become More Involved in Green IT?
This final subsection of the survey results explores the overarching
questions of this study: (1) what types of green IT activities are
internal auditors (or their departments) currently involved in? and
(2) what types of green IT activities should internal auditors be
involved in? Answering the second question involves considerations
of both the auditors’ skills and maintaining their independence
and objectivity.
Current Involvement of Internal

Auditors in Green IT Activities
Two multipart questions were asked to explore what auditors are

doing or could be doing. A summary of the responses to these
questions is shown in Table 17 and Table 18. An interesting aspect
of Table 17 is that 21 percent to 23 percent of the respondents
selected “Not Sure” as to whether their own internal audit depart-
ment had the skills to conduct the particular green IT task in the
question. This is a potential problem if CAEs decide that they
want to actively expand into more green IT activities. It will be
important that the internal auditors know the green IT skill set
of the internal audit function so that they will be able to identify
potential green IT opportunities when they encounter them while
conducting other internal audit activities.
38
Survey Results
The next question takes a slightly different perspective. Whereas

the first question dealt with board activities (designing, moni-
toring, etc.), the next question focused more on green IT areas or
domains (equipment, infrastructure, etc.). Table 18 summarizes
the results. Again, about 21 percent to 25 percent of the respon-
dents are not sure if their internal audit department has the skills
to address those areas.
Table 17
What Green IT Activities Could You Or
Your Internal Audit Department Do?
Done This, But They Have
Help, But Not Do It Alone

I’ve Personally Done This
My Department Hasn’t
My Department Could
the Skills to Do This
Department Skills
I Haven’t, But My
Department Has
Couldn’t Do This
With Current
Done This
Not Sure
Options
Design/develop
specifications for 3% 5% 14% 28% 27% 23%
green IT activities.
Design/develop
controls to monitor
green IT activities to
3% 4% 25% 26% 19% 23%
ensure compliance
with green IT
specifications.
Monitor controls
to determine
whether green IT 4% 6% 36% 23% 11% 21%
specifications are
being complied with.
39
Table 17
What Green IT Activities Could You Or
Your Internal Audit Department Do? (Continued)
Department Has Done This
Current Department Skills

Done This, But They Have

I’ve Personally Done This
My Department Hasn’t
My Department Could
Couldn’t Do This With

the Skills to Do This
I Haven’t, But My
Not Sure
Options
Provide assurance
that the green IT
monitoring controls
are being used 4% 5% 35% 21% 13% 23%
properly by others
(outside of internal
auditing).
40
Survey Results
Table 18
What Green IT Areas Have You Or Your
Department Been Involved In?
I Haven’t, But My Department
My Department Hasn’t Been
Current Department Skills

Involved, But They Have
My Department Could
Couldn’t Do This With

the Skills in This Area
Involved in This Area
I’ve Personally Been
Has Been Involved
Not Sure
Options
Purchasing
computers
8% 10% 17% 24% 20% 21%
and related
equipment.
Designing data
center energy
2% 3% 8% 17% 44% 25%
and cooling
infrastructure.
Developing
equipment
disposal and 5% 6% 19% 31% 18% 21%
recycling policy
and procedures.
Complying with
green IT laws
and regulations 6% 4% 24% 29% 13% 24%
from government
agencies.
41
Figure 3 shows the results of a closer analysis of the “Not Sure”

responses in Table 17. Fortunately, as would be expected, CAEs
have a better sense of the aggregate skill sets of their departments.
The “Not Sure” responses by audit staff members were about
three times higher than the responses of the CAEs. With that said,
reducing this knowledge gap will be an important task for those
CAEs who want to be more proactively involved in their organiza-
tions’ green IT activities.
Figure 3
“Not Sure” Responses Sorted By Job Position
42
Survey Results
Green IT Activities that Internal

Auditors Should be Involved In
Next, the question that was summarized in Table 17 was restated

to ask what green IT activities should internal auditors be involved
in (assuming they have the skill), but still comply with The IIA’s
International Standards for the Professional Practice of Internal
Auditing (Standards) regarding independence and objectivity.
Table 19 summarizes the responses sorted by the rating average.
Not surprisingly, the two items with the highest average rating
were “Provide assurance that the green IT monitoring controls…”
and “Monitor controls…” Providing assurance and monitoring
controls are traditional services provided by internal auditors. In
term of what auditors should not do, 54 percent of the respondents
indicated that auditors should “Definitely Not” or “Probably Not”
design or develop specifications for green IT activities. Designing
and developing specifications would definitely challenge indepen-
dence and objectivity standards. That challenge does not mean
that internal auditors can never be involved in designing and
developing specifications. The key consideration is to not put the
individual auditors in the position of auditing their own activi-
ties, which would threaten their independence and objectivity. For
larger internal audit departments, in particular, they could estab-
lish a separate team for involvement in designing and developing
activities.
43
Table 19
In General, Should Internal Auditors Be
Involved in These Green IT Areas?
Maybe — It Depends
On Other Factors
Rating Average
Probably Okay
Definitely Not
Definitely Yes
Probably Not
Not Sure
Answers
1 2 3 4 5 0
Provide assurance
that the green IT
monitoring controls
are being used 2% 4% 8% 24% 54% 8% 4.0
properly by others
(outside of internal
auditing).
Monitor controls
to determine
whether green IT 4% 6% 11% 27% 44% 8% 3.8
specifications are
being complied with.
Design/develop
controls to monitor
green IT activities to
22% 17% 19% 20% 14% 8% 2.6
ensure compliance
with green IT
specifications.
Design/develop
specifications for 29% 25% 19% 14% 5% 8% 2.2
green IT activities.
44
CONCLUDING COMMENTS
In their second annual sustainability survey, the MIT Sloan

Management Review divides organizations into two groups:
embracers (who take a high-level, strategic view of sustainability)
and cautious adopters (who mostly focus on energy savings, mate-
rial efficiency, and risk mitigation).14 In the membership survey,
20 percent of the responding organizations could be considered
embracers (see Table 3). However, when it comes to green IT, it
does not make a difference if your organization is an embracer
or a cautious adopter. As Cascone et al. said about sustain-
ability in general in the December 2010 issue of Internal Auditor,
“Regardless of the organization’s stance, sustainability’s impact on
the current business landscape — and, by extension, internal audit
functions — is undeniable.” Green IT provides many opportunities
for organizations as part of their CSR and sustainable develop-
ment activities. Those green IT opportunities also have associated
risks for organizations, which in turn provide new, value-added
opportunities and new risks for internal auditors.
When implementing green IT initiatives, there are many possible

alternative approaches. The applicable metrics to analyze are not
numbers that only computer scientists understand (e.g., megaflops
per second). Instead, the basic KPIs consist of familiar terms,
including costs, benefits, ROI, electrical use measured in kilowatts,
heat measured in BTUs, water flow measured in gallons (or cubic
feet) per minute, the percentage of that water that is recycled,
and tons of material recycled or reused, which easily fall into the
internal auditor’s traditional skill portfolio. Internal auditors do
not necessarily have to do the actual analysis, but they can “audit”
The survey report, Sustainability: The ‘Embracers’ Seize Advantage,

14
can be downloaded for free at: http://sloanreview.mit.edu/special-report/

sustainability-advantage-executive-summary/.
45
the analysis and provide assurance to management that the appli-

cable metrics and risks have been included.
The Big Four and other accounting and consulting firms are
aggressively selling green IT consulting, assessment, compliance,
and assurance services to organizations.15 Many of these green
IT services seem like a natural fit for internal auditors to offer.
Internal auditors are the ultimate organization insiders and have a
unique organizational perspective. In large organizations in partic-
ular, besides financial auditing, the internal auditors are already
heavily involved in operational and IT-related activities.
Using the approaches to evaluating CSR in The IIA’s CSR Practice

Guide, Evaluating Corporate Social Responsibility/Sustainable
Development, as a framework, the following provides a broad
outline of potential green IT activities for internal auditors.
Auditing Metrics
1. Audit green IT financial and nonfinancial metrics

related to KPI provided by business units. This could be
conducted by incorporating traditional audit techniques,
such as analytical procedures, tests of details, and tests of
operating effectiveness of related controls. The measure-
ments could be over time (e.g., quarterly, annually, etc.) or
project based. An example of the project based would be a
post-implementation review of the redesigned datacenter
to determine whether the green IT goals that were used to
rationalize the project have actually been achieved. Some
metrics could include electricity/energy used, weight of
materials used/recycled/reused, etc.
According to the article at http://www.greenbiz.com/print/41358

15
the most prominent players in the IT-for-green services market

segment are: Accenture, Atos Origin, Capgemini, Deloitte, IBM, and
PricewaterhouseCoopers.
46
Concluding Comments
Slightly modifying the list from Cascone et al. (2010),

depending on the size and type of organization, test steps
could include:
• Inquiring about the accuracy and completeness of the
data used to compile the organization’s green IT report.
• Tracing reported green IT metrics and KPIs from their
collection points to final reporting and considering the
reliability of data management processes and internal
controls around such data.
• Conducting site visits and performing onsite reviews
and inquiries.
• Using statistical sampling and conducting tests of
details to draw conclusions regarding the completeness
and accuracy of the entire population based on the
sample tested.
• Inquiring about the nature of significant judgments and
estimates made by management and any uncertainties
regarding measurements.
• Reviewing the appropriateness of any assumptions
used in the calculation process.
2. Compare the organization’s green IT metrics to industry

benchmarks.
3. For IT vendors, audit general green IT metrics included

in public disclosures, websites, sales brochures, and speci-
fication sheets. Audit specific green IT metrics included
in customer contracts and SLAs — particularly in those
situations where the contract gives customers the right to
conduct their own audit.
4. For IT consumer, audit IT vendor to determine whether

the vendor’s green IT metrics comply with the metrics
stated in the contract and SLA.
47
5. Audit green IT metrics/reports submitted to regulators

and government agencies under mandatory and voluntary
reporting requirements.
Auditing Controls
1. Audit the process and controls related to implementing

the organization’s green IT goals and procedures. For
example, if the organization requires that IT equipment
meet ENERGY STAR specifications, what processes and
controls are in place to ensure that requirement is met?
2. Audit the internal controls over risk management,

recording, measuring, and reporting of green IT activities
within each department or function that is covered in the
audit plan.
3. Audit the process and controls related to identifying

regulations and compliance with those regulations.
Identifying and complying with laws and regulations can
be particularly challenging for multistate and multicountry
organizations. For example, in the United States, different
states can have their own regulations that are evolving over
time. In Europe, there are European Union (EU) regu-
lations, but countries within the EU can have their own
regulations as well as variations on the EU regulations. So,
the organization must have processes and controls in place
to identify regulations that apply to them, changes to those
regulations, and the organization’s compliance to all of the
applicable regulations.
Facilitating and Consulting
1. Facilitate a management self-assessment of green IT risks

and controls.
48
Concluding Comments
2. Consult on project design and implementation for green

IT programs and reports or serve as an adviser on green IT
governance, risk management, and internal controls.
Regarding audit activities, paraphrasing The IIA’s CSR Practice

Guide, the CAE should ensure that the elements of the Formulating
and Expressing Internal Audit Opinions Practice Guide have been
reviewed before issuing an opinion about an organization’s specific
green IT activity. Caution should be taken to manage liability
associated with the opinion if it is published.
Where to Go From Here?

Considering the low involvement in green IT activities by internal
audit departments reported in Table 17 and Table 18, there are
significant potential opportunities for internal auditors to provide
a wide variety of value-added green IT services in auditing, facili-
tating, and consulting. Depending on how deeply or broadly the
internal audit department wants to be involved in green IT (and
other CSR and sustainability activities, for that matter), it should
consider preparing a gap analysis by comparing where the depart-
ment currently is in terms of other priorities and the skill sets of
the auditors and where it wants to be in terms of green IT involve-
ment. Then it can develop an action plan to close that gap. Of
course, any green IT plan needs to stay within the department’s
charter, strategic plans, and annual risk assessment and within
applicable board policies. In addition, while being more involved
in green IT can increase the audit department’s visibility and value
to the organization, it must also consider the potential risk to its
reputation if problems arise.
49
Some of the questions and issues that the gap analysis could
include are:
1. What green IT activities is the organization currently

involved in and what are the organization’s near-term and
long-term green IT plans? (The EPA’s energy-efficiency
opportunities listed in Table 1 could provide some talking
points when meeting with management.)
2. What outside accounting and consulting firms are providing

green IT assurance and consulting services to the organiza-
tion — and what specific services are they providing?
3. What is the IT skill set of the current internal audit depart-

ment? Although there are valuable areas where internal
auditing could contribute to green IT activities without IT
skills, having IT skills will be valuable to expand internal
auditing’s roles in green IT. If the department wants to
expand its IT skills, should that be done through hiring,
rotations in from other departments, training current staff,
or some combination of these choices?
4. Is the internal audit department large enough to have a sepa-

rate group of auditors that can provide green IT consulting
services without challenging the department’s indepen-
dency and objectivity? In this situation, one group could
be providing green IT consulting and a completely different
internal audit group could provide objective audit services.
5. Develop a plan to get from the department’s current level of

green IT activities (if any) to the desired level, including elements
such as educating current internal auditors in terms of green
IT and the skill set of the department; identifying the need to
hire and/or rotate additional staff to enhance the green IT skill
set of the department; and developing a plan to increase the
awareness throughout the organization of the green IT services
that the internal audit department could provide.
50
Concluding Comments
A good place to start in exploring green IT opportunities would

be to read The IIA’s Practice Guide, Evaluating Corporate Social
Responsibility/Sustainable Development. Two other books, Green
IT and The Greening of IT, listed in the References section provide
very good overviews of the green IT domain. Internet searches will
supply more information on green IT technology and terminology
and can also help explore how accounting and consulting firms
are marketing and selling green IT services. What are the main hot
buttons and talking points? This information will all be valuable
in formulating value-added green IT services that internal auditing
can potentially provide in auditing, facilitating, and consulting.
Cascone et al. (2010) recommend that “Internal auditors may

also consider adding value to management by educating them
on the externally recognized sustainability frameworks, guide-
lines, or standards, such as the Global Reporting Initiative’s
(GRI’s) G3 Guidelines, AccountAbility’s AA1000 Standards, or
the International Organization for Standardization’s ISO 9000.”
These documents could be reviewed in light of developing green
IT services.
51
APPENDIX A:
DEMOGRAPHICS
This appendix provides more demographics on the participants in

the green IT survey.
Responding Organizations
To solicit IIA members to complete the survey, emails were sent
to those members of the North America jurisdiction who classi-
fied themselves as internal auditors (as opposed to consultants,
students, etc.). As a secondary method, requests were posted on
Facebook and in IIA newsletters.
A total of 652 people completed the survey. As would be expected

because of the email invitations, 80.2 percent of the respondents
were from the United States or Canada. The remaining nearly 20
percent were distributed over many other countries. The number
of participants from the individual countries was not adequate
to statistically analyze country differences. As Table 20 indicates,
the organizations represented in the survey covered a wide range
of sizes in terms of annual revenue. As Table 21 indicates, the
respondents also included a wide variety of industries, with the
most (14.5 percent) from the financial services/real estate industry
classifications.
53
Table 20
Annual Revenue of Responding Organizations
Annual Revenue Percent

Less than US $50 million 19.6%
US $50 million to US $100 million 7.7%
US $100 million to US $500 million 17.4%
US $500 million to US $1 billion 12.4%
US $1 billion to US $5 billion 20.3%
US $5 billion to US $10 billion 8.5%
US $10 billion or more 14.0%
54
Appendix A: Demographics
Table 21
Industries Represented
Industries Percent
Aerospace and defense 2.5%
Agriculture/forestry/fisheries 0.2%
Communication/telecommunication services 2.3%
Construction 0.9%
Consulting services 5.2%
Educational services 5.2%
Energy/oil and gas 2.6%
Financial services/real estate 14.5%
Gaming/lotteries 2.1%
Health services 4.9%
Insurance carriers/agents 5.8%
Local government 6.7%
National/federal government 5.4%
Manufacturing 7.0%
Mining 0.2%
Nonprofit sector 2.6%
Public accounting/accounting services 2.1%
State/provincial government 9.2%
Technology 2.1%
Transportation 2.5%
Utilities 4.1%
Wholesale/retail 2.8%
Other (please specify): 9.0%
55
Internal Audit Departments

The internal audit departments of the respondents ranged in size
from one to 2,000 auditors, with an average of 35 auditors. In terms
of IT auditors, the staffing size ranged from zero to 500 auditors,
with an average of 5.6 auditors.
The Respondents
Table 22 shows the respondents’ distribution of job positions. In
response to a separate question, 14.5 percent of the respondents
consider themselves to be IT auditors (no matter what their current
position is, as illustrated in Table 22).
Table 22
Current Position
Positions Percent
Internal audit staff 40.3%
Internal audit manager 20.2%
Internal audit director 9.3%
Chief audit executive 8.2%
IT audit staff 5.6%
IT audit manager 3.6%
IT audit director 0.8%
External public accountant providing internal audit
1.4%
services
Audit services contractor providing internal audit
2.0%
services
Other 8.7%
56
Appendix A: Demographics
The number of years of experience as an internal auditor ranged

from less than one year to 45 years, with an average of 8.8 years.
Total work experience ranged from one year to 54 years, with an
average of 18.6 years. Most (85.8 percent) of the respondents indi-
cated they were career auditors as opposed to being temporally
rotated into internal auditing from other departments. As Table
23 shows, a little more than half (54 percent) of the respondents
selected accounting as their primary education. As shown in Table
24, almost half (48.5 percent) of the respondents came into internal
auditing from other business disciplines.
Table 24
Table 23
Primary Job/Position
Primary Education or
Before Becoming an
Training Background
Internal Auditor
Education Percent Prior Position Percent

Accounting 54.0% External auditing 26.0%
Information
technology/
8.0% IT/IS (nonaudit) 9.9%
information systems
(IT/IS)
Joint accounting Other business-
6.8% 48.5%
and IT/IS related
Other business area 16.2% Engineering 3.6%
Nonbusiness or
Engineering 5.2% 2.6%
engineering
None of the above
Nonbusiness or
1.4% (I’ve only worked as 9.4%
engineering
an internal auditor)
Other 8.3%
57
Tables 25 and 26 show the general (non-green IT) and green IT

experiences of the respondents. Regarding general green experi-
ence, a little more than a quarter (26.1 percent) of the respondents
had no experience. On the other hand, almost half (42.5 percent)
had no specific green IT experience. Of those who indicated general
and green IT experiences, the majority had those experiences as
internal auditors (either at their current or past organizations).
Table 25 Table 26
Personal Experiences With Personal Experiences With
General Green Activities Green IT Experiences

None. 26.1% None. 42.5%
As an internal As an internal
auditor at auditor at
44.5% 34.2%
my current my current
organization. organization.
As an internal As an internal
auditor at another 12.2% auditor at another 8.0%
Something Something
other than an other than an
internal auditor 23.2% internal auditor 17.3%
at my current at my current
Something other Something other
than an internal than an internal
14.7% 9.9%
auditor at another auditor at another
Other. 3.1% Other. 2.2%
58
REFERENCES
Baliga, J., A. R. W. Ayre, K. Hinton, and R. S. Tucker, “Green

Cloud Computing: Balancing Energy in Process, Storage and
Transport,” Proceedings of the IEEE (2010): Volume: PP, Issue:
99, 1–19.
Baroudi, C., J. Hill, A. Reinhold, and J. Senxian, Green IT Dummies

(Indianapolis, IN: Wiley Publishing, Inc., 2009).
Cascone, J., John DeRose, and Anna Nefedova, “Equipped to

Sustain,” Internal Auditor: December 2010, 49–52.
CFO Publishing Corp., The Next Wave of Green IT (prepared in

collaboration with Deloitte Touche Tohmatsu, 2009).
Daim, T., J. Justice, M. Krampits, M. Letts, et al., “Data Center

Metrics: An Energy Efficiency Model for Information Technology
Managers,” Management of Environmental Quality (2009):
Bradford: Vol. 20, Issue 6, 712.
Deloitte & Touche, Green IT: The Fast-track to Enterprise

Sustainability (2007).
Ernst & Young, Climate Change and Sustainability: Five Highly

Charged Risk Areas for Internal Audit (2010).
Force 10 Networks, Managing Data Center Power and Cooling.

White paper published by Force 10 Networks, Inc., San Jose, CA,
2007.
Forge, S., “Powering Down: Remedies for Unsustainable ICT,”

Foresight (2007): Emerald Group Publishing Limited Vol. 9 (4), 3–21.
59
Gabriel, C., “Why It’s Not Naïve to Be Green,” Business Information

Review (2008): SAGE Publications Vol. 25 (4), 230–237.
Gray, G. L., Changing Internal Audit Practices in the New Paradigm:

The Sarbanes-Oxley Environment (Altamonte Springs, FL: The
Institute of Internal Auditors Research Foundation, 2004).
Hignite, K., “Low-Carbon Computing,” EDUCAUSE review

(1527-6619) (2009): November 1: 44 (6), 35.
KPMG, The Rise of ‘Sustainable IT’ (2010).
Lamb, J., The Greening of IT: How Companies Can Make a

Difference for the Environment (International Business Machines
Corporation, 2009).
Mitchell, R. L., “Ice Balls Help Data Center Go Green,”

Computerworld (2010): October 13.
Murugesan, S., “Harnessing Green IT: Principles and Practices,”

IEEE IT Professional (2008): January-February, 24–33.
Oblinger, D. G., “Making the Case for ROI in Sustainable IT

Projects,” EDUCAUSE review (1527-6619) (2009): November 1:
44 (6), 6.
Pensabene, T., “College Creates ‘Green’ Data Center Program,”

Baseline (2010): New York: Jan/Feb, Issue 102, 16.
Plant, R., “Sustainability; How Green Should My Tech Be? To

decide whether an eco-friendly IT idea makes sense, first place it in
one of four categories,” Wall Street Journal (Online): New York:
Jan 25, 2010.
Scaramella, J., and M. Eastwood, Solutions for the Datacenter’s

Thermal Challenges. White paper #205113 published by IDC
Information and Data, Framingham, MA, 2007.
60
References
Solomon, G., “Industry Can Help World Reduce Carbon

Footprint,” Global Telecoms Business (January 2010): London.
Sumners, G. E., and J. S. Soileau, “Addressing Internal Audit

Staffing Challenges,” Information Systems Management (2008):
Spring, Vol. 25, Iss. 2, 1.
Symantec, Green IT Global Results (2009).
T-Systems, White Paper, Green ICT: The Greening of Business

(Leinfelden-Echterdingen, Germany: T-Systems International
GmbH, 2009).
U.S. Environmental Protection Agency (EPA), Report to Congress

on Server and Data Center Energy Efficiency Public Law 109-431
(2007).
Velte, T. J., A. T. Velte, and R. Elsenpeter, Green IT: Reduce Your

Information System’s Environmental Impact While Adding to the
Bottom Line (McGraw-Hill, 2008).
61
The vision of The IIA Research Foundation is to understand, shape,
and advance the global profession of internal auditing by initiating
and sponsoring intelligence gathering, innovative research, and
knowledge-sharing in a timely manner. As a separate, tax-exempt
organization, The Foundation does not receive funding from IIA
membership dues but depends on contributions from individuals
and organizations, and from IIA chapters and institutes, to move our
programs forward. We also would not be able to function without
our valuable volunteers. To that end, we thank the following:
Research Sponsor Recognition

Research Sponsors
IIA–Chicago Chapter
IIA–Houston Chapter
IIA Netherlands
IIA–New York Chapter
IIA–Philadelphia Chapter
Strategic Principal Partners
ACL Services Ltd.
CCH® TeamMate
Principal Partners
CaseWare IDEA Inc.
Ernst & Young LLP
PricewaterhouseCoopers LLP
Visionary Circle
The Family of Lawrence B. Sawyer
Chairman’s Circle
ExxonMobil Corporation
Itau Unibanco Holding S.A.
JCPenney Company, Inc.
Lockheed Martin Corporation
Southern California Edison Company
Diamond Donor
IIA–Central Ohio Chapter
IIA–San Jose Chapter
63
THE IIA RESEARCH FOUNDATION
BOARD OF TRUSTEES
President: Patricia E. Scipio, CIA, PricewaterhouseCoopers LLP

Vice President-Strategy: Mark J. Pearson, CIA, Boise Inc.
Vice President-Research and Education: Philip E. Flora, CIA,
CCSA, FloBiz & Associates, LLC
Vice President-Development: Wayne G. Moore, CIA,
Wayne Moore Consulting
Treasurer: Stephen W. Minder, CIA, YCN Group LLC
Secretary: Douglas Ziegenfuss, PhD, CIA,
CCSA, Old Dominion University
Neil Aaron, The McGraw-Hill Companies

Richard J. Anderson, CFSA, DePaul University
Urton L. Anderson, PhD, CIA, CCSA, CFSA, CGAP,
University of Texas-Austin
Sten Bjelke, CIA, IIA Sweden
Michael J. Head, CIA, TD Ameritrade Holding Corporation
James A. LaTorre, PricewaterhouseCoopers LLP
Marjorie Maguire-Krupp, CIA, CFSA,
Coastal Empire Consulting
Leen Paape, CIA, Nyenrode Business University
Jeffrey Perkins, CIA, TransUnion LLC
Edward C. Pitts, Avago Technologies
Michael F. Pryal, CIA, Federal Signal Corporation
Larry E. Rittenberg, PhD, CIA, University of Wisconsin
Carolyn Saint, CIA, Lowe’s Companies, Inc.
Mark L. Salamasick, CIA, University of Texas at Dallas
Susan D. Ulrey, CIA, KPMG LLP
Jacqueline K. Wagner, CIA, Ernst & Young LLP
Shi Xian, Nanjing Audit University
65
THE IIA RESEARCH FOUNDATION
COMMITTEE OF RESEARCH
AND EDUCATION ADVISORS
Chairman: Philip E. Flora, CIA, CCSA, FloBiz & Associates, LLC
Vice-chairman: Urton L. Anderson, PhD, CIA, CCSA, CFSA, CGAP,
University of Texas-Austin
George R. Aldhizer III, PhD, CIA, Wake Forest University

Lalbahadur Balkaran, CIA
Kevin W. Barthold, CPA, City of San Antonio
Thomas J. Beirne, CFSA, The AES Corporation
Audley L. Bell, CIA, Habitat for Humanity International
Toby Bishop, Deloitte & Touche LLP
Sezer Bozkus, CIA, CFSA, KPMG LLP
John K. Brackett, CFSA, RSM McGladrey, Inc.
Adil S. Buhariwalla, CIA, Emirates Airlines
Thomas J. Clooney, CIA, CCSA, KPMG LLP
Jean Coroller
Mary Christine Dobrovich, Jefferson Wells International
Susan Page Driver, CIA, Texas General Land Office
Donald A. Espersen, CIA, despersen & associates
Randall R. Fernandez, CIA, C-Force, Inc.
John C. Gazlay, CPA, CCSA
Dan B. Gould, CIA
Ulrich Hahn, CIA, CCSA, CGAP
John C. Harris, CIA, Aspen Holdings/FirstComp Insurance Company
Sabrina B. Hearn, CIA, University of Alabama System
Katherine E. Homer, Ernst & Young LLP
Peter M. Hughes, PhD, CIA, Orange County
David J. MacCabe, CIA, CGAP
Gary R. McGuire, CIA, Lennox International Inc.
John D. McLaughlin, Smart Business Advisory and Consulting LLC
Steven S. Mezzio, CIA, CCSA, CFSA, Resources Global Professionals
Deborah L. Muñoz, CIA, CalPortland Company
Frank M. O’Brien, CIA, Olin Corporation
Michael L. Piazza, Professional Development Institute
Amy Jane Prokopetz, CCSA, Farm Credit Canada
Mark R. Radde, CIA, Resources Global Professionals
Vito Raimondi, CIA, Zurich Financial Services NA
Sandra W. Shelton, PhD, DePaul University
Linda Yanta, CIA, Eskom
67
Green-IT
Opportunities for Internal Auditors
Green IT
H
Glen L. Gray, PhD, CPA Opportunities for Internal Auditors
C
demands on organizations regarding corporate social responsibility (CSR)
and sustainable development. A key component of CSR is reducing an
Internal Audit Capability Model (IA-CM) For the Public Sector

organization’s environmental impact and “green information technology”
(green IT) can play a critical role in this effort.
R
The report summarizes what organizations and internal auditors are currently
doing in the green IT domain and what they should be doing in this area.
Selecting the best green IT solutions — and prioritizing those solutions — for
A
an organization requires careful analysis of all the lifecycle costs (front-end
and ongoing), benefits, and risks before selecting the appropriate solutions.
Green IT: Opportunities for Internal Auditors identifies significant
E
opportunities for internal auditors to provide a wide variety of value-added
green IT services in auditing, facilitating, and consulting.
R
S
C
E Glen L. Gray, PhD, CPA

Order No. 5017.dl
H
IIA members US $0
R
Nonmembers US $25
ISBN: 978-0-89413-707-5
5/11349/PM/GS

Green-IT FINALwCover

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Green-IT FINALwCover

Uploaded by

Copyright:

Available Formats

Green-IT

Opportunities for Internal Auditors

Internal Audit Capability Model (IA-CM) For the Public Sector

Green IT: Opportunities for Internal Auditors identifies significant

E Glen L. Gray, PhD, CPA

Glen L. Gray, PhD, CPA

Copyright © 2011 by The Institute of Internal Auditors Research

The IIARF publishes this document for informational and educational

The Institute of Internal Auditors’ (IIA’s) International Professional

The mission of The IIARF is to expand knowledge and understanding

Vendor Green Requirements and Audits............................... 35

The IIA Research Foundation Sponsors.................................. 63

Figure 1: Green IT Domain and Value Chain............................ 9

Table 1: Summary of Assumptions for Analysis of

Table 11: Considering All the Computers in Your

The leadership and staff within The IIA Research Foundation

Glen L. Gray, PhD, CPA, is a professor in the Accounting and

He has been a member of the San Fernando Valley Chapter of

In 2006, Dr. Gray was part of a team that prepared a research

He has written academic and trade articles related to his research

Two years ago, I attended a presentation where a partner from a

many other books. http://www.alvintoffler.net/

sustainability is becoming mainstream for organizations — and,

Although the specific metrics and key performance indicators

Glen L. Gray, PhD, CPA

See The IIA’s Practice Guide, Evaluating Corporate Social

Government regulators and other stakeholders are increasing their

• Designing IT equipment manufacturing processes to minimize

• Designing IT equipment to maximize recyclable components

• Designing IT packaging to minimize storage and transportation

• Selecting IT acquisition and deployment approaches to

• Designing IT infrastructure to minimize energy, cooling, and

• Using IT to minimize environmental demands, such as:

• Designing software to minimize IT hardware demands and

• Reducing the number of computers and reducing infrastructure

• Disposing of IT equipment to maximize reuse and recycling,

This report summarizes a survey of The IIA’s membership to explore

Based on the survey, the experiences of internal audit departments

Considering the low involvement in green IT activities by internal

A good place to start exploring green IT opportunities is to

in formulating value-added green IT services that internal auditing

In February 2010, The IIA published a Practice Guide titled Evaluating

…the study and practice of designing, manufac-

Green IT is a good idea from an economic perspective as well

published by T-Systems, in the aggregate, IT causes the same

Some non-IT green projects, such as retrofitting the electrical

Approach 1: Replace boxes with newer boxes. If an organization simply

Approach 2: Replace boxes with smaller boxes. By replacing tradi-

Approach 3: Replace boxes with fewer boxes. By implementing virtual-

Approach 4: Eliminate boxes. Organizations could shut down

Note that this report is not promoting any green IT alternatives

The green IT domain is almost boundless. Exploring green IT

IT Acquisition and Deployment

According to a frequently quoted EPA study (EPA 2007), just

To develop a better understanding of energy-efficiency opportuni-

• The “improved operation” scenario includes energy-efficiency

• The “best practice” scenario represents the efficiency gains that

• The “state-of-the-art” scenario identifies the maximum

Details of the key energy-efficiency assumptions used in the EPA’s

Data Center Subsystem

Data Center Subsystem

Source: EPA (2007)

Electrical and Cooling Management