Understanding and Working with Auditors
- Written by: Dave Nelson
An IT Manager’s Guide to a Successful Audit [PART 2 of 5]
Not all audits are equal. There are different reasons to audit, so it is reasonable to expect that audits will be initiated by various groups. We’ve reviewed a little about how the type of audit can impact you; now let’s look at how the auditor can impact you. Ronald Reagan was famous for using the phrase “Trust, but verify” when dealing with the Soviet Union in the 1980s. The same approach works with auditors. In general, auditors aren’t “out to get you”; however, you should always question the motives of the individuals involved and strive to understand the details of your audit engagement.
You need to ask questions like “Who do they work for?”, “What impact does the audit result have on them?” and “Do they have experience in this field?” These questions will help you decide how best to approach and communicate with your audit team. You both have a stake in a successful engagement, regardless of whether you “work” for the same company. Your motives for success might be vastly different, but that in no way diminishes the fact that you both need to score a win. An auditor is typically considered successful if they routinely find gaps and provide solid opinions on how an organization can improve. A department is considered to have successfully passed an audit if it has no significant or material gaps that need to be remediated. Acknowledging that we are not perfect, and that we may have room to improve, allows both the auditor and the entity being audited to have a successful engagement.
The first myth that needs to be debunked is that auditors are trolls who live under a bridge and only come out to make your life miserable. Nothing could be further from the truth. In my experience, auditors are quite often friendly individuals with a wealth of knowledge they’re dying to share. All you have to do is ask. They have typically seen many different technologies in use at companies of all sizes and in various industries. As an IT manager, that knowledge is invaluable. Tap into it.
Many IT auditors today were at one time very skilled technically, so much so that the technology now “bores” them and they are more interested in improving the processes built around it. Many IT auditors hold the Certified Information Systems Auditor (CISA) credential from ISACA (the Information Systems Audit and Control Association), which requires five years of relevant experience and ongoing continuing education to maintain. As with all professions and certifications, there are those who slipped through the cracks and shouldn’t be practicing, but they are few and far between in the IT audit ranks.
Another myth about auditors is that they have no interest in your operational goals and objectives, and that they want to lock down your organization no matter the cost. While this might be true of some external auditors, think about it for a second. Auditors employed by your company are just as informed about the company’s performance and its impact on their jobs as you are. Typically, bonuses are paid to everyone based on the company’s performance, and auditors aren’t exempt from this. They are just as concerned about your organization succeeding as you are. They simply have a different perspective on the impact that gaps in your organization may create for the company. Once you learn to respect that perspective and work with it, your life will become much easier.
Occasionally I hear discussions where auditors are described as “by the book”, a “Boy Scout”, someone who is inflexible and can’t be reasoned with. The only time I’ve ever seen this is when the IT manager is exhibiting the same characteristics; then it’s usually a matter of pride on both sides, and nobody is willing to back down. Almost every audit I’ve been involved with has resulted in some sort of negotiation over what is going to be reported as a gap, its criticality, the timeline for remediation, and so on.
Internal Auditors
Internal auditors are probably the easiest to work with because they are your peers. You work for the same company, have the same ultimate boss, understand the company’s culture, and so on. They’re one of the gang. You can build a relationship with these individuals because they are available to you; you probably work with them at least yearly, if not more often. It’s like any other relationship: as you spend more time with them you begin to understand their thought process, motivating factors, and communication style, and they in turn learn the same about you and your team. Things get easier with every engagement.
Internal auditors typically have some sort of independent or dotted-line reporting structure to the board of directors or other executive management. This helps ensure a level of objectivity in the audit process: with fewer layers of management between them and the board, they have reasonable assurance that they won’t be retaliated against for finding gaps in a process. Don’t look at this as if everything they know goes straight to the top; it doesn’t. In fact, the board typically sees only the most critical issues in their reports. This reporting structure is designed to support the integrity of the audit process, not to make sure the head honchos know all of your shortcomings.
Since internal auditors work for your company, their motives are usually shaped, at least in part, by what’s in the company’s best interest. Auditors, attorneys, information security professionals, just about everyone struggles with this: how do I balance what I think is best against what is best for the company? It is difficult to find that equilibrium, but we all must do it.
External Auditors
If your company doesn’t have an internal audit group, or you are hoping to add a bit of independent validity to the audit outcome, your company might hire an external audit firm. While this is typically seen as a good opportunity to get independent validation, be careful. (Side note: if you are doing due diligence and have been provided an audit report on a company prepared by an audit firm retained by that same company, understand the risk. Obviously, there are criminal or civil penalties for false or misleading statements, but when something can go either way, it’s going to go in the direction the money flows. After all, this is an audit firm that is in business to… make money.)
You can still build a level of rapport with your external auditors, but I’d probably be less forthcoming with all of my secrets than I would be with my own internal auditors. Their motives are split between keeping your business and their legal and professional obligations. They also have their own corporate reputation to worry about.
Typically, external auditors have very little interest in what happens to your company as a result of the audit. Notice I didn’t say they don’t care; there just isn’t much at stake for them. They are simply there to report on how well you comply with the stated controls. This can be the most dangerous audit to navigate: you typically have very little leverage with these auditors during negotiations, so you’ll have to win them over with your charm. Find some common ground with external auditors, something that makes a human connection. Heck… take them to lunch. Even if they must pay for their own meal to avoid a conflict of interest, it’s harder to have real disdain for someone with whom you’ve shared a meal.
Be very careful what information you provide to external auditors. Don’t ever hide information, give half the story, or mislead them. But always think of the Miranda rights: “You have the right to remain silent. Anything you say can and will be used against you…” Do you remember growing up, when your little brother or sister just wouldn’t stop rambling on to your mom after you both got caught doing something you shouldn’t have? Your mom learned things she would never have found out about if they had just stopped talking. Give auditors what they ask for, but don’t offer up every piece of information you can find. This subject will be discussed further in the scoping and fieldwork section of a later post.