ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > A view from the other side of the table

A view from the other side of the table

| Posted at 10:49 AM by ISACA News | Category: Audit-Assurance | Permalink | Email this Post | Comments (7)

The cliché is that former auditors make the worst auditees, and I’m probably living proof of that. I’ve spent most of my career as an internal IT auditor, but a few years ago, I made the shift from leading the IT audit department to leading IT operations organizations at my company. As a result, I’ve become the recipient of my former team’s audit activities.


In fact, in a case of poetic justice, as I made the move, my former team was wrapping up an audit of my new team. I had the unique experience of participating in the closing meeting as both the primary customer manager and as the audit manager. Naturally, much like a president pardoning criminals on his last day in office, my last official act as IT audit manager was to waive all findings. (The reality is that I recused myself so as to avoid a conflict of interest—but that doesn’t sound as interesting.)


I’ve always believed that an effective internal audit department considers the audit to be a partnership with fellow employees and not a policing function. By combining an expertise in internal controls with the auditee’s expertise in his/her business and day-to-day operations, together you can best determine what risks need to be addressed. When you’re successful in this area, the people being audited begin volunteering information about potential audit issues. They go beyond just answering the questions posed and brainstorm regarding potential exposures.


Relationships will make or break the audit department’s ability to add value to the company. I feel it’s the auditor’s responsibility to do everything he/she can to minimize negative relationships and foster positive ones. If you don’t have good relationships with your audit customers and if you don’t communicate well, you won’t have credibility and you won’t be effective.


The importance of these concepts has been reinforced now that I’m on the other side of the table. Below are a few tips for auditors, given from the perspective of an audit customer, which can help maximize cooperation and buy-in:


  1. Talk with me and attempt to get my buy-in before scheduling an audit of something within my organization. Don’t just inform me that you’re coming in to do an audit. I want to feel that you’re doing the audit with me, not to me. At the opening meeting, you want me to be nodding my head and telling my organization that I’ve agreed to and am fully supportive of the audit. Also, don’t just tell us what areas will be reviewed during the audit; get my team’s input on the scope. We might have some good ideas for you.


  1. Work with me on scheduling the audit.  If you want to work effectively with my team, don’t arbitrarily schedule the audit without consulting me. We might be in the middle of a key project or we might have key personnel out of the office.  By scheduling the audit in cooperation with me, you’re much more likely to get my team’s full attention and therefore are much more likely to have an effective audit.


  1. Keep me informed of issues found during the audit. This falls into the “no surprises” category of doing business. 


  1. Follow the chain of command. No one likes to be blindsided. Don’t talk to my boss about issues in my organization unless you’ve talked with me first. In fact, even if you have talked with me first, give me a heads up that you’re going to go talk with my boss, so that I can be prepared. Similarly, don’t talk with me about issues that you haven’t already talked with my team about. They don’t want to be blindsided either.


  1. Understand that I have other priorities. Balance the importance of resolving the audit issues with the fact that my team has many other deadlines and time pressures. Prioritize the issues for me. Let me know which ones need to be worked ASAP, and give me the freedom to integrate the lower-priority audit items with the rest of my priorities and set dates that might be a little further out.


  1. Don’t escalate minor issues to senior management without providing context regarding the risk represented. This can lead to a flurry of activity and distractions without adding real value. 


  1. Help me build controls in up front. Be willing to provide input as I’m developing and deploying new systems and technologies, instead of waiting for a formal audit. I’d rather do it right the first time. Conversely, consider letting me help pilot some of your new tools prior to trying to execute them in the production environment for which I’m responsible. And don’t wait until an audit to inform my team about new industry best practices related to internal controls that your team has learned about and wants us to implement. Work with me proactively so that I can consider building them into our policies and procedures. 


Fortunately, we have a great audit team here at Texas Instruments that has always operated with a focus on adding value. My time on the other side of the fence has just accentuated for me the importance of good relationships between the audit and operations teams, and I’ve realized that the above areas are some that are most likely to either enhance or detract from that partnership. 


Remember that we have the same goal: to help the company. Good relationships will help us all achieve that goal.


Mike Schiller, CISA

Director of Global Server, Database and Storage Infrastructure, Texas Instruments

Co-Author of IT Auditing: Using Controls to Protect Information Assets (Second edition published January 2011, available through the ISACA Bookstore)


We welcome your comments! Please log in using the Sign In button at the top right of this page and then leave your comment in the box at the end of the post.


To view all blog posts, please click on the ISACA Now button in the blue box on the left.



Thanks for the tips Mike. at 2/3/2011 4:04 AM


Mike, the article is very valuable. it is highly appreciated by me. I learned new tips to do effective audits.  
Zeydulla at 2/4/2011 12:17 AM


Since I find myself in a similar situation, moving from IT Audit to IS/IT Project Management, I find your article very valuable and to the point. Thanks for sharing your thoughts and adding value to the profession.
Giorgos Papoulias at 2/4/2011 8:42 AM

Issues Escalation

I feel its important to note that some audit findings need not be brought to the attention of the operations team before being escalated. This may depend on the value of sensitivity of the findings made. Its inherent on a IT auditor to measure the impact or otherwise of his findings in order to settle on how disclosure should be carried out. However, the piece is quite educative and practical and will enhance my audit relationship. Thank you.
camewu at 2/4/2011 1:23 PM

A view from the other side of the table

It is a nice article. As auditors we are not auditing people -we are auditing processes.. I have passed the article to our audit team. It will surely improve our effectiveness, if the tips are followed...Thanks Mike.
Itti at 2/4/2011 10:44 PM

A good information for ALL IT Auditors.

How  I wish this article can be included in one of the printed Journals being sent to ISACA member aside the fact that it is published online?

This is a very educative article telling an Auditor how to relate and interact with the Auditee.

Unfortunately many Auditors are turning themselves to "Semi-God" during auditing processes.

Thanks Mike for this great exposure!
isaacfala at 2/7/2011 12:25 PM

A good approach to modern IT Audit

Mike, thank you so much. This is a good article indeed
gngunjiri at 2/9/2011 6:30 AM
You must be logged in and a member to post a comment to this blog.