The cliché is that former auditors make the worst auditees, and I’m probably living proof of that. I’ve spent most of my career as an internal IT auditor, but a few years ago, I made the shift from leading the IT audit department to leading IT operations organizations at my company. As a result, I’ve become the recipient of my former team’s audit activities.
In fact, in a case of poetic justice, as I made the move, my former team was wrapping up an audit of my new team. I had the unique experience of participating in the closing meeting as both the primary customer manager and as the audit manager. Naturally, much like a president pardoning criminals on his last day in office, my last official act as IT audit manager was to waive all findings. (The reality is that I recused myself so as to avoid a conflict of interest—but that doesn’t sound as interesting.)
I’ve always believed that an effective internal audit department considers the audit to be a partnership with fellow employees and not a policing function. By combining an expertise in internal controls with the auditee’s expertise in his/her business and day-to-day operations, together you can best determine what risks need to be addressed. When you’re successful in this area, the people being audited begin volunteering information about potential audit issues. They go beyond just answering the questions posed and brainstorm regarding potential exposures.
Relationships will make or break the audit department’s ability to add value to the company. I feel it’s the auditor’s responsibility to do everything he/she can to minimize negative relationships and foster positive ones. If you don’t have good relationships with your audit customers and if you don’t communicate well, you won’t have credibility and you won’t be effective.
The importance of these concepts has been reinforced now that I’m on the other side of the table. Below are a few tips for auditors, given from the perspective of an audit customer, which can help maximize cooperation and buy-in:
- Talk with me and attempt to get my buy-in before scheduling an audit of something within my organization. Don’t just inform me that you’re coming in to do an audit. I want to feel that you’re doing the audit with me, not to me. At the opening meeting, you want me to be nodding my head and telling my organization that I’ve agreed to and am fully supportive of the audit. Also, don’t just tell us what areas will be reviewed during the audit; get my team’s input on the scope. We might have some good ideas for you.
- Work with me on scheduling the audit. If you want to work effectively with my team, don’t arbitrarily schedule the audit without consulting me. We might be in the middle of a key project or we might have key personnel out of the office. By scheduling the audit in cooperation with me, you’re much more likely to get my team’s full attention and therefore are much more likely to have an effective audit.
- Keep me informed of issues found during the audit. This falls into the “no surprises” category of doing business.
- Follow the chain of command. No one likes to be blindsided. Don’t talk to my boss about issues in my organization unless you’ve talked with me first. In fact, even if you have talked with me first, give me a heads up that you’re going to go talk with my boss, so that I can be prepared. Similarly, don’t talk with me about issues that you haven’t already talked with my team about. They don’t want to be blindsided either.
- Understand that I have other priorities. Balance the importance of resolving the audit issues with the fact that my team has many other deadlines and time pressures. Prioritize the issues for me. Let me know which ones need to be worked ASAP, and give me the freedom to integrate the lower-priority audit items with the rest of my priorities and set dates that might be a little further out.
- Don’t escalate minor issues to senior management without providing context regarding the risk represented. This can lead to a flurry of activity and distractions without adding real value.
- Help me build controls in up front. Be willing to provide input as I’m developing and deploying new systems and technologies, instead of waiting for a formal audit. I’d rather do it right the first time. Conversely, consider letting me help pilot some of your new tools prior to trying to execute them in the production environment for which I’m responsible. And don’t wait until an audit to inform my team about new industry best practices related to internal controls that your team has learned about and wants us to implement. Work with me proactively so that I can consider building them into our policies and procedures.
Fortunately, we have a great audit team here at Texas Instruments that has always operated with a focus on adding value. My time on the other side of the fence has just accentuated for me the importance of good relationships between the audit and operations teams, and I’ve realized that the above areas are some that are most likely to either enhance or detract from that partnership.
Remember that we have the same goal: to help the company. Good relationships will help us all achieve that goal.
Mike Schiller, CISA
Director of Global Server, Database and Storage Infrastructure, Texas Instruments
Co-Author of IT Auditing: Using Controls to Protect Information Assets (Second edition published January 2011, available through the ISACA Bookstore)