HelpSource Q&A 


We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Q I read your previous column with a question based on the book 8 Things We Hate About IT: How to Move Beyond the Frustrations to Form a New Partnership with IT. In your response, you discussed ‘things we hate about information security’; it made a lot of sense and was interesting reading, too. Continuing the discussion along the same lines, can you please list out the things that people ‘hate’ about information systems auditors? Auditors do not necessarily, on all occasions, remain best friends with the people in the business/IT. Please also add what auditors must do to win friends.

A I do not disagree with you—auditors who do a clinical, dispassionate job may win the wrath and displeasure of those in the field and, on some odd occasions, even that of the leadership of the operational area that gets audited. But that does not mean they are ‘hated’. Hatred can exist when auditors disappoint and fail to do their job. Not being popular can be misconstrued as hatred, but in the long run, good auditors are not necessarily popular per se. The truth of the matter is that by being clinical and dispassionate, with no personal agenda, auditors serve the best interests of their employers and their profession. Here are some areas that can result in auditors being ‘hated’:

  • Auditors who do not choose the right areas for conducting the audits easily earn the displeasure of both operational and organisational leadership. Unless the right domains or organisation units get audited, it will be a waste of resources, both from the audit perspective and from that of the areas chosen for audit. It is essential to develop a ‘risk universe’ consisting of the entire organisation’s various risks—be they legal, compliance, regulatory, operational or IT—and to determine the correct priorities for audit based on the prevalent risk exposures.
  • Auditors must have a defined/structured approach to handle all audits—from identification of areas to execution and reporting. The approach must be able to withstand any independent scrutiny. Undefined and informal approaches obviously invite unhappiness. It is better that the approach be based on industry standards or benchmarks.
  • The methods used to conduct audits must be totally risk-based to avoid any potential bias. Adopting risk-based approaches will guarantee that each audit addresses all key and relevant risks. All the relevant risks must be identified. Once the relevant risks are identified, the corresponding controls to mitigate those risks must be listed. This list should describe the desired controls, rather than reflect the controls actually deployed. Once the desired list of controls is prepared, it must be compared with the actual controls in the field and any potential gaps identified. If material gaps exist, they should be reported. Unstructured methods will never be welcomed.
  • At the same time, the controls must be tested for their effectiveness. Controls can be classified as preventive, detective or corrective. The controls should also be reasonable and commensurate with the risks that are to be mitigated. It is essential that the testing clearly identifies the efficiency and effectiveness of the controls in place. The audit must aim to identify clear gaps, if any, in the implementation of controls. If the auditor believes that better and alternate controls exist, the recommendations must clearly capture this need and outline the alternate requirements. However, the proposed changes must be articulated with facts and figures and without emotion.
  • Auditors who produce reports—specifically, lengthy reports—that convey nothing will never be loved. Rather, reports must be produced in multiple formats to suit different audiences, or they should be organised into different sections, including a summary of issues that gives, in a nutshell, the essence of all the findings or observations.
  • The auditor’s observations must be factually accurate and must not be mere opinions. They must not lack objectivity, and they should not entertain anything subjective. Observations must be supported by adequate evidence gathered during the course of the audit. Observations should not be made if substantiation is not possible at a later date.
  • Management of the areas audited must be given adequate opportunity to respond with their position on the audit report that goes out to leadership. They may differ with the observations made by the auditors; sometimes they may agree with the observations, but differ with the rating in terms of risk assigned to the findings. At times, they may agree with both, but may dispute the practicality or the pragmatic nature of the recommendations made by the auditors. Whatever the case may be, their point of view must be clearly recorded in the audit report, with no editing or alterations made to it by the auditors. Responses to such viewpoints must also be given equal prominence in the audit report. Any auditors who do not provide management an opportunity to respond and who fail to publish their responses are sure to be hated.
  • Above all, it is essential to have auditors in place who do their job because they love to do it and are passionate about it. The role should not be seen as a stop-gap arrangement in someone’s career journey. Auditors who treat it that way, pursuing their own agenda, will clearly end up as targets for hate.
  • To win better trust and confidence and to act as true business partners, it is essential that auditors follow up their audits with activities to make sure that the key issues get closed in an effective manner. Closure of critical issues must get validated.

Thus, there are a number of reasons why auditors can be hated. Sounds like a good subject for yet another book, right?


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.
