Danny M. Goldberg, CISA, CGEIT, CCSA, CIA, CPA
Career progression in any field is dependent on many factors, including skill and experience and, often, being in the right place at the right time. In the audit and risk management profession, there are many high-quality people vying for the same roles. Additionally, the progression of many managers up the proverbial audit ladder is stymied due to one significant distinguishing factor: communication skills.
In the IT audit world, some security and IT auditors tend to use fear, uncertainty and doubt as methods of enforcement. When speaking to nontechnically oriented team members, it is easy to generate fear, which may inadvertently lead to rumors that can damage the credibility of the auditors and/or the audit departments. Such negative methods by auditors will not contribute to success in building long-term relationships with auditees.
For auditors, the focus is on oral and written communication. To be successful, auditors must establish face-to-face relationships with auditees and develop a level of trust. Furthermore, complete and accurate work papers in addition to compelling audit reports are important throughout the audit process.
Auditing skills and ability are extremely important; however, without a high level of communication, all ability is for naught. It has been said that interpersonal skills are more important than auditing skills in this profession.1 Internal audit is comparable to the sales group inside an organization, in that audit must constantly sell its value and role. The need for auditors to constantly sell their value highlights the importance of refined communication skills. Some best practices and key areas of communication include:
Communication, via emails, meetings, phone conversations and instant messaging, for example, is the foundation of all business. The 7 C’s of communication provide a checklist for making sure that all forms of communication, including meetings, emails, conference calls, reports and presentations, are well constructed and clear.
The 7 C’s of communication are:2
One of the major issues with interoffice communication is the separation of personal and professional points of view. Emotion tends to weigh down healthy and straight-forward communication and the comprehension of what is being communicated. Communication should be kept at a professional level; personal feelings should not affect communication. It is important to remember that communication should not be taken personally in the workplace. In certain instances, auditees may take audit findings or recommendations personally. For auditors, communication must be kept on a professional level and emotion must be eliminated as much as possible. The auditor should remain focused on the issue and the root of the problem.
Miscommunication is the number-one cause of unnecessary conflict. Assumptions can take on a world of their own. People who assume let the assumption take over the conversation and, thus, do not fully comprehend the communication. Auditors must not assume anything, must keep an open mind and must be open to conversations. Many miscommunications are bred from assumptions and are affected by the mode of communication. Auditors should ensure that communications to auditees are clear, and they should avoid miscommunication as much as possible.
The mode of communication can significantly change the tone and meaning of communication. Generation Z3 is well-versed in communicating via smartphone and social media (e.g., LinkedIn, Facebook, Twitter); however, the focus on these new modes of communication has decreased Generation Z’s in-person communication skills. There are many different modes of communication, but nothing can replace face-to-face conversation.
Emotions and sarcasm are difficult to interpret via email and on smartphones. All employees should be guarded when communicating via smartphone. Technology has enhanced the speed of communication, but it has also decreased the effectiveness of communication. Generation Z relies heavily on text messaging and emails, but many conversations are better conducted in person or over the phone. Email and texting are sometimes used as modes to avoid in-person conversations. Communications that involve back-and-forth conversation should be done in person rather than via email. Many employees, especially in younger generations, tend to use the wrong form of communication. Email is overused, and not all conversations are effective via email. Emotional conversations should not take place via email. If an emotionally charged email is received, it is best not to respond via email, but to call the sender and discuss the situation offline, regardless of who is copied on the email. In the case of an ongoing audit, it is best not to communicate significant findings via email. Anything that could be significant or construed as personal should be communicated in person.
Confrontation4 can be a healthy exercise when the parties in conflict are transparent and honest. In most cases, discussions of audit findings will have some form of confrontation. Proper management of this communication can determine the successfulness of an audit.
Most people inherently do not like confrontation. The points outlined below can be applied to any type of conflict. Confrontation—due to any conflict, including those within the audit group, between audit and management, or among auditors and auditees—can be optimized by undertaking the following steps:
Listening is a major part of communication. It takes effort to listen and comprehend. Auditors must be good listeners and must focus on the content and meaning of a conversation. When participants lack strong listening skills, audit interviews lose their value. The following points can enable more optimized listening:
Communication is key to an organization’s success. In general, audit skills and talents are very important, and not everyone is capable of becoming a good auditor. On the other hand, interpersonal and communication skills are as, or more, important than general audit capabilities. If an auditor cannot effectively communicate a finding or recommendation, the solution will fall on deaf ears. All the internal and IT audit talents in the world are deemed relatively useless when the auditor lacks the ability to effectively communicate the goals and findings of an audit.
Auditors who strive to advance into managerial roles need strong communication skills to take the next step. This is the missing piece for many auditors, but it can be achieved with training and effort. Auditors must become optimized communicators, and should not assume that the people with whom they interact are not optimized communicators.
1 This statement is based on the author’s experience and his discussions with other audit professionals.2 There are many variations of the 7 C’s of communication. For additional examples, please see: Mind Tools, “The 7 C’s of Communication: A Checklist for Clear Communication,” www.mindtools.com/pages/article/newCS_85.htm, and Reynolds, Roger; “Seven C’s of Good Communication,” Infinisource Payroll, http://abcopayroll.com/news/200610sevencs.php. 3 A term used for individuals born between approximately 1990 and 2000.4 The definition of “confront” (and, in turn, “confrontation”) is not implicitly negative. See Merriam-Webster, “Confront,” www.merriam-webster.com/dictionary/confront.
Danny M. Goldberg, CISA, CGEIT, CCSA, CIA, CPA, is the professional development practice director at Sunera, an international corporate governance, risk management and regulatory compliance firm. Prior to joining Sunera in January 2011, he founded SOFT GRC, an advisory services and professional development firm. Goldberg has more than 13 years of audit experience in the Dallas and Fort Worth, Texas, USA, area, including five as a chief audit executive/audit director at two diverse companies. He has the rare experience of leading or being an integral part of year-one US Sarbanes-Oxley Act compliance efforts at three companies. Additionally, he has assisted in leading the establishment of three internal audit/Sarbanes-Oxley departments.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.