


IS Audit Basics: Is There Such a Thing as a Bad IS Auditor?, Part 2

Author: Ed Gelbstein, Ph.D.
Date Published: 1, March 2016

In Part 1, we discussed the concepts of “good” and “bad” and their many gradations. All of the shades of badness examined (the well-connected, the faker, the lazy, the bureaucrat, the cookbook auditor, the geek and the sociopath), other than the sociopath, are fairly harmless. They are nuisances, definitely, but not individuals who can significantly damage the organization.

In this column, the profiles (other than the timid) represent an increasing level of danger to the organization. There are overlaps among the various profiles.

These negative profiles raise an ethical issue for “good” auditors: the role of organizational policy and whistleblowing. These are big topics, and the intent here is to sensitize the reader to them and raise the question, “Have you thought about this?”

The Argumentative

The argumentative auditor believes that always being right is the appropriate behavior and will insist that his/her findings and observations could not possibly be wrong or need revision. Audit meetings get “interesting” when the argumentative auditor is dealing with an argumentative auditee; things can readily escalate into open conflict. This is bad news and usually ends with senior management or the chief audit executive (CAE) having to resolve the dispute.

The “Must Find Something”

This is the knowledgeable, experienced, well-mannered and dedicated auditor who feels that his/her role must be justified all the time. Fundamentally different from the argumentative auditor, this auditor can add much value except when he/she engages in the mindless pursuit of perfection.

One such contracted auditor proudly told how his six-week audit resulted in 75 recommendations. The auditee was miffed because many were trivial items they already knew about and had even mentioned to the auditor. Senior management got the impression that the chief information officer (CIO) was not up to the job when, in fact, he was a talented and respected figure. The CAE shares the blame for not controlling the contracted auditor and not reviewing the draft report.

In the end, the report was put aside and not acted upon, and this auditor is unlikely to get another engagement at this company.

The Sociopath or “Gotcha” Auditor

Auditors have power in the form of largely unrestricted access to systems, data, senior management, physical facilities, etc., and their reports give them considerable influence. Such power is valuable when used intelligently and only when appropriate. However, there are those who take an aggressive attitude toward the auditee. In one example, the leader of the audit team shouted at an auditee, “If this is the best you can do, I’m not impressed.” Embarrassment (on the part of the auditor) followed, as did a complaint to the appropriate staff representatives and, through them, to the executive level.

The Conflicted

Engaging auditors from a specialist company for a specific task can provide the client organization unique skills and experience. At the same time, the specialist company would probably like to build a long-term relationship with the client organization and may be willing to be flexible just to get a foot in the door.

Is the specialist company’s offer of pro bono work or a project at a highly discounted daily rate a conflict of interest issue? It is when the end result is a contract spanning many years on the basis that a good working relationship has been built and the specialist company has gained a good insight into the business being audited.

Conflict of interest should be anathema in audit. It can take too many forms to discuss here, but examples include, “I could recommend an excellent consultant to help you with this,” or, “Since we are friends, I’ll leave this item out of the report.” The real problem arises when the auditors believe that their biased advice is unbiased.

The Professional Nice Guy

This type of auditor has a psychological need to be liked and will accommodate auditees’ wishes such as avoiding making them look bad. These individuals fail to recognize the difference between being liked and being respected, the latter being a far greater professional asset. They can play political games—the main difference from the proper political player, described in the next section, is a lack of courage. The professional nice guy does not have the wherewithal to stab someone in the back to ensure their downfall.

Ethical Dilemma

Every person lives by a set of values derived from culture and nurture. Betraying such values can become a source of deep unhappiness, and there may be times when an individual must face the ethical dilemma of doing what he/she feels is right while recognizing the consequences of doing so.

For example, in 2010 there was the internationally reported falling-out1 between the undersecretary general (UG) for the Office of Internal Oversight Services of the United Nations (UN) and its secretary general (SG) related to the UG’s end-of-assignment report.2 This report represented an unprecedented personal attack in which the UG accused the SG of undermining her efforts to increase accountability in the organization. It took courage to be so openly controversial and it inevitably marked the end of a notable career.

Other senior auditors whose values collided with those of their executives have been punished by being forced out of their organizations.

The Political Player

It is difficult not to consider this type of auditor unethical. In bad situations, they will compromise their values to get on with their careers by being helpful to someone with political influence and conspiring to bury controversial findings and observations.

The most skilled of them are able to change jobs frequently, sometimes from a client company to a provider of audit services and back, thus creating potential conflicts of interest and doing whatever it takes to grow their career, influence and remuneration. They are dangerous because they have no compunction about destroying someone if it fits their agenda.

Auditor Evaluation Forms: Do They Really Work?

Feedback is valuable when it is objective. The design of a form can influence responses: the questions asked and their wording may limit the possible answers (e.g., “good” or “needs improvement”) so that the results reflect what the CAE wants to hear. Many forms do not provide a space for free-text and/or anonymous comments.

When auditees must provide a name, title, etc., they are likely to be careful in their replies. There is no long-term benefit in alienating an internal auditor likely to come back in the future.

At the other extreme, there are web sites where individuals can comment anonymously and with a wide range of expression on hotels, cruises, restaurants, etc. While the open nature of these sites is great to consult when seeking certain services, in the corporate world, this approach could be problematic if it conflicts with organizational culture.

There is no right or wrong answer to this issue. Anonymous feedback can be unfair, and it can be abused for malice or to exact revenge.


Because nobody is perfect, it is possible that every auditor has some element of “badness.” The issues are whether they are conscious of it and whether it impacts their work and their relations with the auditees.

A previous column, “Auditor: About Yourself and How Others See You,”3 intended to make readers think about their individual degree of “good” and “bad.” A West African proverb is applicable in this context: “Not to know is bad. Not to wish to know is worse.”


1 Lynch, C.; “Departing UN Official Calls Ban’s Leadership ‘Deplorable’ in 50-page Memo,” The Washington Post, 20 July 2010
2 Ahlenius, Inga-Britt; “End of Assignment Report,” 14 July 2010
3 Gelbstein, E.; “Auditor: About Yourself and How Others See You,” ISACA Journal, vol. 2, 2015

Ed Gelbstein, Ph.D., 1940-2015, worked in IS/IT in the private and public sectors in various countries for more than 50 years. Gelbstein did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late ‘60s and early ‘70s, and managed projects of increasing size and complexity until the early 1990s. In the ‘90s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data communications provider. Following his (semi) retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. Thanks to his generous spirit and prolific writing, his column will continue to be published in the ISACA Journal posthumously.