During a particularly challenging audit a few years ago, I thumbed through my dog-eared copy of Sun Tzu's The Art of War. As I read, something clicked. The struggles we face as auditors today aren't so different from the challenges Sun Tzu wrote about 2,000 years ago.
Let me share what I've learned from combining ancient wisdom with 20 years of audit experience.
Start with the Basics
Years ago, I watched a colleague dive into a supply chain audit without proper preparation. It was a disaster. The chief supply chain officer grew frustrated with repeated requests for information, and the audit team spent weeks chasing its tails. Sun Tzu would have shaken his head—he knew victory comes from groundwork.
I've found that successful audits need three things up front: clear purpose, good timing, and deep understanding. Let me give you an example. When auditing a regional branch, we delayed our start by two months to align with their system upgrade. That simple decision saved countless hours and earned management's trust.
Smart Use of Resources
"Supreme excellence consists in breaking the enemy's resistance without fighting," Sun Tzu wrote. In audit terms, I've learned this means working smarter, not harder.
Here's a real-world example: Instead of demanding staff drop everything for audit requests at a manufacturing site, we plugged into their morning meetings. We got better information, and they didn't resent our presence. Win-win.
Technology helps, too. Some years ago, for an audit of a trading company, we used data analytics to review years of transactions in hours instead of weeks. But remember—tools are just tools. They can't replace sound judgment and human insight.
Build Bridges, Not Walls
The worst auditors I know act like police officers looking for violations. The best ones? They're more like trusted advisors.
After repeated cyber incidents in a subsidiary of my then-employer, the CIO requested that my team conduct a thorough investigation. We found they threw money at the problem—stacking tools, hiring consultants, and overextending their IT team. Despite their efforts, vulnerabilities persisted. Our investigation uncovered a lack of asset management practices, multiple endpoint protection solutions when one would suffice, many human errors, a lack of incident tracking, and missing metrics and accountability.
Instead of writing a scathing report, we worked with management to fix the problems before they became crises. The solution: prioritize the crown jewels, streamline the toolset, empower employees, outsource where necessary, adopt and track clear metrics, and increase accountability by making cybersecurity a business risk. The CIO later told us it was the most valuable audit they'd ever had.
Reading the Terrain
Sun Tzu emphasized knowing your terrain. In our world, that means understanding both the business and its people. I once called off an audit because I noticed the auditee department was going through a significant restructuring. Wrong timing would have wasted everyone's time. We returned three months later and completed the work in half the expected time.
Adapting to Reality
Plans are great, but things change. A routine IT audit uncovered potential fraud a few years ago, so we had to shift gears completely. Sun Tzu would have approved—he knew the importance of adapting to changing circumstances.
Getting the Message Across
The finest analysis means nothing if no one understands it. I learned this lesson the hard way early in my career when my technically perfect audit report put the business leaders to sleep. Now, I focus on telling the story behind the findings to get the business executives' buy-in. Money talks—ask any CFO watching the bottom line. Legal is sweating over potential lawsuits down the hall while the marketing folks guard our reputation like a precious family heirloom.
What are the real risks? What keeps management up at night? What practical steps can improve things?
Looking Forward
After twenty years in audit, I'm convinced our role is changing. We're no longer just checking boxes and finding faults. Like Sun Tzu's generals, we need to think strategically, adapt quickly, and add real value.
A few years ago, a CFO told me something that stuck with me: "You guys don't just show us what's wrong; you help us get better." That's what modern auditing should be about. Sun Tzu would probably agree.
Final Thoughts
The principles that helped ancient Chinese generals win battles can help us deliver better audits today. But remember – these aren't just theoretical concepts. They're practical tools that work in the real world. I've seen them transform troubled audits into successes, turning skeptical clients into strong supporters.
The key is applying this wisdom thoughtfully, not mechanically. Every organization is different, and every audit brings new challenges. Our job is to learn from the past while staying flexible enough to handle whatever comes next.
