Good auditor or bad auditor – which are you?
Updated from the original published on July 5, 2010
All auditors expect clients to question their usefulness. Many auditors question their own usefulness. Most would accept that their impact on an organisation is generally quiet and incremental, rather than dramatic. Most of all, when you’ve been doing – or putting up with – a lengthy audit, only to find there are no recommendations that management are not already aware of, you have to ask whether it’s time well spent.
Time then to remember what auditors are here to do:
Ensure that risks are adequately managed to allow the organisation’s objectives to be achieved
Report to management and the board where risks are not adequately managed
Ensure actions agreed by management are appropriate, are implemented effectively, and actually address the risk
Demonstrate the value of audit and effective risk management
Provide solutions that support the achievement of organisational goals
Provide an independent view and challenge
Identify over-control or ineffective controls that offer an opportunity for improving efficiency
Identify objective, evidenced findings – and proportionate recommendations
Always say “what’s the risk” before doing anything
Enjoy work (no, seriously!)
And what auditors are not here to do:
Create tick-lists and go through them with interviewees
Tell management what they already know
Record findings ‘for the sake of it’ or where the risk does not justify better control
Ignore risk areas because management don’t want them looked at
Come up with unworkable, inefficient or bureaucratic solutions
Make subjective decisions or ‘hold people to account’
Make life difficult for management
Waste people’s time with unnecessary queries
Ignore things because you don’t understand them
Be a policeman
How do these values reflect your role or understanding? Help others considering a career in IT audit and cyber security assurance by sharing in the comments below.