As an auditor, I’ve been accused many times of looking for trouble. I have to admit that it’s true, because that’s my job. But too often, trouble comes looking for me. Sure it makes my job easier, but it also makes me scratch my head.
When I was in IT operations, before I got into security and audit, I was always thorough and followed common sense and company policy. However, any projects that I was doing that might draw the eyes of either of those departments, I double-checked prior to delivery. Most bosses don’t like surprises, and I was always a details guy. Besides, why poke the bear?
So it always surprises me, now that I’m an auditor, when I am the recipient of a rushed or poorly done project, or an honest mistake that should have been caught if proper procedures were followed.
At one company where I was an internal auditor, I experienced the following events in a 6-month period:
- My voice mail box on my office phone would not accept messages (not a good way to welcome an auditor to your company).
- The same problem occurred on my new smart phone. Two separate phones, two separate voice mailboxes missing (is Telecom trying to tell me something?)
- Although the server I requested was promptly put in the data center and made available for me (I was going to load and configure some audit software for our department), the server was not up-to-date on its patches. It had the latest service pack, but was missing the 53 critical updates issued after the service pack.
- When I requested temporary admin access to all the audit department laptops to load client software (the companion to the audit server software), the help desk techie told me that he would just add me to the MIS admin group, an admin group created when a laptop is deployed. “Much faster, easier, and cleaner,” he said.
I asked, “Wouldn’t that give me access to everyone’s laptop?”
“Yes,” he replied, obviously irritated with such a stupid question.
“Why would you give me access that I don’t need? I only need access to 5 laptops,” I said. “I don’t need and should not be given access to all.”
“Suit yourself,” he said. “I’ll have it done in 5 minutes.”
- The laptops in my department were not up-to-date on patches. The oldest one had not been updated in 2 years. I was expecting this as I had already noticed that automatic updates were not configured on the laptop I had received on arrival.
- After I took my first vacation, I noticed that my paycheck did not correctly reflect my vacation pay (this company split out regular pay from vacation pay, sick pay, etc., on your pay advice). A quick phone call revealed that a payroll intern had goofed up and the person checking her work did not catch it.
These types of mistakes are unfortunate, but tweaking an auditor’s pay, whether he’s a financial auditor or not, usually receives rapid attention. Even IT auditors love to find financial issues (mostly to tease their financial counterparts by beating them to the punch).
As I mentioned, it always surprises me when these things roll across my desk, as I am not going to look the other way. On the other hand, it’s better than I’m not treated any differently, because that would only prolong the problem.
If you have a similar story to share, I’m all ears.