More on Hating Auditors

Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again.  Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.

Auditors that do the following are “hated”…

  • Choose the wrong areas to audit, not based on risk.

Keep in mind, that like the answer to every certification exam question re: who’s ultimately responsible, it’s management, not auditors.  However, some auditors do stray from the path laid by management a bit too far into mundane areas. Audits are painful enough due to the time they can take, so before you go back to the trough for the 13th time, make sure it’s meaningful.

  • Use unstructured/undefined approaches to audits, including risk ranking and reporting.

Few things irriate auditees than treating issue X one way the first year and totally different the next year, with no rationale behind it.

  • Getting emotional about findings instead of relying on facts and figures.

Be passionate about how you can help, not how all the findings will toot your horn and help you with your next promotion. Everyone has an opinion, but what your auditee needs is your expertise, but only if it’s tempered with objectivity.

  • Present audit reports that try to impress the audience with big words and the importance of the audit rather than the impact of the findings.

You’ve already used a lot of their time gathering and understanding the data. Audit reports are your chance to say, “Good job, everything’s okay” or “Here’s the items that need improvement, and here’s why this audit was critical to improving your operations”. Don’t waste your time pumping things up and their time in having to read your drivel.  Remember, while you’re mostly done once the report is issued, auditees still have to spend more time fixing the issues. Make it as painless as possible.

  • Don’t give auditees adequate time to respond to findings.

Weekly status reports that communicate findings, even if they are preliminary, can save both sides a lot of time. Otherwise you run the risk of doing a lot of last minute changes based on new data that you would have received earlier if you’d communicated the findings in writing early on.

Read Gan Subramaniam’s Q & A here, which doesn’t require an ISACA membership.  Look on the far right of the page.

Also check out my earlier posts:

Why Hate Auditors?

Top 10 Ways to be a Lovable Auditor

IIA Basics for Auditors

How to Pass Certification Exams

Where is the IS in CISA?

Audit Links



Filed under Audit

4 responses to “More on Hating Auditors

  1. coffeeking

    couldn’t agree more.


  2. TT

    I am studying CISA. This post helps me understand IT auditing in real world. Thank you.


  3. TT,
    Not all companies hate auditors..I’ve worked in 2 companies that appreciate them and ask for their help.

    On the other hand, you can’t blame people for distancing themselves from those whose job is to weed out fraud, corruption, poor thinking, honest mistakes, and laziness.

    It’s how you weed that out and treat those who you turn the spotlight on that counts. See my post, Top 10 Ways to be a Lovable Auditor.

    Thanks for commenting.


  4. Pingback: New IT Auditors Should Start Here | ITauditSecurity

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.