Previously I’ve discussed why auditors are hated and how auditors can be lovable. But when I saw a Q & A in the ISACA journal about hating auditors, I had to dive in again. Here’s the gist of the article, with my comments in italics. Although there’s some similarity to the posts I’ve mentioned above, they take a slightly different tack through the audit seas.
Auditors that do the following are “hated”…
- Choose the wrong areas to audit, not based on risk.
Keep in mind, that like the answer to every certification exam question re: who’s ultimately responsible, it’s management, not auditors. However, some auditors do stray from the path laid by management a bit too far into mundane areas. Audits are painful enough due to the time they can take, so before you go back to the trough for the 13th time, make sure it’s meaningful.
- Use unstructured/undefined approaches to audits, including risk ranking and reporting.
Few things irriate auditees than treating issue X one way the first year and totally different the next year, with no rationale behind it.
- Getting emotional about findings instead of relying on facts and figures.
Be passionate about how you can help, not how all the findings will toot your horn and help you with your next promotion. Everyone has an opinion, but what your auditee needs is your expertise, but only if it’s tempered with objectivity.
- Present audit reports that try to impress the audience with big words and the importance of the audit rather than the impact of the findings.
You’ve already used a lot of their time gathering and understanding the data. Audit reports are your chance to say, “Good job, everything’s okay” or “Here’s the items that need improvement, and here’s why this audit was critical to improving your operations”. Don’t waste your time pumping things up and their time in having to read your drivel. Remember, while you’re mostly done once the report is issued, auditees still have to spend more time fixing the issues. Make it as painless as possible.
- Don’t give auditees adequate time to respond to findings.
Weekly status reports that communicate findings, even if they are preliminary, can save both sides a lot of time. Otherwise you run the risk of doing a lot of last minute changes based on new data that you would have received earlier if you’d communicated the findings in writing early on.
Read Gan Subramaniam’s Q & A here, which doesn’t require an ISACA membership. Look on the far right of the page.
Also check out my earlier posts: