It’s getting to the point where some audit directors are saying, “No bad audit reports allowed.” In other words, don’t shoot the messenger, just the message. What follows is an experience from one of my audit colleagues…
First, a couple “I know” statements…I know auditors are supposed to be helpful and friendly. I know auditors are supposed to add value. I know auditors need to be careful about giving only bad news; we should also note in our report what the auditee is doing right (if anything). I know that it’s hard for auditees to get hammered again and again by audit reports.
However, when you audit an area for the first time (e.g., a new technology that was deployed), it usually results in a few more audit issues than normal–and while it’s expected, nobody likes it, even auditors. Because the more issues you have, the more meetings are required to ensure the facts and conclusions are correct and that you’ve assigned the appropriate risk to each issue. And then more meetings so the VPs can weigh in…
In this particular audit, not only a few more audit issues were identified, but lots more than normal. When testing was completed, the dance began: how does IT and audit keep this from being a really bad report, the kind that gets executive VP and audit committee visibility?
The opening attack involves the suggestion to roll several issues into a larger issue, which reduces the total amount of risk assigned–instead of having 4 high-risk issues, you have only 1. The problem is, you can only swallow that so many times, and often, the issue owners are different. When that fails, then the challenging of each issue begins. But when you have this many issues, even reducing the risk level by one doesn’t work (level 5, which is very high, to level 4, high).
Then comes another tactic, which goes like this: Some of these issues are the fault of other technology, not the technology being audited. For example, some software uses code that is licensed from other companies, and THAT code caused the vulnerability or doesn’t allow the recommended configuration, so the audited technology shouldn’t be “charged” with the issues–those issues should be issued under a separate audit report. You’re supposed to ignore the fact that your company included the vulnerable code from the other company in their software.
All of a sudden, you have a manageable (read “swallow-able”) amount of risk because some of the risk was removed and given it to your “little brother”. Oh, the fact that the same VPs own the risk in both audit reports is besides the point. Does that remind you of anything? What was 1 transaction is now 2, and both are below the threshold, so it slides by with much less notice. VPs are happier, managers have less explaining to do, and the audit committee is none the wiser. And IT none the safer.
Ah, but the game was played well, the score is tied, and both lived until the next audit. But that’s what happens when you manage risk levels instead of risk.
What are your experiences?
ITauditSecurity 
This is a pure case of a good auditor bringing good issues to the table but once reported to a level up, these same ‘good issues’ lose their value because they are too dangerous to be good. They can get people in trouble. Audit identifies an issue and get an upper hand on the auditees and then you have the auditees visiting the CIA’s office over and over until the final (sanitized) report is issued.
This is based on personal experience.
It almost makes you think that why audit a certain area if the findings are going to be customized.
LikeLike
Yes, coffeeking, your last statement was the same conclusion that my colleague arrived at. Actually, I think that is the point, at least in some minds.
Audit executives that can’t defend their findings are either wasting company time and money digging up unimportant issues (poor audit supervision) or don’t see the value in their department’s work (no vision). Either way, it reflects poorly on the chief audit executive.
LikeLike
I stopped reading this post half way through. You shouldn’t be trying to bend what you find, e.g. rolling four points into one, or be pretend that it’s the technology that is at fault. Reading the scenario, someone has purchased an incompatible system. You should be reporting what you find and tell it how it is, otherwise you are compromising your integrity as an auditor. Remember the auditee doesn’t give a hoot about you but their own sorry arse. Why should you worry about theirs?
LikeLike
As I mentioned, this is a colleagues’ experience. Perhaps it was unclear that IT was doing the pushing, not the auditor; IT was making the suggestions and putting on the pressure, and the audit director did not stand firm.
The software issue was an example; it was not the issue in this audit. My colleague did not feel comfortable identifying the real issue.
LikeLike
Irrespective of whose experience it is, it sounds like a right balls up or lack of balls up!
LikeLike
AuditMonkey, if you are speaking of the audit director, I agree with you.
However, based on your previous post, I got the impression you are talking about the auditor. If so, are you saying you’ve never encountered anything like this? You’ve never had an audit director tell you change a risk level or drop an issue entirely for reason X or Y, even when you voiced your opinion? So after voicing your opinion and being ignored by the audit director, what do you propose my colleague do? Call the internal fraud hotline? Email the audit committee? Call the newspapers? Raise the queen? Quit?
LikeLike
I think it doesn’t matter whether it is the Audit Director or Auditor. If it’s a bad report, it’s a bad report. If it’s a good report, it’s a good report.
As for being asked to drop items, this boils down to experience; you don’t throw in everything including the kitchen sink. I’ve had Audit Directors consolidate findings, The deeper issue, whether items are being ‘lost’ or ‘suppressed’ is different. This suggests a lack of objectivity on behalf of the Audit Director.
The deeper questions whether to have a ‘discussion’ about it depends on two things; one, whether the issue is worth arguing about, a low versus high finding, second, whether you are in control of the situation.
With reference to the latter, a situation I encountered with regard to a new Head of Audit who wanted reports written his way and discussed his way. I could see that redundancy for me was looming large. Nor was I prepared to kowtow to the Head of Audit being he was an imbecile. So to avoid a lot of unnecessary agro, I went with the flow.
Of course, the third issue is that alot of Heads of Audit to my mind are weak and are prepared to kowtow to get their job and keep it. Do they exercise real challenge to the Board or Senior Management? Probably not. However, as long as I document my work, perform it to a competent standard and highlight the issues (irrespective of whether they make the final audit report) I can go home with a clean conscience.
PS Please read my blog posts, I’ve started blogging again!
LikeLike
Well said, Audit Monkey. I cannot add nor detract.
LikeLike
Reading my previous post back, the grammar wasn’t the best. Also, I think the following line should have read “alot of Heads of Audit to my mind, are weak and are prepared to capitulate…”
ITauditSecurity: Fixed, I think…
LikeLike
Taken as a whole, I get what you are saying. However, there are two sides to every story. The road is littered with auditors who seemingly WANT to issue negatively-toned reports and blast certain individuals of their organizations. IIA standard 1100 about Objectivity cuts both ways. Auditors shouldn’t rosy up a report to avoid bringing forth bad news. But neither should auditors go out of their way to unnecessarily punish individuals and organizational units because they view their function as one charged with “delivering the bad news”.
LikeLike
Rats, I just realized I misspelled “their” as “there”. Too late to edit. Please don’t vilify me in an audit report. :-)
LikeLike
No problem. I fixed it. We’ll all friends here. Everyone feel free to point out my typos and miscellaneous brain leaks.
Keep in mind in this case, it was the audit director that was steering the boat with a heavy hand, not the auditor.
Some might consider it fun to find issues, but in reality I think it’s just fun to add value and/or protect the organization. Also, most auditees don’t realize all the extra work it means for auditors and their management for each issue that is identified.
LikeLike
Chase makes an interesting point. Believe it, or believe it not, I try to be as even handed as possible in my audits and don’t engage in ‘witch hunts’. The truth to be told, life is easier if you don’t drudge up pointless audit findings. I actually think alot of audit findings can be jettisoned as they add very little. However, I’m often castigated as I wish to ‘pen off’ certain findings but some auditors think the kitchen sink should be thrown in.
Sadly, though as Chase touches upon, one Head of Audit I worked for suggested that to promote your own career you need to sabotage the career of another. Needless to say, this isn’t a credo I subscribe to.
LikeLike
Agreed. Especially if you want to move to another area in the organization. You want to be known as a person who does his job, but is fair. Bringing up needless issues or pointing fingers at people instead of the process or technology is not the way to go (yes, sometimes it is people, but I’ve found if you stick to the problems you find, management will figure out when the people are the main problem).
LikeLike