If you’re an IT auditor, how do you describe your job to those who don’t understand technology or auditing? Even more interesting, how do others describe your activities?
Here’s what I say, but I’m not satisfied with it:
I review computer systems and networks to determine whether they are secure and whether access to those systems is limited to the appropriate people.
I review the policies and procedures that describe how those systems are used and determine whether those documents make sense, are up-to-date, and are followed.
I also determine whether business processes meet the requirements of government regulations.
Of course, that’s far from complete, rather dry, and boring. If you’re an IT auditor, what do you tell people, and what reaction do you get?
Usually, the person I’m talking to changes the subject quickly. Once in a while, they ask me about security or how to deal with a problem they’re having on their home network.
Let me know how you handle this… You’ve got to have a better way of putting it.
Here’s what I’d like to say:
I ask IT staff and management questions for which I often already know the answers. I then obtain screenshots and other evidence to prove they’re really lying or incredibly naive.
I help overly confident techies understand that they sometimes make mistakes, are lazier than they’re willing to admit, and that a couple of ways exist to sneak a peek at data they insisted was secure.
In addition, I help IT identify time-consuming practices that they don’t need and that don’t mitigate any risk.
Finally, I help IT get funding for projects they really need to implement because IT can’t figure out how to put the problem in business language that even a CFO can understand.
What words would you LIKE to use when explaining your worth to others?
Here’s how IT would probably describe my job:
An IT auditor asks questions about systems he doesn’t understand while hoping he’ll find something he can use to pin my backside to the wall.
He criticizes our department for not creating procedures for things we don’t care about and seldom do. He keeps me from doing my real job and the things I could do to earn an extra bonus.
Overall, he spends a lot of time describing all our faults in the worst possible light, forgetting that after dealing with all the daily demands, I go home only to get called back into work in the wee hours of the morning to solve one crisis* after another.
* Which, of course, are often caused by items documented in previous audits year after year, which IT management and senior management have ignored.
Okay, I know that was snarky. I’ve met a lot of good IT people out there who really know what they are doing, why, and do it well. Many of them really appreciate what internal audit provides them.
So what’s your experience? Leave me a comment.