- You have to interview experts, ask them for help understanding some items, and then explain to them why their processes and methods create risks that can harm the company.
Most people don’t like their work criticized; I don’t either. Most don’t appreciate it, even when you are really trying to help.
- You are often viewed as a messenger of bad news, instead of a professional who identifies risk and inefficiencies.
- The bad news you bear is usually due to people not following company policies, best practices, and in some cases, common sense.
- You are often told you are making a mountain out of a hill of soggy beans. Then your auditees check and double-check your facts. You had better have checked them first.
- The technical people in other departments tend to watch you like a hawk, waiting for you to make an error, so THEY can pounce on YOU.
That’s what I feared after I stumbled at work, an episode described in Mack Falls Prey to Phishing Email.
- You have to help non-technical people (usually management) understand how certain technology, or the way the company has implemented it, has greater risk than reward.
- When you’re ready to move to another department in the company, some people have a hard time forgetting all the risks you identified. They blame you for bringing to light the problems they either created, ignored, or both.
- Sometimes the findings you report result in people getting demoted, walked out the door, or sent to prison.
I described my experience with this in Internal Attacker Detected and Behind Locked Doors. While both of these experiences occurred when I was in the security department, I’ve seen IT audits that had similar effects.
- Keeping your independence means you have to keep your distance from some individuals in the company and can’t take advantage of the perks they can provide.
- When risks are ignored and they become public, everyone asks, “Where was internal audit?” instead of “Why did they ignore internal audit?”
Compare these reasons to my Top 10 Reasons to be an IT Auditor.
If you’re an IT auditor or were one, what were the toughest parts of your job?
What would you add to this list?