When internal auditors (or those pretending to be such) do poor work and don’t follow the appropriate audit and IT standards, they are unprofessional. However, I put the blame at the feed of audit management.
This post is a result of a conversation that my fellow blogger from the UK, Audit Monkey, and I have been having. He commented on my previous post, I responded, and then he posted his thoughts on his own blog, and I responded there. This post is a slightly edited version of my response on his blog, to which I added some additional comments.
My post that started it all is here: https://itauditsecurity.wordpress.com/2017/03/21/how-to-get-an-it-audit-job-with-little-or-no-experience/
Monkey’s blog is here: https://auditmonkey.wordpress.com/2017/04/09/audit-professionals/
Actually, we have been debating this in one form or another for a couple years.
Always Blame Management First!
If you will recall from any certification exams that you’ve taken (and from real life), management is always to blame for poor performance. In the case we are debating (my blog post in which I noted how you can get an IT audit job with little or no experience), I insisted that new, inexperienced, lazy, or just plan stupid auditors should be under what the IIA calls ‘audit supervision’.
(Train up a child in the way he should go, and when he is old, he will not depart from it. Hopefully!)
In other words, audit leads/managers/directors/CAE should be supervising, reviewing, and improving the work of IT auditors, whether they are experienced or not. Audit management is responsible for the work of their auditors.
If they shirk their duty, then the management over internal audit (administrative management and ultimately, the audit committee) is next in line for the responsibility.
Don’t Forget to Blame the Auditor Too
I am not absolving the stupidity and laziness of some auditors. They are responsible to follow standards and use common sense, and learn a heap of a lot of info quickly and apply it appropriately.
But management is responsible, as that is what they are paid the big bucks for.
Now, given the explosion of technology and how it touches almost everything a business does, Hence the need for massive amounts of good IT auditors.
Everyone Wore Diapers in the Beginning
As I like to remind you, my dear monkey, all of us were once new to bananas and needed to learn the ropes (you haven’t denied that yet!). While some people need more beatings and coaching than others, we all learn on the job to a great extent, as we know school and classes do not prepare you for the real world. Those ivory tower wizards only know so much, and usually they have little idea how to apply what they know to the business world.
Lawyers are Sometimes Helpful
I just don’t see any difference between auditors and their management’s failure to ensure good work and highway construction crews, or any other profession. All need some kind of supervision and when that doesn’t happen, then the lawyers bring them back to their senses.
I don’t see internal audit any differently. While we like to think we’re the gatekeepers of all efficiency, monetary integrity, and the like, we’re just another cog in the wheel. We also resist eating our own dog food while insisting everyone else take seconds.
So in the end, if your company has bad IT auditors, it’s your audit management’s fault, not the fault of the auditor wannabe who doesn’t have the knowledge, experience, or desire to do a good job. Audit management hired that person, and now it’s their job to supervise and train them. There’s always plenty of dog food to go around.
That begs the question, what do I do if I’m under sucky management in internal audit (or any other profession, trade, or elsewhere)?
I might or might not write another post about that, although I certainly have years of experience in that area.
Almost everyone has worked under bad management, so I’ll let my readers respond…with suggestions, or their own horror stories.