Audit Management Sometimes Sucks

see no evilWhen internal auditors (or those pretending to be such) do poor work and don’t follow the appropriate audit and IT standards, they are unprofessional. However, I put the blame at the feed of audit management.

This post is a result of a conversation that my fellow blogger from the UK, Audit Monkey, and I have been having. He commented on my previous post, I responded, and then he posted his thoughts on his own blog, and I responded there. This post is a slightly edited version of my response on his blog, to which I added some more comments.

My post that started it all is here:

Monkey’s blog is here:

Actually, we have been debating this in one form or another for a couple years.


Always Blame Management First!

If you will recall from any certification exams that you’ve taken (and from real life), management is always to blame for poor performance. In the case we are debating (my blog post in which I noted how you can get an IT audit job with little or no experience), I insisted that new, inexperienced, lazy, or just plan stupid auditors should be under what the IIA calls ‘audit supervision’.

(Train up a child in the way he should go, and when he is old, he will not depart from it. Hopefully!)

In other words, audit leads/managers/directors/CAE should be supervising, reviewing, and improving the work of IT auditors, whether they are experienced or not. Audit management is responsible for the work of their auditors.

If they shirk their duty, then the management over internal audit (administrative management and ultimately, the audit committee) is next in line for the responsibility.

Don’t Forget to Blame the Auditor Too

I am not absolving the stupidity and laziness of some auditors. They are responsible to follow standards and use common sense, and learn a heap of a lot of info quickly and apply it appropriately.

But management is responsible, as that is what they are paid the big bucks for.

Now, given the explosion of technology and how it touches almost everything a business does, Hence the need for massive amounts of good IT auditors.

Everyone Wore Diapers in the Beginning

As I like to remind you, my dear monkey, all of us were once new to bananas and needed to learn the ropes (you haven’t denied that yet!). While some people need more beatings and coaching than others, we all learn on the job to a great extent, as we know school and classes do not prepare you for the real world. Those ivory tower wizards only know so much, and usually they have little idea how to apply what they know to the business world.

Lawyers are Sometimes Helpful

I just don’t see any difference between auditors and their management’s failure to ensure good work and highway construction crews, or any other profession. All need some kind of supervision and when that doesn’t happen, then the lawyers bring them back to their senses.

I don’t see internal audit any differently. While we like to think we’re the gatekeepers of all efficiency, monetary integrity, and the like, we’re just another cog in the wheel. We also resist eating our own dog food while insisting everyone else take seconds.

So in the end, if your company has bad IT auditors, it’s your audit management’s fault, not the fault of the auditor wannabe who doesn’t have the knowledge, experience, or desire to do a good job. Audit management hired that person, and now it’s their job to supervise and train them. There’s always plenty of dog food to go around.

Now What?

That begs the question, what do I do if I’m under sucky management in internal audit (or any other profession, trade, or elsewhere)?

I might or might not write another post about that, although I certainly have years of experience in that area.

Almost everyone has worked under bad management, so I’ll let my readers respond…with suggestions, or their own horror stories.


Filed under Audit, Employment

7 responses to “Audit Management Sometimes Sucks

  1. Couldn’t agree more


  2. Pingback: Audit Management Sometimes Sucks – Cyber Security

  3. I think it depends on what audit supervisors are tasked with in addition to supervising front line auditors. I’ve been an IT Auditor for just over one year and I’ve learned a lot from my supervisor but I’ve come to learn that they are saddled with reporting, attending meetings, taking questions from business departments and whatever else our CAE throws their way on top of supervising someone like me.


    • Hi Tom,
      I’m trying to decide how much I agree with you. More than I’ll probably let on.

      On one hand, the audit directors and CAE can pile a lot of ‘saddles’ on audit supervisors, and it often flows downhill to their auditors.

      At the same time, the role of a supervisor, IMHO, is to supervise down (auditors) and up (management). Supervisors, managers, and directors sometimes need to protect their people from management; those who ALWAYS say, “sorry, but that’s what the boss wants” are not doing their job.

      Sure, sometimes we all have to suck it up and do stupid stuff, but that should not be everyday normal. A good supervisor / manager / director helps their management see the light on occasion. If a supervisor just protects their own carcass, they are not only hurting their direct reports, their boss (by not providing much needed perspective), and themselves (because they make those below and above them unhappy).

      A skilled supervisors knows when to suggest alternatives, when to fight, and when to comply.

      I am fed up with wimpy supervisors. “Yes-men’ don’t do anyone any good. If you don’t want to lead, don’t become a leader.

      Whew! I broke a sweat. But thanks for letting me get that off my chest. Not directed at you…

      Everyone: The next time your super does something super, make sure you tell them!


  4. Pingback: CISA #1 – How I passed my CISA exam – Kyle Bits

  5. Pingback: IIA Analytics Article Dead Wrong | ITauditSecurity

  6. Melanie Thompson

    great and helpful piece of info.


Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.