If your department doesn’t track metrics on your analytics, you are probably not doing analytics or you are making little progress in analytics.
In either case, it’s obvious that analytics isn’t very important to your management.
Which is one of the points I made in my post, 10 Signs Mgmt Doesn’t Really Support Analytics.
So far, I have encountered very few audit departments that track meaningful metrics about their analytics.
Counting the number of projects that include analytics isn’t enough.
When you evaluate the risk of a vulnerability, do you do it in the dark?
Or do you take into account other factors that might affect the risk?
What if one of the factors is an existing audit issue that has not been remediated?
It’s getting to the point where some audit directors are saying, “No bad audit reports allowed.” In other words, don’t shoot the messenger, just the message. What follows is an experience from one of my audit colleagues…
First, a couple “I know” statements…I know auditors are supposed to be helpful and friendly. I know auditors are supposed to add value. I know auditors need to be careful about giving only bad news; we should also note in our report what the auditee is doing right (if anything). I know that it’s hard for auditees to get hammered again and again by audit reports.
Blogs are clamoring for proof that Osama Bin Laden is dead–show us the photos! However, I do not think Osama death photos are needed, at least not to prove he’s dead. I also think that keeping this event in mind can help move your audits along. Let me explain.
A while back, I noted some reasons why people hate auditors. Well, you can hop those hurdles, and be an auditor that people love or at least respect. Here’s how:
A colleague of mine is doing some testing for an audit director who changes her mind frequently on how to deal with audit findings. Occasionally, she is all about nailing control owners who do not have all their ducks groomed and in a row. At other times, she pushes Audit to work as hard as possible to pass all controls.
Yesterday was one of those days where the clock just spins, you get a lot done, and nothing out of the ordinary occurs. You have some meetings, dig into the data, and identify a finding, do a little more research, and fire off an email to get an explanation from the control owner.