From Your Auditor Friends: What We Wish Every Technology Leader Knew
Is your auditor out to get you? Knowing the truth behind common internal audit myths can help you navigate that tricky relationship and spark a strong partnership with your auditor.
We’ll explore some potential myths about auditors and determine what’s true and what’s not. We’ll also tackle the potentially daunting task of repairing your relationship with your auditor, so you can both move forward and enjoy the benefits of a strong partnership… or dare we say… friendship!
Full transcript
The complete talk, organized by section.
Host Intro (Gene Kim)
Thank you, Mick.
All right. Over the years, we asked this community about their top obstacles to things that they want to achieve. And almost every year, it is audit that strikes the most frustration, fear, and even dread. And I think it is because of the special power audit has to generate findings that are seen at the highest levels in the organization.
So last year, I was so happy that we had the Big Four audit panel, where we had representatives from each of the Big Four busting DevOps myths, who shared their convictions that DevOps is not only just auditable and possible in their audit clients, but they all believe it is actually necessary, because they all want their clients to still be around in 10 years.
Earlier this year in our London conference, one of my favorite sessions was from the audit team from Nationwide Insurance, the largest insurance mutual company. They gave some amazing and very specific advice to people who work with audit, and they shared very specific techniques on overcoming audit objections concerning separation of duties and change approvals.
So we will be replaying that session for you later in this conference, but because audit is something that every technology leader faces, I asked them if they would be willing to give a quick keynote session to give some more general advice for anyone who has been frustrated dealing with audit. And I am so excited that they said yes.
So presenting up next is Clarissa Lucas. She is an IT audit director at Nationwide Insurance after spending years in investments, finance, and credit. And presenting with her is Rusty Lewis, an IT auditor who joined Nationwide after spending years at PwC. They will continue to bust some commonly held beliefs about audit, some of which may genuinely surprise you.
Here is Clarissa and Rusty.
Clarissa Lucas
Hello, and welcome to today's session. I am Clarissa Lucas, and I am here with my colleague, Rusty Lewis. We are both internal auditors at Nationwide Insurance.
Oh, no. Not the auditors. What are they doing here? They do not care about DevOps or doing things differently. They like to stick to their checklists and do the same thing every year. They really enjoy writing us up for not segregating duties. I heard they even get paid by the finding. Gene, what were you thinking, inviting the auditors here to ruin our fun?
Do not worry. We have heard all of those things about our profession, ourselves, and our peers. And there are probably a few we have not yet heard either. We know we are not always sitting on the same side of the table, even though we do work for the same organization. At times, it might even seem like we are out to get you.
Rusty and I want to explore some of these ideas with you to see if they are truths or just myths. After all, we are auditors, and what we wish every technology leader knew are a few truths about us and how we can work well together. And if those things that I said earlier are how you really feel about your auditor, like they are more of an adversary than a trusted advisor, we will explore what that relationship could look like and how to influence getting there.
Here are some of the things that we have heard about auditors. My favorite one is that auditors get paid by the finding. I have been auditing for nearly 10 years. During those years, I have spent time as an intern, an audit staff, project manager, leader. You name it, I have done it. And I can tell you that my paycheck has never been impacted by the number of issues I have found.
I honestly prefer to deliver reports that are sparkling clean. Delivering good news, like your control environment is really solid, is definitely my preference over delivering a report full of issues. Of course, if the gaps are there, we do want to shed light on that so that they can get addressed, but we truly prefer that there not be any gaps at all. So I think it is safe to say that this myth is officially busted.
Rusty Lewis
Thanks, Clarissa. So to build a bit upon the first myth even more, some may also think that auditors are out to get you. But in all seriousness, we as auditors do not necessarily look any better just because we identify a control gap. Ultimately, we are trying to apply a fresh perspective.
Now, if you will humor me for a moment, I would like to use an analogy. My wife loves to paint. And so often she will spend hours trying to blend the right shade of color or capture that better sense of realism in a character or scenic background she is trying to portray. But once I have a chance to provide my perspective, someone who literally could not paint to save my life, I am able to quickly point out what she could not otherwise see, because she is so focused on that one area of the painting.
Similarly, that is exactly what we are hoping to do with our clients, with technology leaders. During an audit, provide a fresh perspective. Not with the hope or goal of catching something or saying, "We got you," but partnering with you and providing a different lens for the landscape you may be in the weeds in every single day, with the goal to address something before it becomes an issue. Or maybe help you identify industry best practices as it relates to mitigating a particular risk.
I think it is safe to say this myth has also been officially busted.
Clarissa Lucas
All right. The next comment that we will look into is that auditors just follow a checklist and do the same thing every year.
In full transparency, I have heard of auditors using a checklist for certain audits. Earlier in my career, some of my colleagues used checklists when auditing bank branches. On the other hand, let us flash forward to today. Our chief auditor is so passionate about not falling victim to this pitfall that he passed out yellow penalty flags for us to quite literally throw onto the field. We can litter our office with penalty flags if necessary, if we find ourselves doing or being asked to do the same thing that we did the last time we did that audit.
This is one, as a profession, that I think we need to keep working on. For now, it is unclear whether this will be our truth or just a thing of the past. We are definitely making progress, but we need your help. Help us by challenging what we are auditing. Ask us to explain our scope to you. Does it align with the risks that you are worried about? Does our testing approach seem reasonable? Are there ways we could improve our approach and add more value to you?
For now, I think we will mark this one as TBD, and we will keep working to bust this myth together.
Rusty Lewis
Now, the two items we have not yet explored are that auditors do not want their findings to be a surprise, and that we want to partner with you. And perhaps contrary to popular belief, these are both true.
During each of our audits, we strive to avoid surprises with our clients, because that ultimately will lead to more headaches and unnecessary contentious conversation. To accomplish this, we hold status meetings throughout each audit where we discuss potential findings as soon as they arise, rather than waiting until the end of the audit. This way, our clients know well in advance what to expect in the final audit report, and it also gives both sides a chance to discuss and better understand the gap identified.
No surprises. In order to avoid these surprises, it is critical that we develop a partnership with our clients. By collaborating with our clients and becoming partners rather than adversaries, we end up with a much stronger audit deliverable and provide more value to the organization. So both of these remaining items are confirmed truths.
Clarissa Lucas
And so to this point, we have clarified some common misconceptions, reinforced some truths, and pulled back the curtains a bit to show you where we have still got some work to do.
But now let us talk about your relationship with your auditor.
Rusty and I can both recount stories where we did not get along with our clients. It is awful for all parties involved. Repairing a fractured or bruised relationship between auditors and technology leaders can be challenging for sure, but let me tell you, it is totally worth it.
When we take the time to listen to each other's perspective and understand where the other side is coming from, it goes a long way in turning a battlefield into a partnership. Suddenly, our clients understand why we are concerned about something. They feel heard. Our final audit report is a much better product than it would be without our clients' partnership. The contents are clear to all readers, not just the auditors that wrote it, and our clients feel that it really helps them focus on things that matter to them, rather than adding a list of ticky-tacky things for them to do just because audit said so.
By the way, if you are doing anything just because the auditor said so, please connect with your auditors. Understand the risk behind the issue. We do not want you to do something just because we said so. We want you to do it because it is the right thing to do for the organization, and we want there to be buy-in on that from you.
Inherently, the relationship between auditors and technology leaders can be difficult. You are trying to meet the needs of your clients as quickly, safely, and efficiently as possible. We are trying to provide assurance to the audit committee. But those two do not have to be mutually exclusive.
If you want to move from adversaries to partners with your auditors, reach out to them. Catch up with them outside of an audit, and encourage them to do the same with you. Get to know them on a personal level. Bring them along for the ride. Teach them about what you do and why you do it. Tell them what is important about what you are doing. Tell them what you are worried about.
When it comes time for the audit, have your auditors provide you with updates along the way. Ask to talk about the findings as soon as they arise, rather than waiting until the end of the audit. Offer your insights on the risks. Challenge the auditors to explain those findings and the risks behind them. Help provide clarity where things are unclear. If the auditors are not seeing the whole picture, help them see it.
Another way you can partner with your auditor friends is to have them perform some consulting work. So in addition to your traditional audits that you may be used to, a lot of audit shops will do advisory services or consulting work. This is where we can come in when you are implementing a process and you are not sure what controls you want to put in place, and we can help give you the answers to the test before we come in and do an audit.
This will help convince management and upper leadership that you need to put these controls in place. It will provide support for that and might be able to give you some of the resources that you need to accomplish that. Even if we are performing our regular audits, our assurance audits, sometimes those findings, when we are all on the same page and we can all have buy-in on it, can help get you the resources you need to accomplish what you need to accomplish.
We want the partnership just as much as you do. Sometimes we might need some help bridging the gap.
Rusty Lewis
Now, as our presentation comes to a close, I will not go down the list of each myth we have busted or truth we have confirmed. But just a few key reminders that we hope you walk away from this presentation remembering.
The first of which is that we enjoy telling your leaders about the great things you do day in and day out, far more than we do telling them that there are problems requiring fixing. We also never want our audit reports to be a surprise. We want a strong partnership with you, the technology leaders of your organizations, and there is no way a relationship can move from strictly professional to personal without mutual trust. Help us to help you in becoming your trusted advisors.
On behalf of both Clarissa and I, we want to extend a very special thanks to each and every one of you that joined us today for our mini keynote presentation. We are tremendously grateful to have had the opportunity to present virtually at the London DevOps Summit earlier this summer, and a special thanks to Gene Kim and everyone at IT Revolution for allowing us to present again here at the Las Vegas DevOps Summit. As we noted in our other presentation, we do not want the conversation to end here. Our contact information is listed here, and we would encourage you to reach out directly via email with any questions you may have.
Thanks again. Stay safe, and enjoy the rest of the DevOps Summit.