Topo Pal & Norman Marks (Las Vegas 2022)
An exclusive interview from DevOps Enterprise Summit Las Vegas 2022.
Full transcript
The complete talk — auto-generated from the talk's captions.
Welcome. This is an interesting topic for all of us in the DevOps community. So, Norman, thank you very much for doing this for us. I know that you had a session with Gene Kim on the main stage.

I was there and I was like, okay, this is music to my ears. So as a part of this, I would like to ask you some basic, almost stupid questions, if you will.

There's no such thing as a stupid question, right?

And purely from a developer perspective, you know, with regards to DevOps and all that. So I'm basically a developer and I want to know what auditors do in an enterprise.

Well, very good. That's a very good question. And of course there's no canned answer. What internal auditors are supposed to be doing is helping those in leadership with assurance that the systems, the processes, the organization, the controls, the technology are working the way they should, the way in which they're relying upon to run the business effectively.
So there are different aspects of that. We talk about providing assurance; that's the first part. And the way I describe this is to imagine you're a parent and your young child comes running into your bedroom in the middle of the night and says, mommy, daddy, I'm scared, there's a monster under my bed. And of course you get up and you go with your child and you show him there's no monster under the bed.
You're providing them assurance so they can sleep well at night. That is assurance, right? That is telling them that yes, things are actually working right. And of course, if there really is a monster under the bed, then you help that child get rid of the monster, because you're actually helping, in this case, the organization eliminate any issues and problems by talking to them and sharing and agreeing upon the best solution.
Right? So the first part is the assurance. Then we also talk about advice and insight. So there's advice in terms of, there may be a better way to do this.
One of the concerns I've had as an internal auditor and writer, blogger about internal auditing, and in fact about organizations in general, is that they don't know how to use new technology. They understand in theory that there's new technology out there, but they don't know how to apply it in their business.
They don't know how to tailor it and make the best use of it in their business. So this is actually something that I've been pushing. So basically you've got the advice side. How can we do this process better?
How can we implement these controls better? Even, for example, using AI, advanced analytics, to replace some of the manual processes or even old technology and to do things more efficiently, more effectively. So there's the advice, and the last part, after assurance and advice, is insight.
And that is, just like any professional, we have the ability to rely upon and fall back on our experience and our intelligence. Because we are not part of the management team, we can be totally objective about what we see, and share that with management so they can understand. And sometimes, and this is one of the things that I'm pushing internal auditors to do,
and some of them would do it reluctantly, which is to share perspectives and thoughts even if they can't prove it. And I come back to, there was one situation I had at one of my companies where by accident, they didn't do this deliberately, instead of sending an invoice for I think $20,000, they sent an invoice for two and a half billion. That's a mistake.
And it could have had some really dramatic consequences in terms of upsetting our partner and their willingness to do business with us. And what I found was that it came down to one vice president in finance that didn't trust his people and didn't know how to delegate, didn't know how, frankly, to manage a team. Could I prove that? No, but this was insight that I then shared with his boss and the CEO of the division.
I said, I can't prove it, but this is what I think, this is what I'm hearing from his team. This is my judgment. I'm not going to put this in the audit report. Right.
Because he can't. Right, right. And when I talked to them about it, they said, you know, we were thinking about that as well, and what you have done is you have confirmed to us something we were thinking all the time. And so there's a role for that.
And when it comes to things like DevOps, the internal auditor can help the organization move more efficiently and embrace the concepts involved in DevOps, and at the same time provide a little bit more skeptical view on whether they are taking too much of a risk, moving too fast, moving too slow, and whether they're actually going to be successful in this, whether there are some obstacles, perhaps some user departments are not on board, and they can run interference. They can be that partner with you. So it's basically there to help you succeed.

That's very helpful. I do have two follow-up questions on that.
So you mentioned internal audit. So as a developer, immediately I think, then who is the external auditor and what do they do?

The external auditor, in the United States, it's different around the world, but in the United States and most of the world, the primary focus is to provide an opinion as to whether the financial statements that are filed with the regulators, in the United States the SEC, reflect materially correct results and financial condition of the organization.
But in order to do that, they will sometimes need to confirm that the controls and processes and the systems, the technology that the company is relying upon to produce those financial statements, are in fact doing so well. Now, if they're smart, they work with the internal audit function so there's no duplication, but sometimes they're not so smart and they want to do things themselves. And so one of the challenges for all of us is to avoid duplication of effort there.
But that's the difference in the role. The external auditors are totally independent of the company; they're paid for and work for the board. And they're there to provide an independent opinion on the financial statements. Whereas internal audit is looking at all the operations of the organization, all the areas where something could go wrong, where something needs to go right, for the company as a whole to be successful.

Got it. So the second question, based on your original response, is around that monster under the bed. Yes.
In that animation, you have a monster under the bed. I'm sorry to hear that. Yeah. The immediate question that comes to my mind is that most of the time when a monster is found, the developers are, quote unquote, dinged for that monster, as if we got the monster in. Now, is there a way to present that in a manner that it does not become a fault of the development team, or whoever it is, or is it just treated as a monster that somehow got in?

There are multiple behaviors that can be changed.
So for example, here's an example of bad behavior. My team did an audit in Malaysia, and one of my team found that individuals had the ability in the system to set up a new vendor, raise a purchase order, approve an invoice, and get it paid.
Not a good situation. Very, very easy for somebody with that combination of access to commit fraud. This lady auditor, a very smart person, met with the application support manager, who said, no, that can't happen, that can't be, and just refused to admit that the world was not flat. And so I encouraged her to escalate that to the CIO for Asia.
And she had a meeting with the CIO, a gentleman I'm still in touch with years later. In fact, I sent him a message just yesterday. And in that meeting with the CIO, and again with the application support manager, the manager now changed her tune a little bit and said, there's no risk, because we don't tell anybody they have all that access.
So if you're going to lie, if you're going to hide things from your internal audit, you're going to get dinged.
And sometimes you're so afraid of getting dinged that you refuse to acknowledge that there's a problem. So there's that, hiding things.
The other thing is not allowing them to come in. Years ago, the bank that I was in was doing some very significant, major upgrades to its ATM systems.
And I and my team wanted to be involved as advisors and help them understand whether the controls in the new system were going to be effective, whether they had the right ones or whether they were working well with the users, who were not included in the discussions on an ongoing basis. They reviewed the requirements document and then they went away while the developers got on with their work. So we were there trying to do that, and the IT managers said, you're not welcome in our meeting, because people will not be open if you're there.
And I put my foot down and said, we have to be there, give us a chance. And we went into the meetings, we contributed, we were silent when we didn't have anything positive, constructive to say.
And it became just routine. And if you recognize that the internal auditor can actually help you by providing that objective, challenging when it needs to be, questioning of what you're doing, and maybe even suggesting there's a different way of doing things based upon places they've been,
systems and experiences that they've gone through, they can be your help. But if you want to shut them out, they're not going to be able to help. I strongly encourage you to sit with them, sit with the auditor, the external auditor, the manager, the vice president, the internal auditor, and explain what you're trying to do and why it's helpful, and then ask for their help. Explain to them where your challenges are.
So, for example, I've seen this where the applications people couldn't get the systems people to attend the meetings.
So the internal auditor then goes to the CIO and says, this is a problem.
I've seen it where the user manager won't allow the technical specialist on that system from the user department to get involved because they're too busy, so the auditor can go to management and get that changed.
So there's an awful lot that the auditor can do to help you, but you've got to give them a chance. But also make sure you understand what their end product is going to be. Now, if you've got a good one, their end product is going to be a report to you as the leader of the project. But in those situations where they feel that they need to report to management and the board, make sure you understand and work with them to make sure it's presented and communicated objectively and fairly.
Thank you. The last question is, you know, this whole DevOps movement has been going on for 10-plus years now. For us, people who latched onto it early on, we faced a lot of trouble in big enterprises convincing the auditors that, hey, this is good, this is software and all that.
A lot of things have changed since then. Do you see overall there's much more acceptance of DevOps in the audit community? Or was there even a pushback to start with?

So I have not been involved myself in DevOps, other than working with Gene behind the scenes on his first book.
But I was involved at one company where they were implementing Agile, and frankly, they were messing it up. They were doing it in a way where they were losing control and they were actually spending far too much money on developing a system which only had limited ROI, and this was taking away from their ability to work on other things. So they were working on the good at the expense of the great.
And they didn't have control of what they were doing. So I think that every internal auditor, every manager, every human being except that young baby doesn't like change.
But once they understand how exciting it is and how empowering it's going to be to the people involved and how much value it's going to be to the organization as a whole, you'll bring them on board. Now, one of the things I didn't tell in my presentation today is that from time to time I have had, and others have had, auditors who cannot change. And frankly, I've had to let them go.
But that involved me, as leader of the internal audit team, and management recognizing our mutual dependence, that we were working towards the same goal and they could help me and I could help them. And they recognized that and they valued this, and they wanted the culture of both organizations to be one of mutual trust and working towards shared goals.

That is so good.

And so when they saw somebody on my team that they were getting a bad reaction to, that they felt was working to a different agenda, and they felt reluctant to try and trust them, they came to me and we had a discussion, and I tried to turn the situation around.
That particular individual admitted to me they couldn't; it was not in their nature to be that independent friend. It was in their nature to be a critical person. And so I said, well, this is not that environment. And my impression of internal audit these days is that most of them want to be part of change for the better.
They recognize that we live in a different environment. We live in a disruptive, dynamic environment, and everything needs to be changed, including the way in which they've done business.

That's awesome. I will remember the monster story, and actually I like that idea that, let's tackle the monster together in a collaborative way. With that, we'll end this. Thank you.

Thank you.