Too many organizations use internal audit results to drive priorities for the IT function, which can have a devastating effect on morale. This approach sets an example for the entire organization about how to get systems-related objectives met. Initially, this can be benign as leaders try to do the right thing and help uncover systems issues that need attention. Eventually, pointing the auditors to real or suspected issues allows them to elevate any project to the highest priority, whether it is strategic or not.
For example, a software company starved back-office systems in favor of product development. As a result, IT fell seriously behind in patching internal production systems. Because the organization was audit-driven, at the next opportunity, management pointed auditors at patching, and the inevitable findings in patch management became the flag around which any desired project was wrapped to secure new funding. Step one: Hold IT accountable for not patching that system. Step two: Secure funding to “fix IT’s mess.”
Allowing audits to drive strategy wastes time and money, and robs management of the audit’s real value — helping management validate that it is appropriately addressing risks to business processes. When the audit becomes the key objective, performing audits becomes an essential business process on its own. This mistake creates the potential for a wildly inappropriate scope that gives the IT staff the sense that audits are never-ending and self-serving.
Fear and Loathing
These issues can lead to audit fatigue and poorly executed audit activities. Before long, management is spending its time and attention fixing problems with audits instead of fixing problems found by audits.
In another example, a large financial services company purchased a much smaller company in an adjacent but highly regulated space. As is often the case, the smaller company had a much lower profile than the larger company, but that changed once it was part of a larger organization. The new management, lacking experience as a highly regulated entity, began to ramp up audits to get ahead of the regulators. As operational requirements competed with audit requests, “just get it done” replaced “do it right.” At some point in this dysfunctional downward spiral, “do whatever the auditor says to get this over with” became the strategy to end the pain.
This example provides context for the skepticism, distrust, and outright fear senior executives and IT staff members have about audits. Some worry about getting in trouble for doing something wrong. Many view the time spent on audit requests as wasted time or busy work. The fear and distrust of audits naturally extend to the auditors, and this leads to an “us versus them” mentality. Both sides dig in and spend more time protecting their flank than solving their problems.
Some IT departments assign auditors “handlers” to choreograph activity, coach process owners to provide guarded answers, and quickly escalate issues, causing a bottleneck within leadership. Inexperienced auditors bring poor time management skills, poorly thought-out evidence requests, and negative attitudes to audits that put everyone on guard. Auditors then spend extra time gathering overwhelming evidence of control failure, and IT staff fabricates control evidence.
In addition to driving poor decision-making when used unwisely, audits often veer off track. In such cases, people too close to the situation sometimes focus on the audit as the key objective rather than managing the business process under audit. Besides these strategic mistakes, scope creep, poor communication, distrust among teams, and inexperience can plague any project and amplify any problems with an audit because of the extra scrutiny on the outcome.
In some organizations, IT may be severely underfunded and so far behind in resolving previous audit findings that the department gets accustomed to adding the next set to its ever-expanding project list. This forces leadership to spend so much time prioritizing and re-prioritizing work that audit failure becomes the de facto driver for funding. This, more than control failures, may be the finding that the audit should reveal.
The Path to Peace
It doesn’t have to be like this. When used appropriately to validate assumptions and uncover blind spots, the audit program is a crucial asset for management and plays an essential role in governance. Here are 10 tips to help internal auditors, management, and IT employees get on the right track.
Audit team
The audit team can become better partners to IT by taking these steps:
- Agree with senior leadership on the strategy and priorities of the audit program. Establish priorities and understand where to focus audits based on the risks presented by the critical business processes.
- Ensure each audit focuses on making the business process better, not finding problems. Internal audit should keep this goal in mind as it sets audit objectives, determines scope, and frames findings. Always solicit recommendations for improvement from management.
- Help the organization navigate audits and examinations by external organizations (within the limits of independence). This is particularly important as it pertains to audit scope. For example, it’s not helpful to have nonregulated businesses examined by regulators. It wastes time and exposes the organization to inappropriate jeopardy. Auditors should make sure all parties agree to the scope before the audit starts.
- Agree up front on the criteria for identifying the required evidence. These criteria include sample selection criteria, the duration of the assessment, and the amount of evidence required to validate each test objective.
- Agree on the process and tools to be used for requesting and receiving the evidence. Agree on how quickly evidence is to be gathered once requested.
Management
IT management can demonstrate transparency and respect for the audit process by:
- Avoiding assigning junior people to handle examiners or auditors. When management tries to offload audit responsibility to the least useful resource, it almost always has a negative impact.
- Not coaching employees on how to be coy with auditors. Internal auditors are trained to spot inconsistency and lack of transparency. Trying to hide details from auditors is unprofessional and causes them to dig deeper in that area.
Employees
IT staff members who are asked to support audit activities can establish trust by taking these steps:
- Don’t assume your competence is being questioned. “I don’t know, but let me find out for you” is a better answer than guessing.
- Don’t try to sound like a lawyer. The best way to be understood is for employees to use the language and style that is comfortable to them. The surest way to get management’s attention — and not in a good way — is to call a minor testing deviation a “material weakness.”
- The auditor is not a whistleblower hotline. Managers should remind employees to bring internal issues to their manager or a neutral member of the management team.
Look in the Mirror
Internal auditors should ensure their organization doesn’t take a dysfunctional audit approach. They should review their audit strategy to make sure it addresses business process risk, provides the necessary governance assistance to management and the board, and addresses the organization’s regulatory requirements. They shouldn’t let audits drive the business.