I.T. Auditors are Worthless: How to Establish Credibility with the I.T. Guy (or Gal)

“I.T. Auditors don’t know anything about I.T.” – Anonymous Client

On the first day of almost every project I have ever been involved with, I have had to overcome the perception that as an “Auditor” (I prefer Consultant because I’m usually there to do a lot more than just audit) I lack any understanding of technology. From a client’s perspective, I think the assumption that I’m ignorant of I.T. is a fair one based on their previous experiences.

I.T. professionals I’ve spoken with have shared the same story: constant turnover of fresh-out-of-college IT Auditors from various accounting firms – all without the slightest understanding of how even the largest and most common I.T. platforms, say Active Directory, function. Throw in a custom application or two and the inexperienced IT Auditor is lost forever – and so is their credibility with the client.

Competency Test: Want to find out how much your I.T. Auditor knows? Ask them to explain group policy in Active Directory. This is a basic concept, and if they can’t explain it, then you have a noob on your hands!

The Dirty Little Secret

The reality is that in most Public Accounting firms, everyone with experience is so overworked that sometimes there is almost no choice but to send the inexperienced employee to the client’s site to “figure it out” – especially when it comes to IT. That explains the blank stares and lack of client service many industry professionals complain about. As a result, this has created an industry-wide perception (or reality?) that most I.T. Auditors are pretty worthless. So the question becomes: How does the I.T. Auditor establish credibility?

Establishing Credibility

Establishing credibility with the client isn’t about “faking it”. The key is showcasing your existing skills and knowledge to the client in an effective way that builds trust and rapport, while learning how to ask for explanations and clarifications when you need them. Here’s a quick list of things that have worked for me along the way.

1. Dress like a Professional – Even if this is your first day on the job and you don’t know the first thing about I.T. you can always look the part. First impressions and a little effort go a long way.

2. Be Current – Never underestimate the value of being able to talk about current trends, recent security breaches, and events with I.T. professionals. This goes a long way toward proving that you are “plugged-in” to the I.T. community. Check out the sidebar to the right for other blogs and websites to stay current on I.T. Audit and I.T. Security topics.

3. Share Experiences – The true value of a consultant is their ability to bring their knowledge of the industry and “what’s worked at other clients” to the table in the form of real life examples and solutions. Relaying anecdotes, previous solutions, and suggestions (and building on those previous experiences) gives the client a reason to trust you. It also brings the client real value and experience they would otherwise not have.

4. Give a little extra – You were paid to do a certain job, but that doesn’t mean you can’t do a little extra. One thing that has taken me a long way with I.T. professionals is understanding what is important to them and finding a solution. Sometimes it is as easy as communicating their concerns to management – other times it might be creating a long list of process improvements “for their eyes only”. Either way, by showing you are there to help (and listening!) you build trust and credibility.

5. Don’t be afraid to be a geek – If you are in fact a former IT professional or love working on networking and computers in your spare time, don’t be afraid to share those experiences. The quickest path to building meaningful relationships with anyone is to find common interests. And there is no better way to learn from the real experts in the field than to give them a reason to open up to you and share their passions and interests!

Most of this stuff is pretty basic, but I think it is worth reinforcing from time to time. We welcome further suggestions and stories in the comments.

6 thoughts on “I.T. Auditors are Worthless: How to Establish Credibility with the I.T. Guy (or Gal)”

  • Great post! As a fresh graduate, I often found it difficult to make sense of how an I.T. environment works, let alone comment on its appropriateness.

    I read a suggestion in one of the comments that I.T. auditors should spend some amount of time working in operations and I could not agree more to that. However, with the resource crunch, no one gives a second thought to actually grooming an individual on this front. Consequently, we are left with a patchy understanding of basic technical concepts and end up delivering subpar services.

    I’m glad to have stumbled upon this blog. It is easy to understand and covers relevant topics in every post. Thank you for your efforts!

  • @Madhura

    Agree another great post on this blog. Starting to feel like a groupie.

    I think building up your IT competency is key – but developing those core auditing skills is critical. I think there is a misnomer that IT auditing = IT. Unfortunately many of the IT skills or activities don’t translate to auditing. Auditing involves a lot of analysis, talking to people, and documentation. It is those softer skills that aren’t as obvious or developed in IT staff. In my experience, it has been more difficult for folks to develop auditing skills. And you need those skills so you can explain to your clients what you are doing and why it is important. Transparency with an IT client can go a long way. In many cases, once they know what I’m trying to do and why, they are more willing to assist. I’ve had clients get really excited about my work because it was something they had been worried about for years.

    That said – I would be interested in your thoughts about some of the more “mundane” auditing tasks like planning, documenting or reporting IT audits.

    • @Steve –

      Just an FYI that we have a whole series (and templates) coming up on ideas around planning, documenting, and reporting (including some unique ideas behind internal audit value add reports) coming up in the coming weeks and months. Stay tuned!

  • Good post.

    A couple ideas….when sharing about how you’ve seen it done in other companies, I’d shy away from statements like: “at my last company, they did this…” Instead, relay the same info by asking, “Have you considered this?” (where ‘this’ is the idea you’re sharing). I shy away from talking about other companies unless asked, as I found it puts others on edge.

    Don’t expect/ask for something until you need it. If you need something by Friday this week, don’t demand it by Wednesday. Along the same lines, don’t ask for something by Friday if you’re out of the office Friday. Push your request until Monday.

    Give IT a heads up on bad news. If your management made a decision or you’re going to release a report that’s unfavorable, give IT a heads up; don’t ever surprise them. No one wants their boss hunting them down because audit sent out a tough audit report. Explain why it’s happening and any suggestion you have. This builds credibility and demonstrates you’re not out to get anyone.

    Ask good questions. When you don’t know something, Google it; learn the easy stuff yourself and ask IT about the rest. IT hates to explain simple things to auditors.

    Read the previous workpapers for background info. When you ask whether details have changed (e.g., we still only have 2 Windows domains, Acme and AcmeTest?), you look like you know what you’re talking about, even if you don’t. And you’ll figure out what has changed, and can ask why, and the impact of those changes (good questions).

    When looking for common ground, check out the IT staffer’s cube when he’s not around. Find a picture, conference, trophy etc. that you can start the conversation with. Check their LinkedIn page for other common ground or conversation starters.

    • Great additions as usual. I really like the idea behind looking for common ground for casual conversation. That’s a good tip.

      One thing I missed in the post that you mentioned is reading last year’s workpapers so you can understand the client’s environment. That is essential as well.

      Regarding asking for things when you need it – I usually play this by ear based on a client’s habits. If I know that they are always late or that I will have follow up requests (because what they provide may not fully meet my needs) I might give myself a little cushion and ask for it a little earlier than I need it. That’s one area where experience with the client and their culture helps a lot.
