I Hate My Auditor: Building Better Client Relationships


I never tell anyone that I am an “auditor”. Usually the word “auditor” conjures up images of the IRS knocking at your door asking for money. Besides, “auditor” hardly scratches the surface of what any good IT auditor does for his company.

For me, I market myself as a consultant. Most of my time goes into building relationships, specialty consulting projects, researching information security trends, and working with a great team of professionals to reduce our company’s overall risk profile.

None of my time is spent trying to find meaningless audit issues for the sake of finding something to put into an audit report.

As an IT auditor working in an internal audit department, I have to overcome the hurdle (and fear) that comes with the job and my title. Here are a few approaches I have taken over the years to build a better relationship with my clients and co-workers and to earn the reputation as a valuable opinion.

Building Better Relationships

1. Develop a relationship before the first project or audit – One of the things that have served me well over the years is making the time to call, have lunch, and meet key contacts for future projects – prior to the project.

For example, when I first launched the IT internal audit group in my current position I spent the first few weeks calling, having lunches, and visiting the office of almost anyone with a manager or IT-related job title in the company (this process is always ongoing). Now I have a working relationship with dozens of potential project owners that value my opinion – and do not see me as a threat.

You also learn a lot from other professionals!

2. Communicate the Audit Process – Consider that most people have never been through an audit before so they do not know what to expect. So it is important to be clear about the audit process from start to finish. I usually put together a project management “one-pager”. Here are a few things I include:

– Project Scope (Applications, Dates, Locations, etc.)
– Project Timeline and Milestones (Dates on-site, Report Dates, Request Dates, etc.)
– Project Deliverable (agreed upon by both parties)
– Project Contacts (both the consultants and the clients)

3. Give away free consulting – People stop by my office (or call, email, or comment on this blog!) all the time to ask simple questions. Most of the things people want require little-to-no effort on my end to help, but create a great rapport. Sometimes I even create value-add documents (like information security training), flow diagrams, or security reports. People tend to be very appreciative of freebies that make their life easier.

4. Don’t play “Gotcha” – As an auditor you will inevitably find an issue that people are sensitive about (or that could cost someone their job). This is why it is important to be very transparent about the audit process as well as findings. Never be a “gotcha” auditor – meaning you spring findings on the auditee at the last minute to make them look bad (intentional or not).

When you have audit findings I suggest the following steps:

– Communicate the audit findings verbally and in writing prior to formal presentation.
– Articulate the associated risks to the Company (a finding means nothing if there are no risks).
– Understand and communicate mitigating controls that may affect the overall risk.

5. Establish credibility with IT – IT auditors have a bad reputation with IT professionals for not knowing anything about IT. I wrote an entire post on this. You can check it out here.

6. Be creative and market your deliverables – The value of a beautiful report is under-rated. I strive to make my reports read and feel like marketing material. Clear communication, smooth transitions, helpful graphics, and logical design. Your products are an extension of your reputation and often the only contact some people have with you. So it is important to consider what your deliverables say about you and the quality of your work.

What creative ways are you building relationships and overcoming the title “auditor”?

4 thoughts on “I Hate My Auditor: Building Better Client Relationships”

  • Great ideas and far too often overlooked by auditors.

    Something that has helped me: Respecting business priorities and culture. Understand what is important to the client and realize they have competing priorities. It’s never a good time for an audit, but we don’t need to get in the way of critical business. I always tell my IT clients that Production comes first. If there is an outage, incident, etc., I need to back off and let them do their jobs. I’m also not there to be the traffic cop (#3 – Gotchas). I’m there to help them recognize and prioritize their issues against their business priorities.

    Consulting can be tricky and come back to bite. I can advise and recommend, but it is ultimately management’s decision. I never want a process/control implemented because “audit said so”.

    This blog is great, by the way. My daily stop for auditing guidance and inspiration.

  • Spot on! I always view my job as a “consultant” who provides value-add to the client through meaningful insights and recommendations that can mitigate identifiable and potential risks within the company; not an “auditor” who comes bugging the client every year to police any issues just so he can have something to write down for his management letter of comments.

  • Overall, I do things to show that auditors are human beings, not people with tasers who love to hurt people.

    I ASK if they can get me the info I need by such and such date. And I don’t ask to get things earlier than I actually need them. And when they have down systems and have to cancel appts or delay getting me info, I understand and agree that keeping the business running is more important. I treat THEIR job and time as important.

    I go to meet with them rather than have them come to me, which is thoughtful if you work at different buildings or locations.

    Also, when I can, I scope out their office in advance so that 1) I can find it on time and 2) I can view pictures, drawings, awards, etc. hanging on their office walls – that gives me something to open the conversation with when we meet and establishes common ground/interests. I also check their LinkedIn page to see where else they have worked, who we know in common, which school they went to, etc.

  • Christian,

    Great article. Sorry for being a little late to the party, but I thought I’d add my two cents.

    In addition to communicating the audit process (point #2), I / our team strives to communicate why the area is being audited, and also set expectations on how we handle issues identified in testing.

    Regarding the why, I usually explain to our audit customer that what they are responsible for helps or fully mitigates one of the organization’s enterprise risks. Otherwise, we wouldn’t (and shouldn’t) be auditing that process.

    Regarding expectations, I attempt to highlight what type of information will be discussed if an issue is found (e.g. could something happen that would negatively impact the company, and by how much) and what the process would be if we disagree on an issue (e.g. attempt to vet with higher levels of management, and if still no resolution, explain both sides to the Audit Committee).

    By helping set expectations early and often, our customer should be at ease (and perhaps impressed!) when dealing through items already discussed.

    Thanks for sharing your insights!
