I never tell anyone that I am an “auditor”. Usually the word “auditor” conjures up images of the IRS knocking at your door asking for money. Besides, “auditor” hardly scratches the surface of what any good IT auditor does for his company.
For me, I market myself as a consultant. Most of my time goes into building relationships, specialty consulting projects, researching information security trends, and working with a great team of professionals to reduce our company’s overall risk profile.
None of my time is spent trying to find meaningless audit issues for the sake of finding something to put into an audit report.
As an IT auditor working in an internal audit department, I have to overcome the hurdle (and fear) that comes with the job and my title. Here are a few approaches I have taken over the years to build a better relationship with my clients and co-workers and to earn a reputation as someone whose opinion is valuable.
Building Better Relationships
1. Develop a relationship before the first project or audit – One of the things that have served me well over the years is making the time to call, have lunch, and meet key contacts for future projects – prior to the project.
For example, when I first launched the IT internal audit group in my current position, I spent the first few weeks calling, having lunches, and visiting the office of almost anyone with a manager or IT-related job title in the company (this process is always ongoing). Now I have a working relationship with dozens of potential project owners who value my opinion – and do not see me as a threat.
You also learn a lot from other professionals!
2. Communicate the Audit Process – Consider that most people have never been through an audit before, so they do not know what to expect. It is therefore important to be clear about the audit process from start to finish. I usually put together a project management “one-pager”. Here are a few things I include:
– Project Scope (Applications, Dates, Locations, etc.)
– Project Timeline and Milestones (Dates on-site, Report Dates, Request Dates, etc.)
– Project Deliverable (agreed upon by both parties)
– Project Contacts (both the consultants and the clients)
3. Give away free consulting – People stop by my office (or call, email, or comment on this blog!) all the time to ask simple questions. Most of the things people want require little-to-no effort on my end to help, but create a great rapport. Sometimes I even create value-add documents (like information security training), flow diagrams, or security reports. People tend to be very appreciative of freebies that make their life easier.
4. Don’t play “Gotcha” – As an auditor you will inevitably find an issue that people are sensitive about (or that could cost someone their job). This is why it is important to be very transparent about the audit process as well as findings. Never be a “gotcha” auditor – meaning one who springs findings on the auditee at the last minute and makes them look bad (intentionally or not).
When you have audit findings I suggest the following steps:
– Communicate the audit findings verbally and in writing prior to formal presentation.
– Articulate the associated risks to the Company (a finding means nothing if there are no risks).
– Understand and communicate mitigating controls that may affect the overall risk.
5. Establish credibility with IT – IT auditors have a bad reputation with IT professionals for not knowing anything about IT. I wrote an entire post on this. You can check it out here.
6. Be creative and market your deliverables – The value of a beautiful report is under-rated. I strive to make my reports read and feel like marketing material. Clear communication, smooth transitions, helpful graphics, and logical design. Your products are an extension of your reputation and often the only contact some people have with you. So it is important to consider what your deliverables say about you and the quality of your work.
What creative ways are you building relationships and overcoming the title “auditor”?