One of the biggest mistakes made by internal audit departments is distancing themselves from the rest of the company under the auspices of independence. Again, the question comes back to one of mission. If the department's mission is to promote and improve the state of internal controls at the company, then the more informed you are about what's going on, the more effective you'll be. Unfortunately, too many companies take the approach of doing "drive by" audits. They decide what they want to audit with little input from management. They decide when they want to perform the audit and inform the auditees, sometimes with very little notice. They then swoop in, perform the audit, throw the issues over the wall to be fixed, tell senior management how screwed up the area is, and disappear. They are then only seen again when they are beating people up for not addressing the issues by the due dates (which often were dictated by the auditors).
How receptive and open do you think people are going to be to the auditors under this approach? The answer is, "Not very." When audits are conducted in this way, it's a painful and unpleasant experience, and people are just trying to get it over with. They're likely to take the "just answer their questions and don't volunteer any information" approach. After the auditors leave, the people they have been auditing laugh about all the big, gaping internal control holes that the auditor missed. Was that audit effective? Absolutely not. It was an adversarial exercise in which the auditors had to fight their way through to the end, usually missing important issues.
An effective internal audit department considers the audit to be a partnership with fellow employees and not a policing function. An effective audit department is involved year round with key functions and does not just swoop in and out when performing audits. The audit should be just an occasional event in an ongoing relationship.
By combining your internal controls expertise with the auditee's expertise in their business and day-to-day operations, together you can best determine what risks exist that are worth addressing. When you are having success in this area, the people you are auditing begin volunteering information about potential audit issues in their area. They go beyond just answering the questions you've posed and are brainstorming with you regarding where they might have exposures. You have credibility, and when you raise potential issues, their first reaction is not to fight you on them but instead to accept them and try to understand the reasons behind your concern.
At the end of an audit, the people you've been auditing should look back and realize that it was a helpful experience and was not unpleasant. Of course, there will be exceptions. On rare occasions you actually will find people who are uninterested and unwilling to implement the internal controls necessary for their area. There still will be occasional conflicts, but they should be extremely rare if the auditors know what they're doing and bring a customer-oriented approach to the job.
It is important to point out that advocating positive relationships does not absolve the auditor of his or her responsibility to be objective. The auditors still must bring healthy skepticism to the job. However, this can be done in a negative way or in a positive way. You can choose to give the customer the impression that you don't believe anything he or she says and therefore must verify it, putting him or her on the defensive. Or you can bring an attitude to the table that says, "Look, I trust and believe what you're saying, but the standards of my profession require me to independently validate it. Can you help me get access to the information I need to do so?" Very few people will be offended or defensive about the latter approach (unless, of course, they're among the small percentage of truly dishonest employees).
Adversarial relationships get in the way of the core objective of the audit department, which is to improve the state of internal controls at the company. It is the responsibility of the audit department to do everything it can to minimize those negative relationships and foster positive ones.
In order to arrive at these results, the relationship between the IT auditors and the IT organization must be a cooperative, collaborative one. The auditors must have credibility and trust within the IT organization. This requires an investment of time and some patience as the relationship develops. Below are some basic steps that can be taken to start the journey:
Be intentional about regular updates and meetings with IT management.
Establish formal audit liaisons with different IT organizations.
Get yourself invited to key meetings.
Cultivate an attitude of collaboration and cooperation.
Select the IT managers over key areas, and get on their calendars. During those meetings, get their input on the audits they want you to perform. Get an understanding of upcoming activities in their area, and see if there are opportunities for you to help and consult on internal control needs for those activities. This information will aid in identification of the early-involvement opportunities discussed earlier in this chapter.
Assign an auditor (or the IT audit manager) to be the relationship manager for each significant IT organization. These relationship managers will have the responsibility of maintaining contact and relations with the management and key contributors of their assigned organization. This could involve regular (e.g., monthly, bimonthly, or quarterly) meetings with those contacts in order to keep up with their activities and understand their concerns. It could involve attending department meetings. It could involve getting their input as each year's audit plan is developed in order to obtain their recommendations for formal or informal audit activities.
Get yourself invited to key meetings, such as project reviews, strategy sessions, and IT communications meetings. They are a great way to keep up with what's going on and are also excellent networking opportunities. As people get used to seeing you as part of their normal routine, they become more comfortable with you and much more likely to call you when they have internal control concerns or questions. Maintain a presence in the IT community. There are IT groups that support the network and some that support business applications. You're the IT group that provides internal control assurance. You're part of the overall team and have a unique and important function, just like they do. When invited to key meetings, don't take the "fly on the wall" approach that many auditors do, where you feel that your role is to just observe. Be vocal, join in the discussion, and provide your perspective as an auditor to the proceedings. This is a more value-added approach than just sitting against the wall. Similarly, look for opportunities to present at staff and department meetings on relevant internal control concepts. This is an excellent vehicle for spreading the word.
Cultivate an attitude of collaboration and cooperation among the IT audit team. Do not allow team members to take the old-fashioned heavy-handed approach to auditing, where the audit department is the police department coming in to beat people into submission for not following the rules. Small things such as calling people customers instead of auditees can do wonders for altering the mind-set of team members and fostering the right attitude. The audit team should avoid "gotcha" tactics and language in its communications, instead presenting its concerns in an open way that shows respect and fosters discussion. The ability to work well with customers should be a part of each auditor's performance evaluation.