Hi - YES … I can relate to this as I’ve worked with external Audit firms as well as internal auditors throughout my 30 year IT career.
Am I wrong to have assumed this?
No - However, there are always ‘lessons learned’. The key tactic next time is to formally document your meeting to your manager and the lead auditor for all of your responses to the issues. Secondly, assume every audit point will be presented to management ‘as is’, even if you have the best explanations possible.
I am really annoyed with our KPMG audit Manager for having verbally accepted items and then reported otherwise to my Director.
In some respects this may seem to appear as though the auditor is unethical, but I’ve learned otherwise that it’s more of the ‘nature of the beast’.
Over the years, I learned that external auditors are paid to render a service. I’ve had the exact same scenarios, where I thought we had good IT controls in place as we discussed findings with the auditors. Even though they somewhat agreed, they still presented the findings to management (without explanations of current controls).
I’m suspecting some reasons many auditors share ‘less relevant’ findings or even fully ‘solved issues’ might be in the points below:
They accept your explanation fully and may agree somewhat with the way you are controlling the audit exposure. However, they still may believe the control is better solved otherwise.
Most auditors I’ve worked with will leave out any mitigating controls, workarounds, or best practices you may have related to the audit point. Indeed, their job is to find weaknesses in controls, but as a constructive comment, it would be beneficial to share ‘the rest of the story’.
In providing a service, I’ve seen some auditors who are out to ‘score points’ and are eager to look under every rock, nook, or cranny for something that could be better controlled. In most cases an audit firm will not want to go away empty handed without anything to present to Senior Management, as it might look like they didn’t do their job. That’s their job role, plus it’s human nature for folks to want to do a good job. I have a lot of respect for audit professionals and there are a wide range of styles and personalities like any other profession.
Finally, I’d recommend writing your own formal response (email is fine) to your Director in response to all audit points. I would briefly document point-by-point how the current controls operate. You might include that they were discussed with the external audit team, but I’d probably not copy the auditors directly. Also, I’ve always done this in a professional and even courteous manner as it’s a sharing of your perspective of controls.
The director is then empowered to assess both sides fairly. If needed, current controls can be enhanced. If it’s felt that the external auditors didn’t present their findings as accurately as they should, then they can be counseled from a services rendered context.