Is your auditor out to get you? Knowing the truth behind common internal audit myths can help you navigate that tricky relationship and spark a strong partnership with your auditor. We’ll explore some potential myths about auditors and determine what’s true and what’s not. We’ll also tackle the potentially daunting task of repairing your relationship with your auditor, so you can both move forward and enjoy the benefits of a strong partnership… or dare we say… friendship!
IT Auditor, Nationwide Insurance
IT Audit Director, Nationwide Insurance
Thank you, Mick. All right. Over the years, we asked this community about their top obstacles to things that they want to achieve. And almost every year it is audit that strikes the most frustration, fear and even dread. And I think it's because of the special power audit has the generate findings that are seen at the highest levels in the organization. So last year I was so happy that we had the big four audit panel, where we had representatives from each of the big four busting DevOps myths who shared their convictions. That ops is not only just auditable and possible in their audit clients, but they all believe it's actually necessary because they all want their clients to still be around in 10 years earlier this year in our London conference, one of my favorite sessions was from the audit team from nationwide insurance, the largest insurance mutual company.
They gave some amazing and very specific advice to people who work with audit. And they should very specific techniques on overcoming audit objections, concerning separation of duties and change approvals. So we'll be replaying that session for you later in this conference, but because OD is something that every technology leader faces. I asked them if they'd be willing to give a quick keynote session to give some more general advice for anyone who has been frustrated, dealing with audit. And I'm so excited that they said yes, so presenting up next is Clarissa Lucas. She's an it audit director at nationwide insurance after spending years in investments, finance and credit and presenting with her is rusty Lewis, an it auditor who joined nationwide after spending years at PWC, they will continue to bust some commonly held beliefs about audit. Some of which may genuinely surprise you. Here's Clarissa and rusty.
Hello and welcome to today's session. I'm Clarissa Lucas. And I'm here with my colleague rusty Lewis. We're both internal auditors at nationwide insurance. Oh no, not the auditors. What are they doing here? I don't care about dev ops are doing things differently. They like to stick to their checklists and do the same thing every year. They really enjoy writing us up for not segregating duties. I heard that even get paid by the finding gene. What were you thinking? Inviting the auditors here to ruin our fun. Don't worry. We've heard all of those things about our profession ourselves and our peers. And there's probably a few. We haven't yet heard either. We know we aren't always sitting on the same side of the table, even though we do work for the same organization at times, it might even seem like we're out to get you rusty. And I want to explore some of these ideas with you to see if there are truths or just myths after all we are auditors and what we wish every technology leader knew, or a few truths about us and how we can work well together. And if those things that I said earlier, or how you really feel about your auditor, like they're more of an adversary than a trusted advisor. We'll explore what that relationship could look like and how to influence getting there.
Here are some of the things that we've heard about auditors. My favorite one is that auditors get paid by the finding I've been auditing for nearly 10 years. During those years, I've spent time as an intern and audit staff, project manager, leader, you name it, I've done it. And I can tell you that my paycheck has never been impacted by the number of issues I found. I honestly prefer to deliver reports that are sparkling clean, delivering good news, like your control environment, and is really solid is definitely my preference over delivering a report full of issues. Of course, if the gaps are there, we do want to shed light on that so that they can get addressed, but we truly prefer that there not be any gaps at all. So I think it's safe to say that this myth is officially busted
And Clarissa. So to build a bit upon the first myth, even more, some may also think that auditors are out to get you, but in all seriousness, we as auditors don't necessarily look any better just because we identify a control gap. Ultimately, we're trying to apply a fresh perspective now until humor me for a moment. I'd like to use an analogy. My wife loves to paint and it's so often she'll spend hours trying to blend the right shade of color or capture that better sense of realism and a character or scenic background she's trying to portray. But once I have a chance to provide my perspective, someone who literally couldn't paint to save my life, I'm able to quickly point out what she couldn't otherwise see, because she's so focused on that one area of the painting. Similarly, that's exactly what we're hoping to do with our clients. With technology leaders, during an audit, provide a fresh perspective now with the hope or goal of catching something for saying, we got you, but partnering with you and providing a different lens for the landscape. You may be in the weeds in every single day with the goal to address something before it becomes an issue, or maybe help you identify industry best practices as it relates to mitigating a particular risk. I think it's safe to say this myth has also been officially busted.
All right. The next comment that we'll look into is that auditors, just follow a checklist and do the same thing every year in full transparency. I have heard of auditors using a checklist for certain audits earlier in my career. Some of my colleagues use checklists when auditing bank branches. On the other hand, let's flash forward to today, our chief auditor is so passionate about not falling victim to this pitfall that he passed out yellow penalty flags for us to quite literally throw out of the field. We can litter our office with penalty flags, if necessary. If we find ourselves doing or being asked to do the same thing that we did the last time we did that audit. This is one as a profession that I think we need to keep working on for now. It's unclear whether this will be our truth or just a thing of the past. We're definitely making progress, but we need your help help us by challenging what we're auditing. Ask us to explain our scope to you. Does it align with the risks that you're worried about? Does our testing approach seem reasonable? Are there ways we could improve our approach and add more value to you for now? I think we'll mark this one as TBD, and we'll keep working to bust this myth together.
Now, the two items we haven't yet explored, or that auditors don't want their findings to be a surprise. And then we want to partner with you and perhaps contrary to popular belief. These are both true. During each of our audits, we strive to avoid surprises with our clients because that ultimately will lead to more headaches and unnecessary contentious conversation to accomplish this. We hold status meetings throughout each audit, where we discuss potential findings, as soon as they arise, rather than waiting until the end of the audit this way, our clients know well in advance, what to expect in the final audit report. And it also gives both sides, a chance to discuss and better understand, understand the gap, identified no surprises in order to avoid these surprises. It's critical that we develop a partnership with our clients by collaborating with our clients and becoming partners rather than adversaries. We end up with a much stronger audit deliverable and provide more value to the organization. So both of these remaining items are confirmed truths. And so to this point, we've clarified some common misconceptions, reinforced some truths and pulled back the curtains a bit to show you where we still got some work to do. But now let's talk about your relationship with your auditor
Rusty. And I can both recount stories where we didn't get along with our clients. It's awful for all parties involved, repairing a fractured or bruised relationship between auditors and technology leaders can be challenging for sure, but let me tell you it is totally worth it. When we take the time to listen to each other's perspective and understand where the other side is coming from, it goes a long way in turning a battlefield into a partnership. Suddenly our clients understand why we're concerned about something they feel heard or final audit report is a much better product than it would be without our client's partnership. The contents are clear to all readers, not just the auditors that wrote it and our clients feel that it really helps them focus on things that matter to them rather than adding a list of ticky, ticky, tacky, things for them to do, just because audit said so, by the way, if you're doing anything, just because the auditor said, so please connect with your auditors, understand the risks behind the issue.
We don't want you to do something just because we said, so we want you to do it because it's the right thing to do for the organization. And we want them to be buy-in on that from you inherently have the, between auditors and technology leaders can be difficult. You're trying to meet the needs of your clients as quickly, safely and efficiently as possible. We're trying to provide assurance to the audit committee, but those two don't have to be mutually exclusive. If you want to move from adversaries to partners with your auditors, reach out to them, catch up with them outside of an audit and encourage them to do the same with you. Get to know them on a personal level, bring them along for the ride, teach them about what you do and why you do it. Tell them what's important about what you're doing.
Tell them what you're worried about when it comes time for the audit. Have your auditors provide you with updates along the way. Ask to talk about that findings as soon as they arise, rather than waiting until the end of the audit, offer your insights on the risks. Challenge the auditors to explain those findings and the risks behind them help provide clarity where things are unclear. If the auditors aren't seeing the whole picture, help them see it. Another way you can partner with your audit or friends is to have them perform some consulting work. So in addition to your traditional audits that you may be used to, a lot of audit shops will do advisory services or consulting work. This is where we can come in when you're implementing a process and you're not sure what controls you want to put in place, and we can help give you the answers to the test.
Before we come in and do an audit, this will help convince management and upper leadership that you need to put these controls in place. It'll provide support for that. It might be able to give you some of the resources that you need to accomplish that even if we're performing our regular audits or assurance audits, sometimes those findings, when we're all on the same page and we can all have buy-in on it can help get you the resources you need to accomplish what you need to accomplish. We want the partnership just as much as you do. Sometimes we might need some help bridging the gap
That was her presentation comes to a close. I will go down the list of each myth. We've busted our truth. We've confirmed, but just a few key reminders that we hope you walk away from this presentation remembering the first of which is that we enjoy telling your leaders about the great things you do day in and day out, far more than we do telling them that there were problems requiring fixing. We also never want our audit poor reports to be a surprise. We want a strong partnership with you, the technology leaders of your organizations, and there's no way relationship can move from a strictly professional to personal, without mutual trust, help us to help you and becoming your trusted advisors on behalf of both Clarissa and I, we want to extend a very special things to each and every one of you that joined us today for a mini keynote presentation, we are tremendously grateful to have had the opportunity to present virtually at the London DevOps summit earlier this summer, and a special thanks to gene Kim and everyone at it revolution for allowing us to present again here at the Las Vegas dev ops summit.
As we noted in our other presentation, we don't want the conversation to end here. Our contact information is listed here, and we would encourage you to reach out directly via email with any questions you may have. Thanks again, stay safe and enjoy the rest of the DevOps summit.
Unlimited users from organization
Gene Kim's Audit and Security Playlist
Matt Bonser, PricewaterhouseCoopers LLP; Yosef Levine, Deloitte; Jeff Roberts, Ernst&Young; Michael Wolf, KPMG; Gene Kim, IT Revolution
How Fannie Mae Uses Agility to Support Homeowners and Renters
Kimberly H. Johnson, Fannie Mae; Tim Judge, Fannie Mae; Christopher Porter, Fannie Mae; Ramon Richards, Fannie Mae
From Your Auditor Friends: What We Wish Every Technology Leader Knew
Clarissa Lucas, Nationwide Insurance; Rusty Lewis, Nationwide Insurance