From Your Auditor Friends: What We Wish Every Technology Leader Knew

Is your auditor out to get you? Knowing the truth behind common internal audit myths can help you navigate that tricky relationship and spark a strong partnership with your auditor.

We’ll explore some potential myths about auditors and determine what’s true and what’s not. We’ll also tackle the potentially daunting task of repairing your relationship with your auditor, so you can both move forward and enjoy the benefits of a strong partnership… or dare we say… friendship!


Clarissa Lucas

IT Audit Director, Nationwide Insurance


Rusty Lewis

IT Audit Specialist, Nationwide Insurance



Each year we ask the community about the top obstacles to things they want to achieve, and almost every year it is audit that strikes the most fear, dread, and frustration <laugh> because of the special power they have to generate findings that are seen at the highest levels in the organization. I had mentioned yesterday that I was so happy that we had the Big Four audit panel in 2019, where we had representatives from each of the Big Four busting DevOps myths, who shared their convictions that DevOps is not only auditable and possible in their audit clients, but it's actually necessary, because they want their clients to still be around in 10 years. At the DevOps Enterprise Summit last year, one of my favorite sessions was from the audit team at Nationwide Insurance, which is based in the United States and is the largest mutual insurance company. They gave some amazing and very specific advice to people who work with audit, and they shared specific techniques on overcoming audit issues, especially concerning separation of duties and change approvals.


So they'll be presenting again with part two of that presentation later in this conference. But because audit is something that every technology leader eventually faces, I asked if they would be willing to do a quick keynote mini lecture to give more general advice for anyone who has been frustrated dealing with audit, and I was so excited that they said yes. Clarissa Lucas is an IT audit director at Nationwide Insurance after spending years auditing investments, finance, and credit, and Rusty Lewis is an IT auditor who joined Nationwide after spending years at PwC. They will continue to bust some commonly held beliefs about audit, some of which may genuinely surprise you. Here are Clarissa and Rusty.


Hello and welcome to today's session. I'm Clarissa Lucas and I'm here with my colleague Rusty Lewis. We're both internal auditors at Nationwide Insurance. Oh, no, not the auditors. What are they doing here? They don't care about DevOps or doing things differently. They like to stick to their checklists and do the same thing every year. They really enjoy writing us up for not segregating duties. I heard they even get paid by the finding. Gene, what were you thinking, inviting the auditors here to ruin our fun? Don't worry. We've heard all of those things about our profession, ourselves, and our peers, and there are probably a few we haven't yet heard either. We know we aren't always sitting on the same side of the table, even though we do work for the same organization. At times, it might even seem like we're out to get you. Rusty and I want to explore some of these ideas with you to see if they're truths or just myths. After all, we are auditors, and what we wish every technology leader knew are a few truths about us and how we can work well together. And if those things that I said earlier are how you really feel about your auditor, like they're more of an adversary than a trusted advisor, we'll explore what that relationship could look like and how to influence getting there.


Here are some of the things that we've heard about auditors. My favorite one is that auditors get paid by the finding. I've been auditing for nearly 10 years. During those years, I've spent time as an intern, audit staff, project manager, leader, you name it, I've done it, and I can tell you that my paycheck has never been impacted by the number of issues I've found. I honestly prefer to deliver reports that are sparkling clean. Delivering good news, like that your control environment is really solid, is definitely my preference over delivering a report full of issues. Of course, if the gaps are there, we do want to shed light on that so that they can get addressed, but we truly prefer that there not be any gaps at all. So I think it's safe to say that this myth is officially busted.


Thanks, Clarissa. So to build a bit upon the first myth even more, some may also think that auditors are out to get you, but in all seriousness, we as auditors don't necessarily look any better just because we identify a control gap. Ultimately, we're trying to apply a fresh perspective. Now, if you'll humor me for a moment, I'd like to use an analogy. My wife loves to paint, and so often she'll spend hours trying to blend the right shade of color or capture that better sense of realism in a character or scenic background she's trying to portray. But once I have a chance to provide my perspective, as someone who literally couldn't paint to save my life, I'm able to quickly point out what she couldn't otherwise see because she's so focused on that one area of the painting. Similarly, that's exactly what we're hoping to do with our clients, with technology leaders, during an audit: provide a fresh perspective, not with the hope or goal of catching something or saying "We got you," but partnering with you and providing a different lens for the landscape you may be in the weeds in every single day, with the goal to address something before it becomes an issue, or maybe to help you identify industry best practices as they relate to mitigating a particular risk. I think it's safe to say this myth has also been officially busted.


All right. The next comment that we'll look into is that auditors just follow a checklist and do the same thing every year. In full transparency, I have heard of auditors using a checklist for certain audits earlier in my career. Some of my colleagues used checklists when auditing bank branches. On the other hand, let's flash forward to today: our chief auditor is so passionate about not falling victim to this pitfall that he passed out yellow penalty flags for us to quite literally throw onto the field. We can litter our office with penalty flags if necessary, if we find ourselves doing, or being asked to do, the same thing that we did the last time we did that audit. This is one that, as a profession, I think we need to keep working on. For now, it's unclear whether this will be our truth or just a thing of the past. We're definitely making progress, but we need your help. Help us by challenging what we're auditing. Ask us to explain our scope to you. Does it align with the risks that you're worried about? Does our testing approach seem reasonable? Are there ways we could improve our approach and add more value to you? For now, I think we'll mark this one as TBD, and we'll keep working to bust the myth together.


Now, the two items we haven't yet explored are that auditors don't want their findings to be a surprise and that we want to partner with you. Perhaps contrary to popular belief, these are both true. During each of our audits, we strive to avoid surprises with our clients, because that ultimately will lead to more headaches and unnecessary contentious conversation. To accomplish this, we hold status meetings throughout each audit where we discuss potential findings as soon as they arise rather than waiting until the end of the audit. This way, our clients know well in advance what to expect in the final audit report, and it also gives both sides a chance to discuss and better understand the gap identified. No surprises. In order to avoid these surprises, it's critical that we develop a partnership with our clients. By collaborating with our clients and becoming partners rather than adversaries, we end up with a much stronger audit deliverable and provide more value to the organization. So both of these remaining items are confirmed truths. To this point, we've clarified some common misconceptions, reinforced some truths, and pulled back the curtain a bit to show you where we've still got some work to do. But now let's talk about your relationship with your auditor.


Rusty and I can both recount stories where we didn't get along with our clients. It's awful for all parties involved. Repairing a fractured or bruised relationship between auditors and technology leaders can be challenging for sure, but let me tell you, it is totally worth it. When we take the time to listen to each other's perspective and understand where the other side is coming from, it goes a long way in turning a battlefield into a partnership. Suddenly our clients understand why we're concerned about something, and they feel heard. Our final audit report is a much better product than it would be without our client's partnership. The contents are clear to all readers, not just the auditors that wrote it, and our clients feel that it really helps 'em focus on things that matter to them rather than adding a list of ticky-tacky things for them to do just because audit said so.


By the way, if you're doing anything just because the auditors said so, please connect with your auditors. Understand the risk behind the issue. We don't want you to do something just because we said so. We want you to do it because it's the right thing to do for the organization, and we want there to be buy-in on that from you. Inherently, the relationship between auditors and technology leaders can be difficult. You're trying to meet the needs of your clients as quickly, safely, and efficiently as possible. We're trying to provide assurance to the audit committee. But those two don't have to be mutually exclusive. If you wanna move from adversaries to partners with your auditors, reach out to them, catch up with them outside of an audit, and encourage them to do the same with you. Get to know them on a personal level. Bring them along for the ride.


Teach them about what you do and why you do it. Tell them what's important about what you're doing. Tell them what you're worried about. When it comes time for the audit, have your auditors provide you with updates along the way. Ask to talk about the findings as soon as they arise rather than waiting till the end of the audit. Offer your insights on the risks. Challenge the auditors to explain those findings and the risks behind them. Help provide clarity where things are unclear. If the auditors aren't seeing the whole picture, help them see it. Another way you can partner with your auditor friends is to have them perform some consulting work. So in addition to the traditional audits that you may be used to, a lot of audit shops will do advisory services or consulting work. This is where we can come in when you're implementing a process and you're not sure what controls you wanna put in place, and we can help give you the answers to the test before we come in and do an audit.


This will help convince management and upper leadership that you need to put these controls in place. It'll provide support for that and might be able to give you some of the resources that you need to accomplish that. Even if we're performing our regular audits, our assurance audits, sometimes those findings, when we're all on the same page and we can all have buy-in on it, can help get you the resources you need to accomplish what you need to accomplish. We want the partnership just as much as you do. Sometimes we might need some help bridging the gap.


Now, as our presentation comes to a close, I won't go down the list of each myth we've busted or truth we've confirmed, but there are just a few key reminders that we hope you walk away from this presentation remembering. The first of which is that we enjoy telling your leaders about the great things you do day in and day out far more than we do telling them that there are problems requiring fixing. We also never want our audit reports to be a surprise. We want a strong partnership with you, the technology leaders of your organizations, and there's no way a relationship can move from strictly professional to personal without mutual trust. Help us to help you in becoming your trusted advisors.


On behalf of both Clarissa and me, we wanna extend a very special thanks to each and every one of you that joined us today for our mini keynote presentation. A special thanks to Gene Kim and everyone at IT Revolution for allowing us to present it here at the Summit. As we noted in our other presentation, we don't want the conversation to end here. Our contact information is listed here, and we would encourage you to reach out directly via email with any questions you may have. Thanks again. Stay safe and enjoy the rest of the DevOps Summit.