
21 Dec 2017

NBlog December 21 - auditor independence [LONG]

Over on the ISO27k Forum, we've been discussing one of my favourite topics: auditing, or more precisely the question of auditor independence. 

How independent should an auditor be? What does that even mean, in this context? 

SPOILER ALERT: there's rather more to it than reporting lines.

My experienced IT auditor friend Anton posted some relevant definitions from ISACA, including this little gem:
"Independence of mind: the state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional scepticism."
While I agree this is an extremely important factor, I have a slightly different interpretation. 'Independence of mind', to me, is the auditor's mental capacity to examine a situation free of the prejudice or bias that naturally afflicts people who have been in or dealing with or managing or indeed suffering from the situation, plus all that led up to it, and all the stuff around it (the context), including all the 'constraints' or 'reasons' or 'issues' that make it 'a situation' at all. It's more about the auditor making a back-to-basics theoretical assessment, thinking through all the complexities and (hopefully!) teasing out the real underlying reasons for whatever has happened, is happening, and needs to happen next. The ability to report stuff (ISACA's "expression of a conclusion") is only part of it: figuring out how the situation ought to be in theory, then looking at it in practice, gathering objective, factual evidence, doing the analysis, probing further and focusing on the stuff that matters most (the 'root causes'), are at least as important audit activities as reporting.

Here's a little exercise to demonstrate why independence matters: next time you drive or are driven on a familiar route, make an extra-special effort to spot and look carefully at EVERY road sign and potential hazard along the way. Concentrate on the task (as well as driving safely, please!). Say out loud everything you see. Chances are, you will notice stuff that was there all along but you had long since tuned out - big and bright road signs, plain as day, that you would not have recalled or mentioned if someone had previously asked you to describe your journey in detail from memory. You'll see road markings, potholes and rough surfaces that you might have been subconsciously avoiding for ages ... but 'subconscious' is the point: prior to the exercise, they didn't register in your conscious thoughts. This is a natural biological process, essentially a mental mechanism that de-emphasizes the regular/static stuff that is there all the time (it 'fades into the background'), in order to focus more energy and attention on the differences (e.g. a new road sign warning of roadworks, or a cow in the road). 

In terms of auditing the journey, as a regular traveller you can clearly make an extra-special conscious effort to spot and assess everything, but even so there will still be things you will miss, hazards that simply don't register as noteworthy in your mind. It takes effort, too: try it and you'll see what I mean. It's tiring! In contrast, a competent driver who had seldom if ever been down that route before would probably spot even more things, especially if they had been specifically trained to do so and were well practised and highly skilled at the exercise (e.g. an advanced driving instructor or road safety specialist). The depth and breadth of technical knowledge, coupled with the audit competencies and capabilities, is what makes experienced IT audit professionals worth their pay!

'Independence of mind' can also go further: competent auditors tend to be naturally cynical or doubtful or dubious about things, especially the things that we are told by naive, reluctant or hostile auditees but which seem at odds with reality. We are actively encouraged to challenge, to probe, to explore and find out what's really going on. That, in turn, leads to the perception that we only ever see the worst of every situation, that in our eyes everybody is guilty unless/until proven innocent, and that we gleefully enjoy bayonetting the wounded. Being totally honest, there is a tiny grain of truth in that ... which is why structured audit methods and practices are designed to temper our innate cynicism and bloodthirst with reality-checks, fact-checks, quality-checks, audit file reviews and so on. Auditors don't report everything: we filter out the irrelevant and less important stuff in order to emphasise the key issues and persuade management to focus on those. In a sense, we're consciously doing what our brains would do subconsciously, but with a very clear purpose in mind, which is to support and further the organization's best interests. Doing so competently, thoroughly, independently, objectively, impartially, with the support of management, within the constraints of resources and the business and technology and personal contexts etc., in a way that ultimately achieves positive organizational change, is tough.

There's another important factor to mention, a little word that ISACA slipped quietly into their definition: integrity. An employee's decision to take a serious issue as far as possible, insistently escalating it up the line despite strong resistance (maybe even direct threats) from management, all the way to resigning if necessary, perhaps even disclosing it externally, takes guts. In my experience, auditors are gutsy people, willing to stand up and be counted, to speak out when something deserves to be said. We'll blow the whistle on impropriety. When backed into corners by powerful, egocentric, belligerent senior managers, we come out fighting! There is a downside to this, personally, in that it takes energy, fortitude and a willingness to pull the pin on a successful assignment or position. We are strong-willed, hard to manage, and can come across as abrasive, stubborn, egocentric, cantankerous, self-opinionated, socially inept and assertive. Some of us are overly fond of the sound of our own voices, and write far too much (guilty as charged!). However, we need to be demonstrably correct in our assessments and advice, which is where the factual evidence, careful analysis and all those audit process checkpoints earn their keep. We also need to be sufficiently self-aware, competent and experienced to know when we are stepping out of line, moving from facts to assumptions, from objectivity to subjectivity. We have our limitations - we are only human after all. There are times when it is totally appropriate and necessary to back down, for instance when a senior manager privately acknowledges audit issues but asks for 'a little breathing space to handle it my way'. Integrity extends to auditees too - it's very much a matter of understanding and trust between the parties, and trustworthiness, mutual respect and solid reputations.

Oh and negotiation - that's yet another set of skills to add to the competent auditor's bulging toolbox. More on that another time.
