In Part 1, we discussed the concepts of “good”
and “bad” and their many gradations. All of the
shades of badness examined (the well-connected,
the faker, the lazy, the bureaucrat, the cookbook
auditor, the geek and the sociopath), other than
the sociopath, are fairly harmless. They are
nuisances, definitely, but not individuals who can
significantly damage the organization.
In this column, the profiles (other than the
timid) represent an increasing level of danger to
the organization. There are overlaps among the
various profiles.
These negative profiles raise an ethical issue
for “good” auditors: the role of organizational
policy and whistleblowing. These are big topics,
and the intent here is to sensitize the reader to
them and raise the question, “Have you thought
about this?”
THE ARGUMENTATIVE
The argumentative auditor believes that always
being right is the appropriate behavior and will
insist that his/her findings and observations
could not possibly be wrong and/or revised.
Audit meetings get “interesting” when the
argumentative auditor is dealing with an
argumentative auditee; things can readily escalate
into open conflict. This is bad news and usually
ends up with senior management/the chief audit
executive (CAE) having to resolve it.
THE “MUST FIND SOMETHING”
This is the knowledgeable, experienced, well-mannered and dedicated auditor who feels
that his/her role must be justified all the time.
Fundamentally different from the argumentative
auditor, this auditor can add much value except
when he/she engages in the mindless pursuit of
perfection.
One such contracted auditor was proudly
telling how his six-week audit resulted in 75
recommendations. The auditee was miffed
because many were trivial items they already
knew about and had even mentioned to the
auditor. Senior management got the impression
that the chief information officer (CIO) was
not up to the job when, in fact, he is a talented
and respected figure. The CAE shares the blame
for not controlling the contracted auditor and
reviewing the draft report.
In the end, the report was put aside and not
acted upon, and this auditor is unlikely to get
another engagement at this company.
THE SOCIOPATH OR “GOTCHA” AUDITOR
Auditors have power in the form of largely
unrestricted access to systems, data, senior
management, physical facilities, etc., and their
reports give them considerable influence. Such
power is valuable when used intelligently and
only when appropriate. However, there are those
who take an aggressive attitude toward the
auditee. In one example, the leader of the audit
team shouted at an auditee, “If this is the best
you can do, I’m not impressed.” Embarrassment
(on the part of the auditor) followed, as did a
complaint to the appropriate staff representatives
and, through them, to the executive level.
THE CONFLICTED
Engaging auditors from a specialist company for
a specific task can provide the client organization
unique skills and experience. At the same time,
the specialist company would probably like to
build a long-term relationship with the client
organization and may be willing to be flexible just
to get a foot in the door.
Is the specialist company’s offer of pro bono
work or a project at a highly discounted daily
rate a conflict of interest issue? It is when the end
result is a contract spanning many years on the
basis that a good working relationship has been
built and the specialist company has gained a
good insight into the business being audited.
Conflict of interest should be anathema in audit.
It can take too many forms to discuss here, but
examples include, “I could recommend an excellent
consultant to help you with this,” or, “Since we are
friends, I’ll leave this item out of the report.” The
real problem arises when the auditors believe that
their biased advice is unbiased.
Ed Gelbstein, Ph.D.,
1940-2015, worked in
IS/IT in the private and public
sectors in various countries
for more than 50 years.
Gelbstein did analog and
digital development in the
1960s, incorporated digital
computers in the control
systems for continuous
process in the late ’60s and
early ’70s, and managed
projects of increasing
size and complexity until the
early 1990s. In the ’90s, he
became an executive at the
preprivatized British Railways
and then the United Nations
global computing and data
communications provider.
Following his (semi)
retirement from the UN,
he joined the audit teams of
the UN Board of Auditors and
the French National Audit
Office. Thanks to his generous
spirit and prolific writing,
his column will continue to
be published in the ISACA®
Journal posthumously.
Is There Such a Thing as a Bad IS Auditor?, Part 2