
What Do IT Auditors Really Do?

To operations, technology and cyber security leaders, auditors are often seen as a necessary evil. As a result, how audits are actually delivered often feels like witchcraft. So what exactly do they do all day?

Understanding the IT audit process is valuable to operational leaders. Photo by Scott Graham on Unsplash

If you’ve ever sat at your desk wondering what exactly the bunch of outsiders hanging out in the audit room find to do with their time, or if you’re thinking of a career in audit but just can’t figure out what you will actually be doing all day, this is the article for you.

Planning audits

This means reviewing files, researching the company, and reading board minutes, accounts and news articles, in order to understand where the company is at the time of the audit. That background is what lets the auditor assess its plans, direction and risks during the audit, and consider whether its IT infrastructure and strategy are fit for purpose.

Arranging meetings

Harder than it sounds: arranging audits, planning meetings, and liaising with clients and management. If your auditor asks for meetings in advance, it's best to get them in the diary. What isn't done during the audit fieldwork stage can drag on for weeks or months as auditors move from project to project. Help them help you.

Holding meetings

For most operational staff being audited, this is the visible bit. Auditors hold meetings with relevant staff to understand systems, processes and controls and to obtain evidence that those controls actually operate. They may have a checklist to make sure all key controls are covered, but most likely this will be a narrative discussion, with some questions and possibly a request for a demonstration or process walkthrough.

Interrogating systems and analysing data

Interviews, in other words, but with machines rather than people: extracting data such as user access lists, change records or configuration directly from systems and testing it, rather than relying on what staff say about it. This is generally carried out by specialist IT auditors, or possibly by general auditors using CAATs (Computer Assisted Audit Techniques).
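As an added illustration of what a simple CAAT looks like in practice (this is example code, not anything from the original article or its author), the script below runs three common user-access tests over a constructed identity extract: leavers whose accounts are still enabled, dormant accounts, and segregation-of-duties conflicts. The column names, the sample rows, the report date, the 90-day dormancy threshold and the conflicting role pair are all assumptions made for the example.

```python
"""
Illustrative CAAT (Computer Assisted Audit Technique) over a constructed
user-access extract. Added example, not the author's code; the extract,
field names, thresholds and role names are assumptions for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample of the kind of extract an auditor might request from
# the identity team. Every row and column here is invented for the example.
USER_EXTRACT = """\
user_id,roles,enabled,last_login,hr_status
alice,ap_clerk,true,2024-03-01,active
bob,ap_clerk;payment_approver,true,2024-02-20,active
carol,sysadmin,true,2023-10-15,active
dave,ap_clerk,true,2024-01-05,leaver
erin,readonly,false,2023-05-01,leaver
"""

# Audit parameters (assumed): the "as of" date of the extract and how many
# days without a login makes an enabled account dormant.
AS_OF = date(2024, 3, 4)
DORMANT_DAYS = 90

# Segregation-of-duties conflicts being tested (assumed pair): nobody should
# be able to both raise and approve a payment.
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "payment_approver"}),
}


def parse_extract(text):
    """Parse the CSV extract into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user_id": row["user_id"],
            "roles": set(filter(None, row["roles"].split(";"))),
            "enabled": row["enabled"].strip().lower() == "true",
            "last_login": date.fromisoformat(row["last_login"]),
            "hr_status": row["hr_status"].strip().lower(),
        })
    return rows


def leavers_still_enabled(rows):
    """Leaver test: HR says the person has left, IAM still has them enabled."""
    return sorted(r["user_id"] for r in rows
                  if r["hr_status"] == "leaver" and r["enabled"])


def dormant_accounts(rows, as_of=AS_OF, threshold=DORMANT_DAYS):
    """Dormancy test: enabled accounts with no login in `threshold` days."""
    return sorted(r["user_id"] for r in rows
                  if r["enabled"]
                  and (as_of - r["last_login"]).days > threshold)


def sod_violations(rows, conflicts=SOD_CONFLICTS):
    """SoD test: users holding a combination of roles the control forbids."""
    return sorted(r["user_id"] for r in rows
                  if any(pair <= r["roles"] for pair in conflicts))


def run_caat(text=USER_EXTRACT):
    """Run every test over the extract and return the exceptions per test."""
    rows = parse_extract(text)
    return {
        "population": len(rows),
        "leavers_still_enabled": leavers_still_enabled(rows),
        "dormant_accounts": dormant_accounts(rows),
        "sod_violations": sod_violations(rows),
    }


if __name__ == "__main__":
    for test, result in run_caat().items():
        print(f"{test}: {result}")
```

Each function returns the list of exceptions rather than printing them, so the results can be written straight into the working papers alongside the population tested. Note that the tests are only as good as the extract: the dormancy test silently trusts `last_login`, so a real engagement would also evidence where that field comes from and whether it covers every login path.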

Writing notes

Everything must be documented. That means plenty of paperwork — often 70% of the total time. Writing up meetings, writing up fieldwork and testing, referencing files, copying documentary evidence, writing audit reports, and preparing files for review. Auditors generally have electronic working papers rather than paper files, which can make things easier — but not always. Paper files were easier to review.

Audit management

Communicating with you as the client, building annual audit plans, planning future audits, reviewing files, solving problems, removing roadblocks, and other such tasks.

Closing audits

Holding 'exit meetings' to go through findings with management, and dealing with audit file review points. This was always my favourite part, as 90% was preparation: by the time it gets to the exit meeting there should be few surprises.

Reporting

The key deliverable for auditors is a report which normally goes to the board audit committee. First there is a draft report, for discussion with management. Responses from management, setting out what action they intend to take, are then incorporated into a final report.

Learning

Undertaking training, whether formal or informal. New auditors often start with little or no hands-on experience but are expected to understand everything you do in minutes; remember, it took you months or years to get good at it. Learning 'on the job' with someone more experienced, and bringing more junior colleagues up to speed, are critical activities.

Travelling

Auditors are often road warriors. Unless you work for a large centralised company, auditors often have to travel nationally and occasionally internationally to visit clients and conduct fieldwork. When you arrive at the Travelodge in Swindon at midnight after five hours of driving through roadworks on the M6 and tailbacks on the M4, it's not as glamorous as it sounds.

Follow ups

Following up on findings and action plans. Good companies have an internal process to monitor audit findings and make sure that what has been agreed gets done. Bad companies let them slide. It usually is that simple, and your auditor knows it. Problems following up findings usually lead to more intrusive audits in the future, as auditors seek comfort over the risks.

Delays to audit fieldwork timescales, meeting cancellations, management defensiveness on audit scopes, and regular requests for extensions on implementation are usually all seen together, and are often more indicative of a company in trouble than the underlying audit findings. If you’re an exec, this is a signal to listen to.

Overall, it’s about producing evidenced, objective findings and communicating them effectively and constructively to both audit management and the client, so that the right actions can be taken.

There is value in audit for everyone, but whether you are the auditor or the auditee, no-one would pretend that every task will have you on the edge of your seat. However, a good audit is not painful, it's valuable. It either tells you things you needed to know but didn't, or gives you confidence that your understanding of your internal control posture is correct. That's useful insight either way.

Of course if you value communicating, think before acting, have an eye for detail, and don’t mind being organised, you might just be a good auditor too.

About the author

Matt Palmer is a former auditor, and a technology and cyber risk leader. He has led global technology and cyber security functions across banking, insurance and capital markets through innovation, change, and M&A. He is director of cyber strategy and risk advisory firm Cyberclaria, a board advisor to several fintech startups, and a board member of a financial services regulator. Both an accountant and a technologist, Matt has presented at many international conferences and was awarded Security Leader of the Year in 2018.

Connect with Matt on Medium, Linkedin and Twitter


What Do IT Auditors Really Do? was originally published in The Startup on Medium, where people are continuing the conversation by highlighting and responding to this story.


*** This is a Security Bloggers Network syndicated blog from Stories by Matt Palmer on Medium authored by Matt Palmer. Read the original post at: https://medium.com/swlh/what-to-it-auditors-really-do-13b7b2d9804e?source=rss-ca0fc895d58b------2