IT auditing is more about people than technology

I was recently asked the following question in one of my forums:

“Some of the challenges I face pertain to the anxiety system administrators face before I come on-site. They are defensive from the time I walk in to the time I leave. They don’t take too well to people telling them a control may not have been properly implemented.”

IT auditing is not *really* about the technology at all, but about the *people* who design, build, and operate the technology. Servers don’t have feelings and egos, but people certainly do.

My advice is to do what I do – have a good “bedside manner” and put the patient at ease. Explain why you are there in as non-confrontational a manner as possible. Say things like, “I’m here to help understand how things are done here and how I can help with these compliance needs.” Explain that the standards and audits have gotten a lot harder these days, which requires a lot of changes. Empathize with them; be there as a guide who is also learning.

I also suggest that you take the approach that you are there to learn what they do. Make yourself “less good” than them, so that you are not a threat to them. Say things like, “I’m here to learn about these systems that you built and manage,” not “I’m here to see what you’re doing wrong.”

Have a gentle touch. Be confident and friendly, but non-threatening.

I meet new colleagues all the time. This works, as long as your heart and your mind are in the same place. People can see through a facade and will distrust an auditor who is acting.
