I was recently asked the following question in one of my forums:
“Some of the challenges I face pertain to the anxiety system administrators face before I come on-site. They are defensive from the time I walk in to the time I leave. They don’t take too well to people telling them a control may not have been properly implemented.”
IT auditing is not *really* about the technology at all, but about the *people* who design, build, and operate the technology. Servers don’t have feelings and egos, but people certainly do.
My advice is to do what I do – have a good “bedside manner” and put the patient at ease. Explain why you are there in as non-confrontational a manner as possible. Say things like, “I’m here to help understand how things are done here and how I can help with these compliance needs.” Explain that the standards and audits have gotten a lot harder these days, which requires a lot of changes. Empathize with them, and be there as a guide who is also learning.
I also suggest that you take the approach that you are there to learn what they do. Make yourself “less good” than them, in order to not be a threat to them. Say things like, “I’m here to learn about these systems that you built and manage,” not “I’m here to see what you’re doing wrong.”
Have a gentle touch. Be confident and friendly, but non-threatening.
I meet new colleagues all the time. This works, as long as your heart and your mind are in the same place. People can see through a facade and will distrust an auditor who is acting.