A Question of Relevancy: Communicating IT Issues to Non-IT Stakeholders
Simplifying non-IT audits can pay off for IT auditors and stakeholders.
Vaughn R. Christie, CISA
Information Systems Auditor
The Dow Chemical Co.
In the context of an integrated audit — one that combines information systems (IS) steps as well as operations and financial steps — the primary stakeholders of IS issues may be business managers, supply chain specialists, tax experts, etc. In short, they’re often not IT savvy, and thus vetting, writing, and reporting IS issues brings a new complexity not found in more traditional IS audits.
It’s through these integrated audits that relevancy and its importance to the IS auditor become known. For example, a production manager is accountable for receiving raw materials, producing something meaningful from them, and shipping those products to customers all over the world. Their goals are straightforward: they want to purchase materials meeting specific criteria at good prices, produce quality products at reasonable efficiency, ship them at excellent costs, and sell them to their customers to make a sufficient profit. They know shipping and receiving processes, they understand balance sheets and ledgers, and they have experience in marketing and selling. But in the integrated internal audit, they’re also accountable for drafting and implementing responses to issues regarding their IT. Thus, it’s no wonder their heads spin, and they comment that “IT should just work” or “IT is too confusing” when they hear that their external firewall is set up to allow SYN flood attacks and Internet Control Message Protocol redirects, or that their SQL server is vulnerable to SQL-injection threats. Simply stated, these terms mean nothing to them — they aren’t paid to understand them. They see IT as a black box, a commodity that should work like the flip of a light switch.
Thus, the job of IT auditors is terribly important. First, they are tasked with making IT relevant in the eyes of their audit stakeholders, the people who must respond to the business issues raised; in the example above, that is the production manager. To do that, IT has to be shown as an enabler of their business success. But how?
The first step toward gaining relevancy is getting a sense of what’s important to audit stakeholders. Understanding what their goals are, how they align with the organization’s strategic themes — vision, mission, and value statements — and overall business strategy will help auditors arrive at the topics of interest to them. This information can come from a variety of sources such as the business unit’s goals, metrics they collect, and Internet and intranet pages. Perhaps the best sources of information are the people involved in the day-to-day activities of the business unit. Where are they spending their time? When they make decisions, what are the criteria and relative weightings used to evaluate their choices?
The next problem IT auditors face is not a matter of IT, but how it’s communicated. Auditors have to put IT in terms that are relevant to the audit stakeholder. And in doing so, they should consider risk, and specifically, the audit stakeholder’s appetite for risk. Start with simple questions like:
These are questions that audit stakeholders will likely understand and that should help auditors gauge their appetite for risk. Using IT industry jargon and norms doesn’t work in these types of audits. To IT professionals, technical jargon, diagrams, process flow charts, threat descriptions, and acronyms are all familiar. Unfortunately, they put non-IT stakeholders on edge. It makes sense that such things be avoided on integrated and non-IT audits, where one of the objectives should be to drive technical simplicity in writing, email, and conversation. Further, auditors might try to limit discussion with non-IT audit stakeholders of deeply technical details that, while interesting and supportive of the identified issues, are of little relevance to them or their business.
In driving simplicity, there are a variety of techniques available. First, use peers and colleagues as sounding boards. Second, try to draft issues as if you were explaining them to your closest non-IT-savvy friend or relative. Third, when addressing non-IT or integrated audits, think of them as acronym-free zones. Finally, and perhaps most important, use these opportunities to learn and educate. IT auditors gain education and a broader skill set in a completely different business unit and/or process. They also have an opportunity to educate the audit stakeholder by showing them how IT can enable their business strategy. These are motivators that should encourage auditors to simplify the complexity of IT and tie issues back to relevant business objectives.
SIGNS OF RELEVANCY
Making IT issues relevant to the audit stakeholders is a challenge, made even more difficult if auditors don’t have the luxury of working one-on-one or face-to-face with the audit stakeholder. Some clues that auditors have reached the right level of awareness — and made the issues real, tangible, and relevant in the eyes of the audit stakeholder — include nonverbal and verbal signs. The following examples are based on U.S. customs and vary around the globe.
Nonverbal clues to watch for:
Verbal clues from the stakeholder:
Relevancy is not easy; it requires an understanding of the objectives of each business or unit being reviewed, and it demands a consistent and dedicated assessment, evaluation, and commitment to simplify technology. But it is an attainable goal. Auditors will know they’ve got it when the non-IT stakeholder is actively engaged, working with them to form appropriate action plans, and working to execute those plans in a timely, effective manner.
Vaughn Christie, CISA, is an information systems auditor with The Dow Chemical Co. in Midland, Mich.