My volume 1, 2015, IS Audit Basics column (h04.v6pu.com/archives) focused on what it takes for an audit to be successful. Hard skills, i.e., the acquisition and maintenance of the knowledge and qualifications needed to be a credible professional, will only be touched upon in these articles given that ISACA makes available standards and guidelines,1 best practices,2 training courses, conferences and publications such as this journal.
On the other hand, the soft skills of human interaction do not appear in the topics covered in the Certified Information Systems Auditor (CISA) examination. Audits, however, are carried out by people interacting with other people, and, thus, a successful audit is strongly dependent on the quality of these interactions.
This article begins an exploration of some of the human factors that play a role in an auditor’s success.
How Well Do You Know Yourself and How Do You Perceive Others?
“Know thyself” was one of the aphorisms engraved in the Temple of Apollo in Delphi in ancient Greece. More recently, it has become integrated into the science of emotional intelligence.3
Answering the question, “How well do you know yourself?,” with, “I do not know,” and/or “I do not care,” is likely to result in many dysfunctional relationships and very likely to result in a failed career as an auditor.
But beware: We often rely on self-assessments that may not be entirely objective. William Shakespeare said, “Men’s faults do seldom to themselves appear.”4
To assist in self-assessment, there are several well-established tools, such as the Myers-Briggs Type Indicator,5 the Keirsey Temperament Sorter6 and the Enneagram Test,7 all of which are readily available online and supported by qualified testers.
In itself, it is good to have an understanding of your personality profile, but this is not enough. What really counts is how others see you. Feedback from others—friends, family, colleagues, bosses and more—is important. This requires you to accept what may be interpreted as criticism; something that is not always easy.
And, of course, perception works both ways. However rational, well-adjusted and careful we are, our brains judge others, ranging from the “I admire this person” to “#@&#*$!” and everything in between. All of this happens even before we get to know the person properly. And, others are doing the same to you.
Similarities and Diversity
While in nature all humans are 99.9 percent similar to other humans, no two are genetically identical. Diversity makes life interesting and complex at the same time. Figure 1 shows some of the factors that make every one of us a genuine “individual.”
If you add to this nurture factors, such as education, the result is that interpersonal communications are neither self-evident nor easy. Getting them wrong is just too easy within a single culture and even easier in the multicultural environment that is increasingly found in the corporate world.
The Key to Success is Credibility
How others perceive you matters because it will influence all interactions.
The first set of attributes that support credibility relate to professional matters such as experience, achievements, qualifications, certifications, engagement in continuous education and, on the softer side, an individual’s awareness of what they know they know and what they know they do not know. We must assume that the domain of “what we do not know, we do not know” is not only nearly infinite, but that it keeps growing.
Sometimes, auditors with limited experience are handicapped by a belief that they already know everything they need to know, and they make this clear to everyone who is willing to listen. It is difficult to recover from a loss of credibility in the eyes of the auditees.
Soft skills include personal attributes that make interactions with others work well, i.e., those things that reduce friction, anxiety and suspicion, and those that support effective communication and avoid misunderstandings.
A minimum set of soft skills involves the art of listening, writing and presenting, working with others (including teamwork), time and stress management, negotiations, conflict resolution, conducting interviews, and problem solving. The art of listening is especially important. In fact, the etymology8 of the word “auditor” derives from the Latin word “auditor” meaning a hearer.
A future column will explore a range of soft skills in more detail. Given that we have to work with the brain we have, there are likely to be obstacles to overcome and other limitations, particularly when these involve changing the way we are and how we operate.
Bad Signs
A sensitive person will be quickly aware of how others react to them, both socially and professionally. If, at the planning stage of an audit, the reaction from the target entity includes an explicit wish that a particular individual not be involved, the signs are clear: failure to be recognized as a professional.
Other bad signs include auditees challenging the auditors’ findings as irrelevant or erroneous and/or making recommendations that describe how the corrective actions should be implemented. It is entirely possible that either party may be in the wrong.
The same is true when auditees express concerns—officially or through the informal grapevine—of a lack of confidence, lack of trust or a suspicion of bias. If this should be the case, there is something fundamentally wrong, and if this is escalated to senior management and/or the audit committee, the chief audit executive may be held accountable for such failures.
Good Signs
An auditor who finds the right balance can establish long-term relationships with the auditees, based on mutual respect, trust and a clear understanding of the need to maintain independence, objectivity and confidentiality.
A best-case scenario would see IS/IT professionals feeling comfortable with seeking the advice of their auditors (e.g., on how to conduct an audit-style self-assessment, on how to best prepare for an audit, on what other auditees have done on comparable issues).
Auditees can be encouraged to ask auditors for independent advice as well as to watch and learn and, subsequently, use the knowledge gained to conduct a self-assessment of IT systems, operations and controls prior to the next audit. This self-assessment should be brutally honest and be shared with the IS/IT team. Sharing this with auditors would help considerably in scoping and focusing future audits.
Conclusions
Technical expertise is necessary, but not sufficient to be or become a successful auditor. That is, a successful auditor is one who is credible, respected and personable enough to be considered a valuable source of information and advice.
Having a good knowledge of oneself and the soft skills that facilitate human interaction is just as important as professional knowledge and, probably, harder to acquire. Being sensitive to how others perceive us is at least as important. “O would some Power with vision teach us to see ourselves as others see us! It would from many a blunder free us, and foolish notions.”9
Endnotes
1 ISACA, ITAF, 3rd Edition, USA, September 2014
2 ISACA, COBIT 5 family of products, USA
3 Daniel Goleman, “Emotional Intelligence,” www.danielgoleman.info/topics/emotional-intelligence/
4 Shakespeare, William; The Rape of Lucrece, 1594
5 The Myers & Briggs Foundation, www.myersbriggs.org/
6 Keirsey Temperament Sorter, www.keirsey.com
7 The Enneagram Institute, www.enneagraminstitute.com/
8 www.etymonline.com
9 Burns, Robert; “To a Louse,” 1785
Ed Gelbstein, Ph.D., has worked in IS/IT in the private and public sectors in various countries for more than 50 years. He did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late 60s and early 70s, and managed projects of increasing size and complexity until the early 1990s. In the 90s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data communications provider. Following his (semi)retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. He also teaches postgraduate courses on business management of information systems.