Qualities of a Trusted Information Systems Auditor

The information systems auditor’s journey is one of exploration because each time we encounter new risks, processes and controls, they become a part of our work. The days in 2021 are winding down, which triggered me to take stock of the profession and internalize the qualities that a trusted IS auditor needs to have in the ever-changing profession as we move into 2022.

As the profession evolves, IS auditors’ roles in organizations have become indispensable, which calls for all IS audit practitioners to reinvent their qualities to stay relevant. This reminds me of the history of dinosaurs, who no longer walk the earth as they did during the Mesozoic Era. I am writing this so that IS auditors do not become like dinosaurs, too. Other than leading audits, assurance, and advisory engagements to provide technical advice to management and board, a trusted IS auditor in any organization – and one that can expect longevity and success – should demonstrate the following attributes:

• Become certified if you’re not yet because having the CISA certification is proof of an IS auditor’s credibility and expertise in IS auditing, control, and security and being among the most qualified in the industry. Holding the CISA certification is proof of having the relevant full-time work experience from the CISA exam content outline.
• Possess high-level technical knowledge. With the explosive surge of big data, no one will be immune from disruption, so take this opportunity to embrace and expand your technological capabilities for the long run. This requires accelerating plans to expand the use of technology in your practice. Now is the time to enhance your technical skills and develop new ones. In other words, use this time to ramp up plans for the use of expanded technology solutions. According to John Bednarek, “AI Will Not Replace Auditors, but Auditors Using AI Will Replace Those Not Using AI.”
• Master digital body language skills. Most audits have moved from being conducted onsite to remote. This requires an auditor to master how to engage audit clients in the entire audit engagement. Remote auditing calls for re-imagining how we collaborate. I had an opportunity to attend an event hosted by ISACA on digital body language, and here were my key takeaways:
  • Reading messages or documents is the new listening
  • Writing is the new empathy
  • Make it a norm to send an email recap immediately after a virtual meeting together with action items
  • Be mindful before using emoticons
  • Join a meeting on time
  • Inform others when you are dropping off the call
  • Ask audit clients about their comfortable communication modes
  • Avoid the confusion of copying too many people in an email
  • Avoid the pressure of communicating back quickly
  • Avoid unnecessary meetings – instead, request a quick chat with your audit client. Finally, learn to differentiate clear communication from brief communication (i.e., choose to be clear and understand before you respond).
• Show the ability to apply fresh thinking to existing best practices to tackle emerging issues, especially when making recommendations. Current and future employers no longer want to hire auditors who will wait to be told what to do because the roles and processes of auditing for practicing auditors are and will remain the same, but the way audits are conducted is changing to address these new realities. For example, audits are automated, there is an increase in agile and remote audits, audits have shifted from traditional methodologies to agile, etc.
• Advocating for the company’s brand. It is easier for someone to transact business with someone who they know. Employers no longer believe that customer service, relations or success is a departmental responsibility – they hope to have an auditor who will be able to build an understanding of client business and markets to assist in the development of client relationships and developing a commercial mindset on how work performed impacts profitability at the engagement and practice levels. This is considered with the view that the auditors should have the objectives of the business at the heart of everything and be ready to go above and beyond with a positive attitude in achieving what this role requires.
• Develop an auditor instinct. Although auditor instinct doesn’t show up in job descriptions, it is a competency that hiring leaders are evaluating when they interview candidates and that managers think about when evaluating job performance. Developing this skill will be hugely beneficial to your career whether you are in the first, second or third line of defense.
• Have organizational skills. In my experience with various IS audit engagements, understanding that audits are deadline and output-driven was something I took seriously through being organized, time management, being able to multi-task, agility, flexibility, defining priorities to finish what matters, meeting deadlines, being transformative, and having the courage to think and act boldly.
• Analytical skills. To thrive in audit, you should be a detail-oriented person, or you may fall into a risk that we refer to as “detection risks” (Detection risk is the chance that an auditor will fail to find material misstatements that exist or give a wrong conclusion on audit findings). An audit requires a lot of analysis and documentation review. It is said that “the devil is always in the detail,” and “the smartest person in the room happens to be the one who reads,” so ensure that you read and can understand the full context of the content. Paying attention to details will help you to gather facts instead of faults in your audit reports and avoid bias.
• Continuous learning and adaptability. Always be ready to learn new things – for example, knowledge of ESG (Environmental, Social, Governance) initiatives. Although there are no ESG standards yet, this is an area that will be essential for IS auditors to know about and to become a role model for other staff. Learning requires one to be open-minded, self-aware, and be vulnerable enough to ask questions in areas where you need more information because, in some scenarios, you may find that the audit clients know more about the systems and processes than you do as the auditor. Don’t be afraid to say you don’t know or that you aren’t sure how something works in detail, even if you have a hint about it. It is important to adapt your thinking when facts change.
• Communication skills. Learn different communication styles that encourage intentional communication to foster better relationships with audit clients and always listen carefully before you respond. Additionally, apply critical thinking before making an audit opinion.
• Be ever curious. Shake up learned patterns, always go on a mission of discovery, and always ask “why?”
• Ethical resilience. IS auditors should have the capacity to restore and sustain integrity in response to moral or ethical adversity and offer a path forward.

Striving for excellence
You achieve all these attributes with time and experience by the values and behaviors that you reinforced in previous years of hard work and dedication to the profession. These attributes will enable you to strive for professional excellence. So, when it comes to the future of your career in audit, don’t just prepare for it, change it. In very simple terms, Be the Best Information System Auditor You Can Be.