It’s Internal Audit’s Fault That An Issue Was Found!

A friend of mine from many years ago shared the three stages of an audit and how people try to rationalize findings. I’ve been on the receiving side of many internal audit findings, and I’ve seen individuals react the ways described below to unfavorable reviews. The friend said that they had seen the same behaviors so often that they categorized the behaviors. The three categories or stages operated in the same sequence (step 1 then step 2 then step 3) the majority of the time. I have seen these behaviors throughout my career in Information Security. Once I understand that this was the order things would happen, I could create strategies for the next stage that was inevitably coming in my work as an Information Security professional

1. Deny the finding 

Audit example – The conclusion is inaccurate, or the auditor got incomplete/incorrect information from the staff.

InfoSec example – InfoSec reporting is inaccurate, not contextualized or overhyped. Example statement – “the report is not accurate because you didn’t consider all the controls that we didn’t tell you about when we were talking.”

2. Deny the significance of the finding (or argue about the nuances of risk, etc.)

Audit example – The audit finding isn’t a high or moderate risk because of <insert reason>.

InfoSec example – The reporting from Information Security is exaggerated or the use case would never occur in the company. Example statement – “The attack you presented would never happen to our organization. You are overhyping the issue as I’ve never seen that in my career.”

3. Question the motivation of the auditor

Audit example – This auditor is unrealistic and doesn’t like us, so we are only getting audit findings because it’s personal.

InfoSec example – Information Security wants us to look bad, or they want more budget, so they aren’t looking out for the interests of the company. Example statement – ” Information Security has never liked our team and is only focused on calling out what’s wrong.”

Continuous improvement-focused leaders understand that criticism, audit findings, or honest feedback help an organization grow and improve. When I first started in the Information Security field, I dreaded audits as I saw them as a criticism of my work. I took great pride in my work, and to have someone come in and tell me it wasn’t perfect was a miserable experience. I saw that management placed a lot of value on Internal Audit reports, so I decided to understand the function and the role that Internal Audit plays. I went to get my Certified Information Systems Auditor (CISA) certification to help me focus my training and understand my colleagues. I am incredibly grateful that I did this because it completely changed my perspective. From that point on, I saw Internal Audit as a partner who could help me and my teams improve and a group we could partner with to secure an organization. That small perception change has helped me have a better career. The bottom line is that Internal Audit and Information Security are tightly aligned in their missions of reducing risk to an organization, which is what we all want in the end.

Did you have an early experience that changed your perspective completely? Have you experienced the three stages of audit grief? What suggestions would you have when you see this behavior?

The opinions in this article or that I post are my own and do not necessarily represent the opinions of my employer.