A Letter to a young IT Auditor

To a young IT Auditor, and to those who are new to the profession. Heck, I think this article will be useful to experienced auditors, if only as a reminder for things which may have been forgotten.

I’ve always felt that the profession does not get enough out of the young IT auditors. Causes for this phenomenon are many. Newbies may lack confidence. They may lack purpose and clarity. Managers don’t know how to develop. Stakeholders, and the extent of their experience intimidates. The path to growth is not clear. At the end of the day, the root cause is there is not enough PUSH (from the young IT Auditor), and not enough PULL (from management) to get the young IT Auditor to create more value, and grow professionally.

So I wanted to write something for the young IT Auditor. I want to provide you with a set of Maxims to get the best out of you. To grow your skills, to gain more confidence in your capability, to increase the value you add in your work everyday.

I strongly believe in these Maxims. I’ve been doing this for over 20 years now. Knowledge of these maxims have furthered my career and capability. That was not always the case! Many points of my career have stagnated, primarily due to lack of knowledge of certain maxims. So all the more important for me to share them with you, wherever you are in your career journey.

The Maxims for a Young IT Auditor

1. Fear No Subject Matter: You must believe you are smart. That you are capable of learning anything. You have to drop any limiting beliefs in your ability to add value in any context or situation you may be needed in. Just remember, and think about something you already learned in the past, something that seemed ungraspable when you first started learning it. You can easily repeat the success of that learning experience on any new subject matter you choose. Be confident in your ability to learn and understand. Then apply your auditor skills to the areas you learned.

2. Knowledge is Power: You must take it upon yourself to learn something new every day. You have to really enjoy learning. You also have to continuously get better at how you learn. Leverage all of your resources. Pull people aside and ask them to teach you. Read books. Listen to Podcasts. Read other peoples work. You have to have a system of continuous learning. You must also have a system of learning that is efficient and effective in terms of time. Time, meaning you need to be armed with the knowledge at the time you need to apply it. Thus you must anticipate what you need to know, and thus learn (for tomorrow? for next week? next month? next year?) and learn them, on time. You need to know the business, the IT environment, the players, their roles, and what’s important to them. You need to know the risks, the best practices. You need to know what you need to know when you need to know i, and have a system to learn it on time so you can apply it to your work effectively.

3. See the forest from the trees: Newbies jump from branch to branch. That is to be expected, but you must also continuously develop your knowledge of the forest. It won’t happen overnight. But you must keep awareness of the fact that you are in a forest, and you must build out your knowledge of the forest’s details. You're a cog in a larger system, and the more knowledgable you are of that system, the more impactful, and valuable, you will be. So set aside some time in your workdays to continuously learn, and map out the forest. Leverage other people to help you understand the forest. Get a pen and paper and draw the forest out as you continue to explore, and learn about it.

4. Know your roles, and play them well: What do you do? What service do you provide? And For who? What do you not do, for someone who needs you to do it? Maybe today you think you have one role. But take a step back and think about this. There is potential for many roles. Many valuable roles for you to take on and play. Maybe today you are just testing controls. Maybe you design tests. But there are many other roles. You can be a thought leader in a new/emerging topic. You can be a re-designer of audit processes. You can be a go to person for urgent information needs that come from your boss. You can be a strategic advisor to certain stakeholders. You can be a teacher, coach, and motivator of other auditors. So take a step back, and think about the different roles you play. Then think about how you're playing them, and what you can do to play them better. Then strive to make yourself the best at playing those roles.

5. An expert at Murphy’s Law: Stop thinking you have to be an expert at how your business or technology works in order to be effective. Do not be intimidated by this lack of expert knowledge. You're here to think about what can go wrong. You're here to be an expert at understanding and assessing the risk of what could go wrong, as well as what can be done to reduce the risk of the wrong’s occurrence. Look, you still have to have some good knowledge of business and technology. But you MUST be an expert at what can go wrong. So, for each audit you are working on, you have to spend time thinking, learning about, and applying risk management to things that can go wrong. Systems fail. Data is lost or stolen. Humans take risks. Humans make mistakes. Data is wrong. Attackers take action with malicious intent. This is what you're always learning and thinking about. Strive for expertise here, share that knowledge, and apply it to your work. If you think about it, this expertise is paramount to success. I mean, how can you effectively audit if you don’t have a comprehensive picture of what can go wrong?

6. Imagination is Everything: Imagination is the root of all creation. The genesis. All things created by humanity in the physical world were first ideas born in the imagination of humans. Realize this tremendous power, and use it to create valuable outcomes. Spend time to THINK about what you want and need to accomplish. See it in your “minds eye”. Close your eyes and think about what it is going to take to get there. Close your eyes and experience the achievement of the outcome. Also realize that imagination has, and will continue to bring non-ideal things to you. If you think you can’t, you won’t. If you think your boss won’t promote you, it won’t happen. If you think you cannot influence a stakeholder, they won’t be influenced. So take inventory of what you’ve been thinking, what you’ve been imagining, both good and bad. Get rid of all the bad and replace it with nothing but the good. Then, use this powerful tool as the initial point of creation of all the outcomes you want to achieve.

7. The Future Depends on What you Do Today: You must take hold of how you will spend each and every day. I call this concept the “Ideal Day”. One of the biggest professional anti-patterns is being pulled around through your workdays without any rudder. A ship, lost at see, without sails or rudder. If this is you, stop it. Step back, look at tomorrows calendar, and fill it up with nothing but value add things. Base it on the key roles you play. Base it on the key things your boss wants you to be doing. Then follow it closely, with limited exception. What might an ideal day look like for a new IT auditor? Execute an audit test. Write and vet a finding. Teach a teammate about a new technology. Provide risk and control advice to a stakeholder. Take a 1 hour training course. Write up an initial scope for next months audit. Have a continuous monitoring meeting with a stakeholder. Tell your teammates how much you appreciate them. These are the types of things that should be on your calendar today. And when you end your day, create your calendar for tomorrow, and do it again.

8. If Opportunity Doesn’t Knock, Build a Door: You cannot fall trap to waiting on others, on waiting on your manager to provide you with growth opportunities. Maybe you have a great manager who is helping you with this, but nothing will help you grow faster, and in alignment with your capabilities, then taking it upon yourself to build the doors. You have to know where you are on your career trajectory. You have to know what you're good at. And more importantly, where you need to improve. Improving requires learning and opportunity for experience. Think about what you are not good at. Think about what you aren’t experienced at. Then build the doors and break through them. Build the door to manage an audit. Build the doors to manage stakeholder relationships. Build the doors to take on a strategic initiative for the department. Build the doors to take on people management responsibilities. Also, make this topic a continuous dialogue with your manager. Show them that you want to grow professionally, that you are aware of the areas you need to improve in. Show them that you are eager to get better, and to take on challenges / opportunities to show your capabilities.

9. Speech is to Persuade, To Convert, To Compel: Your ability to influence is of paramount importance to your ability to add value, and to grow in your career. So you have to think scientifically about the messages you want to get across to other people, day in and day out. It requires preparation. It requires imagination. It requires thinking and fine tuning. It requires repetition. It requires an understanding of the people you want to influence, persuade, convert, and compel. The more prepared you are, the more confident you will be in delivering the message. The more you believe the message, the more others will believe it. Realize the importance of this maxim and remain conscious of it as you plan and execute on the key messages you need to deliver every day.

10. Everybody Can Be Great, Because Everybody Can Serve: All too often do we fall into the trap that we are owed something. We develop this mindset and belief that the world, our companies, our bosses, and our teammate owe us something. If you find yourself believing this at times, you must shift your mindset. You must adopt a mindset of service. Service to the world. Service to the company. Service to your management. Service to your team. Service to your stakeholders. Serve others through the roles you play. Keep service on top of mind through your days. The more you serve, the more you will be served.

11. I Touch the Future: The world continues to turn. You will soon graduate from your newbieness. You will have greater responsibilities. Greater challenges. Greater problems to solve. The less challenging problems will still be there, taken up by a new class of newbies. Many of these newbies will be looking up at you, looking for guidance, help, advice. They will want to grow, and become like you. But will they? Maybe. Maybe not. Much of it depends on you. A big part of the value they add, and the growth they experience, falls on your shoulders. What are you going to do about it? Well, this is just a new role you play. A teacher, a developer of people, a motivator. A door builder, an opportunity provider. A leader, a visionary. A creator, and breather of culture. You must take on, and embrace, being a visionary of the future, by developing those who will play a big role in building and sustaining that vision.

I hope you find these Maxims useful. I hope they help you recognize bad mental habits and blockers that are impacting your professional growth. I hope they help you see the light towards improving your capabilities. I hope they give you a sense of empowerment in taking the next step in your career. I hope you become a better auditor because of them.