The Lack of Awareness and Misconceptions About the Role of IS Auditors
- Eisaa Org
- Jul 16, 2023

Today, I want to address the misconceptions surrounding the role of an Information System (IS) auditor in organizations. It is not uncommon for some individuals to view IS auditors as faultfinders, while others expect them to fix all problems. During my visit to Addis Ababa last May, I had the opportunity to meet a government organization seeking an IS audit for their data center. Despite the limited time, I engaged in a discussion with them to understand their expectations and needs. It became apparent that they were looking for an auditor to assess their data center infrastructure and resolve all deficiencies, particularly focusing on security and data protection. However, it is important to clarify that an IS auditor's role is not that of a faultfinder or problem solver, but rather to evaluate controls, processes, and systems, uncover weaknesses, and mitigate risks related to data breaches, system failures, and non-compliance with regulations. They carry out these assessments independently, responsibly, and impartially.
Now, I will highlight five reasons why some individuals have incorrect perceptions about IS auditors, followed by five reasons why organizations may expect auditors to fix problems.
Why do some folks have a wrong perspective of the IS auditor as a “faultfinder”?
While it is unfortunate that some individuals may perceive IS auditors as "faultfinders" due to various factors, it is crucial to address these misconceptions. This can be achieved by fostering improved communication, emphasizing the positive contributions of IS auditors, and highlighting their role in enhancing security, compliance, and operational effectiveness. The Ethiopian Information System Audit Association (EISAA) aims to promote a collaborative and constructive mindset to dispel the notion of auditors as faultfinders. Instead, the association seeks to emphasize the vital role of auditors in ensuring the integrity and resilience of information systems.
1. Misunderstanding of Role
The role of an IS auditor is often misunderstood or oversimplified by those outside the field. IS auditors are responsible for assessing the effectiveness of controls, identifying risks, and making recommendations for improvement. Unfortunately, this focus on identifying weaknesses and vulnerabilities can be misconstrued as solely looking for faults, rather than a constructive and proactive approach to enhance security and compliance.
2. Resistance to Change
Auditors often recommend changes to existing systems, processes, or controls to mitigate risks and improve efficiency. However, some individuals may be resistant to change or perceive it as an implication that their current practices are inadequate or flawed. This resistance can lead to negative perceptions of IS auditors as faultfinders rather than recognizing their role in driving positive change.
3. Fear of Consequences
Audits can uncover deficiencies or non-compliance with regulations, which may have consequences for individuals or departments involved. This fear of potential repercussions can result in a defensive attitude towards auditors, painting them as faultfinders who are out to criticize or penalize rather than improve processes and controls.
4. Lack of Communication and Understanding
Communication gaps and a lack of understanding between auditors and the individuals being audited can contribute to the perception of auditors as faultfinders. If auditors fail to clearly explain the purpose and objectives of the audit, or if those being audited do not fully comprehend the auditor's role, it can create a misalignment of expectations and foster negative perceptions.
5. Negative Past Experiences
Previous encounters with auditors who had a purely fault-finding approach, lacked empathy, or failed to understand the nuances of the organization's operations can influence perceptions. Negative experiences can create biases and perpetuate the belief that IS auditors are solely focused on finding faults rather than providing valuable insights for improvement.
Why do organizations expect that IS auditors can fix their problems?
Based on my experience in May, it is evident that certain organizations may hold the expectation that IS auditors possess the ability to fix problems. However, it is crucial to emphasize that the primary role of IS auditors is to assess and evaluate controls, identify risks, and offer recommendations for improvement. While auditors can provide insights and guidance on potential solutions, the responsibility for implementing fixes typically rests with the relevant IT teams, management, or external consultants. Effective collaboration between auditors and these responsible parties is essential to ensure that identified problems are appropriately addressed and resolved.
1. Expertise and Knowledge
IS auditors are highly skilled professionals with specialized knowledge in information systems, controls, and risk management. Their expertise in assessing and evaluating IT processes and controls may lead organizations to believe that auditors can not only identify problems but also provide solutions to address them. The perception is that auditors possess the necessary technical knowledge to implement fixes effectively.
2. Holistic Understanding
IS auditors have a holistic understanding of an organization's IT environment. Through their assessments, they gain insights into various systems, processes, and interdependencies. This broad view of the organization's information systems can make auditors appear capable of identifying the root causes of problems and proposing comprehensive solutions.
3. Efficiency and Effectiveness
Organizations may expect IS auditors to fix problems because they want audits to lead to tangible improvements quickly. Auditors are seen as individuals who can provide actionable recommendations and implement necessary changes efficiently. This expectation stems from a desire to address identified issues promptly and minimize potential risks.
4. Trust in Expert Opinion
Organizations often trust the opinions and recommendations of external auditors. The perceived independence and objectivity of auditors, along with their experience working with various organizations, can contribute to the belief that auditors have the capability to fix problems effectively. Organizations rely on auditors as trusted advisors who can guide them towards optimal solutions.
5. Overlapping Roles
In some cases, IS auditors may have overlapping responsibilities with other IT functions, such as internal IT teams or consultants. This overlap can create expectations that auditors not only identify issues but also take responsibility for implementing solutions due to their involvement in the audit process.
The aforementioned perceptions arise due to a lack of awareness regarding the importance of IS audit and the role of IS auditors. It is crucial to address this gap in understanding. The Ethiopian Information System Audit Association recognizes its responsibility and purpose in creating awareness. The association is committed to collaborating with relevant government entities to foster an IS audit culture and highlight the value it brings not only to individual organizations but also to the broader Ethiopian ICT ecosystem.
In my upcoming blog, I will delve into the significance of IS audit in any organization. Until then, I wish you an enjoyable reading experience and a blessed weekend!
Contributor: Teddy Guday, Chairman of EISAA