Turning Heads and Changing Minds

Turning Heads and Changing Minds: Transcending IT Auditor Archetypes

CHONG EE
Copyright Date: 2013
Published by: IT Governance Publishing
Pages: 158
https://www.jstor.org/stable/j.ctt5hh6nd
  • Cite this Item
  • Book Info
    Turning Heads and Changing Minds
    Book Description:

    Turning Heads and Changing Minds provides the IT auditor (student or practitioner) with an understanding of soft skills. It takes a hard look at common auditor perceptions that can hinder an audit and offers practical techniques for overcoming them. Rather than issue a list of ‘should dos’, the book offers the reader an intuitive, organic approach, with real-life IT scenarios involving general computer, application and third-party controls at various stages of an audit life cycle.

    eISBN: 978-1-84928-475-2
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. ABOUT THE AUTHOR
    (pp. 5-5)
  3. ACKNOWLEDGEMENTS
    (pp. 5-6)
  4. Table of Contents
    (pp. 7-7)
  5. INTRODUCTION
    (pp. 8-15)

    The idea for this book came to me when I was doing the conference circuit. Several times a year, I scheduled time away from work to speak at audit and compliance conferences. Starting in the local San Francisco Bay Area, I branched out to out-of-state locales. My focus was IT audits: I covered anything from general computer and application controls to audit communications and client delivery. Countless red-eye flights (and sleepless nights) later, it occurred to me that participants from varied industries often voiced the same need: how can IT auditors evolve from traditional finger-pointing roles to become convincing partners...

  6. Part I: Archetypes
    • CHAPTER 1: THROUGH THE EYES OF THE SKEPTIC
      (pp. 17-28)

      Our journey begins with the Skeptic archetype (see Figure 2). The first step is arguably the hardest. To step into the unknown requires an equal measure of foolhardiness and willingness to let go. What of, you ask. Old habits, fixations, and illusions, though in no particular sequence; controls that appear to operate year after year; reviews performed even as no exceptions ever get identified. Management signs off on the dotted line and the company attains an A on the audit scorecard. The auditor as Skeptic questions this status quo: how can controls remain static in spite of organizational, system, and...

    • CHAPTER 2: FORGING AHEAD WITH THE SLEUTH
      (pp. 29-40)

      As a kid, I was entranced by Miss Marple and Hercule Poirot. I spent summer vacations cooped up in my room combing through Agatha Christie’s detective novels. Little did I know then that I would be manifesting a Sleuth archetype when auditing in the not so distant future. Whilst the Skeptic archetype is characterized by openness to uncertainty and ambiguity, the Sleuth archetype takes this a step farther, bridging an open disposition with tangible, concrete action. In this regard, the Sleuth archetype is about gathering clues, wading through seeming paraphernalia, piecing together parts of a puzzle to make a whole...

    • CHAPTER 3: SAFETY UNDER THE PROTECTOR
      (pp. 41-54)

      When you turn the page in an IT audit or security textbook, words like attackers, hackers, cyber criminals pop up on almost every page. Budding IT auditors are trained to spot suspicious malicious insiders and guard against phishing, brute force, and other network attacks. The Protector archetype emerges when the Sleuth archetype identifies an area that needs securing (see Figure 4). Are our backups effective? Do we have a rollback plan for emergency program changes? Are controls in place for administrators or superusers? If not, what can be done? Management looks to auditors to propose a course of action and...

    • CHAPTER 4: MAKING STRIDES WITH THE PARTNER
      (pp. 55-68)

      Most of us, clients and auditors alike, do not view auditors as partners. When we do, we are more likely to think of audit partners, owners joined by their pooled interest in the audit firm, rather than individuals with whom we can form strong symbiotic relations. In fact, the archetypes covered earlier – Skeptic, Sleuth, and Protector – are more likely used to characterize an auditor. Auditors are often perceived to be a stuffy lot, more at home with sifting and cataloging control paraphernalia than driving any real change or improvement in how things work. Yet, by assessing a process...

  7. Part II: Transcendance
    • CHAPTER 5: IN SEARCH OF ESSENCE
      (pp. 70-84)

      We started this book by looking for the essence behind various roles that auditors play (see Tables 1 and 2). In undertaking this journey, we covered the Skeptic Sleuth, Protector, and Partner archetypes, yet how close have we come in truly understanding each of these images? Might each in turn yet constitute a form given rise to by an underlying essence, a puppet, as it were, manipulated by an invisible hand?

      Take openness in a Skeptic archetype. What can give rise to openness? How about its polar opposite: segregation, an insistence on clarity of boundary, right versus wrong, the very...

    • CHAPTER 6: SHADOW-WORK
      (pp. 85-99)

      As auditors, we often find ourselves in circumstances that are different, confounding the very best practices or checklists at our fingertips.

      Employees should not be set up as vendors in the system, yet there were no other means of reimbursing expenses.

      Backups have been configured to run nightly, but the recent slew of notification emails revealed failures over the course of multiple days.

      A newly implemented intrusion detection tool has been disabled due to an overwhelming number of false negatives.

      An augmented round of approvals has yet to preclude errors from arising in submitted transactions.

      When tested, we take on...

    • CHAPTER 7: INTEGRATING INDIVIDUAL AND COLLECTIVE
      (pp. 100-116)

      In working with archetypes and their shadows, it can be easy to personalize specific archetypes. Yet, as Jung points out, archetypes are located in the collective unconscious, where experiences shared by humankind are collected and organized in a similar way. There is also a larger shadow at hand: the collective shadow (see Figure 8). Professor of Comparative Literature, Steve Walker, remarks on how the collective shadow rears its head when we project our collective shadow onto another group, political party, or nation.30Originating in the late nineteenth century, the Yellow Peril was used to characterize the threat to Western living...

    • CHAPTER 8: AWAKENING TO OUR TRUE POTENTIAL
      (pp. 117-137)

      Most of us are familiar with integrated audits where auditors, in addition to opining on financial statements, express an opinion on the effectiveness of a company's internal controls over financial reporting. Yet, how many of us are familiar with integrating our shadows?

      As auditors, we are familiar with control self-assessment, where process owners perform tests of operating control effectiveness. Yet, how many of us perform periodic self-assessments of the archetypes we embody?

      In Buddhism, kleshas are mental states that cloud the mind and manifest in unwholesome actions. Referred to as the three poisons in the Mahayana tradition, or three unwholesome...

  8. Part III: Postscript
    • CHAPTER 9: NO SCRIPT
      (pp. 139-154)

      Audit originates from the Latin wordaudītus, which means the sense or act of hearing. Yet, how many of us, in the face of looming deadlines and countless checklists, take the time to actually listen to our clients? Auditors and auditees need each other. Auditees rely on auditors to provide an honest, unbiased perspective on the current state of affairs. IT auditors, in particular, can provide a unique insight into the inner workings of a system that auditees in business and accounting domains are not privy to. In thinking about the role of auditors, I’m reminded of thekōan:

      If...

  9. ITG RESOURCES
    (pp. 155-158)