How IT Auditors Can Avoid Becoming Prey in the Corporate Jungle

IT Auditors Corporate Jungle
Author: Ookeditse Kamau, MBA, CDPSE, CEH, CIA, CISA, CRMA, ISO 27001 Practitioner
Date Published: 4 August 2021

“Survival of the fittest,” a phrase first coined by Herbert Spencer after reading Charles Darwin’s On the Origin of Species, describes what may be called the cardinal rule of the jungle. Darwin used it to describe the process of natural selection.

Coming from Botswana, a country that is rich in wildlife, I once sat in the relative security of a tour van with an experienced tour guide at the wheel, watching a majestic lion at the Chobe National Park. Despite the composed look on my face, the rapid beating of my heart betrayed the vulnerability that I felt that afternoon. The lion, however, sat relaxed under the shade of a tree. It was clear who in that jungle was the fittest between us.

Closer scrutiny of this law of the jungle reveals that it is based primarily on two principles: self-interest and self-preservation. According to Merriam-Webster:

  • What is self-interest? – A concern for one’s own advantage and well-being.
  • What is self-preservation? – A natural or instinctive tendency to act so as to preserve one’s own existence.

Sometimes the corporate world resembles the jungle and the rules that come along with it – only the fittest companies make it in this jungle. This world can, without apology, purge the weakest. If one wants to stay in the game – or in business – one has to be “fit.”

In the midst of this jungle, we find the IT auditor, whose values typically oppose the ideologies of self-interest and self-preservation. However, survival in the jungle seems to embody these principles. How, then, do auditors survive in this jungle while playing by a different set of rules?

Auditors are not self-serving in that their work requires them to look out for the interests of the stakeholders of the organizations for which they work. They do this by making sure that the internal control system adopted by the organization will safeguard the organization’s assets and attest that the principals of the organization are taking a fiduciary stance in all their dealings.

So how do auditors remain fit and avoid being prey? At the core of the auditor’s existence is independence. Auditors are to be independent in the organization that they audit and/or work for, and act independently from the area they audit. This means that through their relationships and reporting lines, auditors should be free to report any issues they find in the course of their work.

A fit auditor needs to be independent and objective at all times. Auditors’ independence is what differentiates them as they navigate the jungle. In Threats and Safeguards in the Determination of Auditor Independence, authors William T. Allen and Arthur Siegel state that independent expert judgment is the alpha and the omega of the auditing profession. They acknowledged the growth that has been seen in auditors’ independence while also highlighting that some shortcomings persist.

The ISACA Standard 2003.3 lists the following as some of the activities that can impair the auditor’s objectivity and/or independence:

  • Self-interest—The threat that a financial or other interest will influence professional judgment or behavior inappropriately
  • Self-review—The threat that practitioners will not appropriately evaluate the results of previous judgments made or services performed, either by themselves or by other individuals within the audit function, which practitioners will rely upon when forming judgments in the current engagement
  • Advocacy—The threat that practitioners will promote an auditee’s position to the point that professional objectivity is compromised
  • Familiarity—The threat that due to a long or close relationship with the auditee, practitioners will be too sympathetic to the interests of the auditee, or will be too accepting of the auditee’s work, views or arguments
  • Intimidation—The threat that practitioners will be deterred from acting with integrity and objectivity because of actual or perceived pressures, including attempts to exercise undue influence over practitioners
  • Bias—The threat that political, ideological, social, psychological or other convictions will influence practitioners to take positions that are not objective
  • Management participation—The threat of impairments to objectivity resulting from practitioners taking on the role of management, or otherwise performing management functions on behalf of the entity undergoing an audit or assurance engagement

William T. Allen and Arthur Siegel also state the obvious: that perfect independence of judgment is not possible in this world. This does not mean that auditors do not try. Training is provided to auditors on the subject, auditors live by a code of ethics and, as part of the audit process, they have independence checklists.

I believe that, beyond the independence checklists, the training and the discussions that auditors conduct among themselves and the establishment of a support system from the organization they work for is critical. One system that I have found to build resilience for auditors is the ethics framework that the organizations they work for adopt. Studies have shown that when ethics are built within the fabric of internal control systems, there are fewer instances of abuse and misconduct in the dealings of an organization. People do the right thing because they value the organization’s mission, vision and its shareholders. In such organizations, auditors do not have to brace themselves when conducting audits and the value proposition of audit is easily visible.

The truth is we are not living in the jungle and our systems as humans have evolved and continue to evolve to accommodate all, regardless of physical, emotional and social strengths. This growth is evident as more and more regulators see the value in promoting ethical systems as well as corporate social responsibilities, such as the South Africa Companies Act that requires that state-owned and publicly listed companies should have an Ethics and Social Committee at the board level. This approach can be applied anywhere and will make navigating the corporate jungle a smoother journey for auditors.