Many organizations, Including the IT function, live in fear of the auditor.  The auditor sticks their nose into everybody’s business. They’re looking for problems. And they usually have no trouble finding them.  More and more auditors are focusing on the technology and the value it is supposed to produce.
Instead of fearing the auditor, IT should recognize their dearest friend.  Auditors aren’t focused on technology for technology’s sake. Instead they are trying to understand what the organization got for all the money they spent on this technology. If technology projects were implemented with clear business goals in mind, there is every chance they will find real business value. But if the technology was delivered with a focus solely on the technology then it is likely the auditor is going to point out no return was garnered from a large investment.  Regardless, this is good news for IT.
If there was real business value found, that system has proven it’s worth and the base line has been created to assess any change that impacts that system in the future.  This can include the impact of infrastructure needing investment. On the other hand, If no real value was found, then  the results of the audit provide the basis for reassessment of the previous investment. Because the auditor focused on, and found fault with, realized business value, so the re-assessment must focus on that missing value.  As business value is created by the function that employed the technology deployed by IT, it is that business function that must address the issues found in the audit.  IT needs to support that business function in this effort.  Only by working together and taking appropriate responsibility can response to the audit succeed.

cartoon-detective
So I say to my colleagues in IT, “all hail the auditor!”

Rob Collins – Nov. 18, 2016