MIS 5201.001 – Mike Romeu

Week 03 – Discussion Question 1

Dr. Ed Glebstein, Ph.D. lists and describes in his article “Is There Such a Thing as a Bad Auditor” a number of “Auditor Types” with the intent of helping readers recognize possible weaknesses in themselves.

Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

79 Responses to Week 03 – Discussion Question 1

  • In my opinion, nobody is perfect and nobody knows everything, including auditors. I would consider “the faker” would be the worst type from the standpoint of an auditee. We have been taught that we cannot say “I do not know” when we are asked to provide an answer or opinion. If we do, the auditee may think the auditor is unprofessional. However, it is easy to see through that if an auditor is bluffing, faking and jargon to cover up their ineptitude. Either way the auditor is losing creditability.

    If the auditor is bluffing him/herself by making false statement or recommendation to a client, it is a real danger for the client/auditee because it is wasting client’s time and money, giving them wrong direction and doesn’t add value to the company or the auditor him/herself. In my opinion, it is acceptable to say” let me do some research before I can fully answer this question” or “let me ask my colleagues / specialists” because passing the Certified Information Systems Auditor’s exam does not guarantee you to know everything in the IT auditing field.

    • I agree with you that “the Faker” may be the worst type of auditor from the auditee perspective. Although it may be easy for some auditees to spot a faker for others the faker may slip through the cracks. Slipping through the cracks and becoming a trusted authority on the topic of audit is where the faker can cause the most serious damage to a business. If the faker becomes trusted than whatever they say and do becomes acceptable without question as the correct and valid thing to say or do when it comes to audit. That can be dangerous as it may be in direct violation of an industry, regulatory, or statutory standard with which comes serious penalties if not followed with strict adherence. So although the faker may just be a momentary pain to a more seasoned auditee, to a newer auditee the faker could be a catastrophic consequence.

      • You are definitely right Sean. The faker could be a catastrophic consequence to the auditee. Sooner or later, all false statement will see the light of day. The auditee will see itself fined by the authorities. This is why it is really important to do research before hiring auditors. It also underlined the importance of reputation because the industry is full of impostors who will bring you more problems than solutions.

    • I agree with you Yu ming, the faker is incompetent in certain area and mask the incompetence with lying instead of building their skills. Auditors are risk, compliance, and process experts, but not necessarily experts in everything their clients do. When faced with complex situations, the faker will attempt to “fake it” instead of learning the industry or processes. This is dangerous. this type of auditor prevents the completion of productive engagements. The evaluation of the control environment is not based on a truly objective review. This compromises the integrity of the entire audit.

    • I agree with you, Yu Ming. “The faker” might provide false statements or recommendations to clients, it wastes the company’s time and resource if the company just follow the false statement or recommendation. Other types of auditors, even though they are lazy, geek, or timid, I think they can still contribute the company some useful thoughts. People can’t be perfect, it is the normal thing that people have different weaknesses. However, “the faker” has no advantage for the company because they lie all the time in order to pretend they know as much as other auditors.

  • I agree that all auditors have their undesirable traits. No one will have everything that you want. I would have to say that the faker is the worst. If you know more about controls and less about regulations, you should have the integrity to say that you don’t know HIPPA or PCI regulations and let someone else deal with those audits. Not being able to say that you need more help will only lead to problems for the company. Mistakes that should have been caught, would not have been caught and could lead to data breaches or penalties for not following government regulations.

    • I agree with you Blake. I like that you mentioned “integrity.” In fact, integrity is critical to the well-being of society and the records that are generated as a result of audits conducted. A good auditor must have integrity principles in their personal character; as you mentioned the faker does not have this characteristic and that is an issue.

  • Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

    From my personal standpoint, I would choose “The Lazy” IS Auditor as the worst type. As being the auditee, I would want an IS Auditor to be the total opposite of Lazy. I believe constant innovation is key much like technology and if my auditor could not keep up they would create a cesspool of vulnerabilities due to their lazy risk assessments and lack of motivation. According, to the definition of “The Lazy” these auditors can be identified by poor or incomplete working papers, few or no tests, a focus on low-impact, low-risk topics”. Auditee’s should not be okay with these behaviors. Personally, speaking I would not be okay with my auditor preforming little to no test and delivering incomplete documentation. I believe being this type of auditor totally undermines the overall duty of an auditor to ensure compliance with established internal control procedures by examining records, reports, operating practices, and documentation. They need to be able to assess assets and liabilities by comparing items to documentation. Completes audit work papers by documenting audit tests and findings. Overall, the auditees should be concern that their audit are perform accurately as stated above, because this allows their organization to combat threats, as well as be efficient and prosper.

    • Great post Magaly. The Lazy type can yield a absolute wrong result. They would be dependent on previous documentation, or worst the previous report and do a copy paste.
      However with this kind, the audit report reviewer or senior auditor will easily catch hold of him and his mistakes. It is very difficult to justify why have you included an observation and why you have not. When the report is reviewed thoroughly, the lazy auditor will have a extremely hard time. He will not have evidence to justify his own report. Lazy auditor will have to go back to the auditee to verify what he has not when coupled with a good type of senior auditor, reviewer or peer.

    • Laly, would you be ok with an auditor who has no idea about what he/she is doing? i mean what’s worse? one who is ignorant and refuses to learn or one who knows things but is just lazy, need a little push? I think lazy auditors are still good at observation and inquiry. They are still able to provide sound audit recommendations. the downside is that they have issues completing audit engagements. Don’t get me wrong it is still a bad personality, but not the worst in my opinion.

      • I think Lazy is worse in the auditor. If a person is lazy, he will not able to collect and analyze evidence, and he may past last year audit results and documentation. the lazy factor, which is likely an underlying issue that stands in the way of you enjoying your career (and perhaps your entire life). The lazy employee may ignore the significant audit results due to provide complex substantive test. The lazy people will not observe and inquiry, because it is too complex work and bring trouble things for themselves.

    • Great post! It is obvious that no one wants this type of auditor. However, I think it the type that would bring the least problem. True that they are lazy and will not do the job the way they are supposed to, but at least they will not be faking. They will do the bare minimum and sometime present incomplete work. But their supervisor will always catch on the missing part and make it right. This type can only slow things down contrary to fakers that can create much greater damages.

  • From the standpoint of the auditee, and even the organization hiring that auditor, I strongly believe that the faker is the worst type of auditor. In fact, an auditor can be lazy, dominant, stressed etc. but there is nothing worse than not knowing what they are doing. I mean, one of the crucial characteristic of a good auditor is to determine what is relevant and what is not; how can someone who does not know what he/she is doing can successfully do that?
    A faker is a danger for the auditee because he/she would be depending on a wrong audit reports and this could negatively impact their business. Indeed, chances are that the “fake” auditor will either look at the wrong documents or software system during the audit, or simply omit crucial points such as identifying the lack of firewalls for example, and won’t admit it.
    An auditee cannot rely on an auditor who fakes his finding. A good auditor is constantly learning and should be honest when he/she does not know a concept, and find a way to be better. Lying about one’s skills is a dangerous thing especially when others rely on you to meet business and stakeholders’ needs. There are a lot of controls and regulations that an auditor must know in addition to the specific type of business being audited. Yes, google may be a good resource in some cases, however, if that auditor does not understand the concepts, such as how to apply COBIT 5 framework to help the auditee create optimal value from IT, internet would not be very helpful. In fact, there is a difference between, looking up a definition, and understanding and how to apply a concept.
    Thus, in my opinion an auditor who fakes his/her abilities should not even be hired in the first place and if they are already on board, they should be fired because this is a “fraud”, unless they take the necessary steps to acquired necessary knowledge to become successful in the field.

    • You mentioned very good points. I agree with you that the faker is a danger for the auditee. Auditee should be able to rely on auditor’s information. False information can mislead the auditee, and it can make a huge negative impact on the company’s future. The faker can ruin companies trustworthiness, and they will lose their validity in the field. I also agree with the part that you mentioned about the faker should not be hired in first place, or fired if he/she is on board. This can be a good way to prevent fraud in companies, and this way can persuade people to stay far away of being dishonest.

    • You mentioned very good points. I agree with you that the faker is a danger for the auditee. Auditee should be able to rely on auditor’s information. False information can mislead the auditee, and it can make a huge negative impact on the company’s future. The faker can ruin companies trustworthiness, and they will lose their validity in the field. I also agree with the part that you mentioned about the faker should not be hired in first place, or fired if he/she is on board. This can be a good way to prevent fraud in companies, and this way can persuade people to stay far away of being dishonest.

    • You mentioned very good points. I agree with you that the faker is a danger for the auditee. Auditee should be able to rely on auditor’s information. False information can mislead the auditee, and it can make a huge negative impact on the company’s future. The faker can ruin companies trustworthiness, and they will lose their validity in the field. I also agree with the part that you mentioned about the faker should not be hired in first place, or fired if he/she is on board. This can be a good way to prevent fraud in companies, and this way can persuade people to stay far away of being dishonest.

    • Nice post Alexandra. Lying about your knowledge can be very risky especially because the auditee would most likely be an expertise in that field and would very easily find out if you are lying or not. Not only that it is difficult to fake knowledge for a longer period of time. The Faker can therefore incorrectly determine the risks as he may not really understand or miss on some of the risks which can be harmful for the audit itself. Without understanding the technology, he cannot make any useful recommendations to benefit that function. An auditor should always be quick to learn and correct themselves if wrong. Lack of knowledge does not make an Auditor bad, but it is lack of interest to learn or update his skills which can cause audits to fail.

    • Great post Alex! I totally agree with you on this one, but companies do not know that they are hiring fakers. In fact, they are fakers because they are not who they said they are and got hired based on those false statements. One thing companies can do is to strengthen their background check process and hire auditors only based on their reputation and experience.

      • I agree with you, Said. You mentioned about the reason why a faker can be a faker in a company is because they know how to pretend they know stuff. Some fakers can be caught by experienced auditees, but some fakers may very good at pretending. People are very hard to notice they actually don’t really know how to apply those important concepts. So, at the first place, during the interview process, companies should check their knowledge like you said. Also, companies can train new employees to make sure they master the important knowledge.

    • Hey Alex, good post, I strongly agree with you that faker is the worst type of auditor. If they issue wrong opinions to the auditee, They can cause the most catastrophic damage to a business. There is a lot of sources available like COBIT 5, NIST for the auditor to refer to. A responsible auditor are meant to be reliable all the times!

  • In the article titled “Perspectives From a Seasoned Practitioner”, Dr. Glebstein defined the concept
    of “auditor” as follows:

    A – Analytical
    U – Unbiased
    D – Diplomatic
    I – Independent
    T – Thorough
    O – Objective
    R – Reliable

    While I could answer this question from my personal perspective as an auditee, I chose to use antonyms of the auditor concepts per by Dr. Glebstein to objectively determine the worst type of auditor.

    Regarding the notion that Well-Connected professionals become IS Auditors based on nepotism or favors indicates the potential for lack of objectivity. Arrogance implies a lack of diplomacy, and IS Auditors who are not inclined to do a good job may be disorganized, careless and unreliable. Worse yet, the sense of entitlement associated with IS Auditors who are hired and/or promoted based on quotas can lead to inferior performance, disproportionate reliance on others, and imbalanced workloads that can undermine the Audit Department infrastructure.

    An effective Audit Chief (CAE) should be able to easily identify traits of The Faker. Progressive audit departments should also have post audit surveys, mandatory training requirements, and routine performance evaluations that would “root out” such inferior employees.

    In a professional organization, the terms “Lazy” and “Auditor” should not be tolerated, since laziness implies inattention (vs. thorough) and irresponsibility (vs. reliable). As with The Faker, an effective CAE should easily identify such poor performers based on quantitative KPI’s – e.g. the number of audits completed on time, within budget and/or cycle time – as well as qualitative KPI’s, including the nature of audit recommendations and their perceived value to the organization.

    Dr. Glebstein referred to his “Stress Creator” friend as a most effective auditor – insightful, experienced and personable – which are likely the traits the auditee would experience. Hence, the Stress Creator enacts more harm on their audit colleagues. Open, honest employee communication with the CAE and/or HR could remedy such situations. Unfortunately, it sometimes takes exit interviews of good employees to bring such intolerable situations to light.

    By virtue of the fact that audit is a service, and auditees are clients, it is likely that The Bureaucratic auditor would be exposed if they asked for more evidence than is necessary and/or if they conduct their audits inefficiently. Additionally, IS Audit functions that make unrealistic client demands should be detected by savvy, engaged Audit Committee members. Hence, it is incumbent on the CAE to ensure ineffective IS Auditors are closely supervised and monitored.

    Dr. Glebstein referred to The Cookbook Auditor as being “mediocre but arrogant” – both traits that defy the auditor concepts of reliable and diplomatic. Unfortunately, due to the lack of IT resources, these services are often procured by Internal Audit departments in an outsourced or co sourced model. In these situations, it is likely clients will encounter “newbies” who are educated in IS Audit techniques but lack hands-on experience and emotional maturity. Such situations can be addressed by having robust Service Level Agreements that specify minimum qualifications/experience; and require junior auditors to be supervised, their work to be independently reviewed, and their recommendations to be vetted.

    The description of a The Timid IS Auditor provided by Dr. Glebstein as smart and knowledgeable but introverted and unassertive does not seem to put an auditee at a significant disadvantage. If the question sought the best type of auditor from the perspective of the auditee, The Timid would get my vote!

    It is not unusual for The Geek to have weak interpersonal skills but very effective IS Audit competencies. Their superior capabilities may cause them to be inadvertently rude, and their obsessive tendencies can lead to inefficiencies. With proper supervision/oversight and effective pairing, this type of IS Auditor may not be detrimental to their clients.

    Based on the foregoing, I have concluded that the worst type of auditor from the perspective of the auditee is the one who is Well-Connected. This conclusion is supported by the fact that ISACA’s Code of Professional Ethics requires certified IS Auditors to perform their duties with objectivity. It is likely that a well-connected auditor will be unable to be objective if they are not professionally or organizationally independent in both attitude and appearance.

    • Great post Candace! I totally agree with your comments about the Stress creator type.
      According to study conducted by Richard Lazarus, stress goes to various appraisal levels and influences specific type of performance. At secondary appraisal, the person begins to think what he can do his best to lower the stress. A moderate level stress in fact optimizes performance.
      A study conducted by Freddi choo states auditors performance improvement as stress increases from a low to moderate level with optimal performance at moderate stress level and decremented performance at excessive stress level. I believe the same applies to auditee. Given a freeway, auditee may not even take efforts to gather required documentation, or would take the audit casually. Some stress would drive audit in a right direction. A stress giver will definitely collapse the auditees stability and return with less or no information.

  • In my opinion, the worst type of auditor from Dr. Glebstein’s list is “The Bureaucrat”. The Bureaucrat is described as an auditor who “sells” projects to the business but doesn’t produce the proper return on investment. The Bureaucrat is an illusionist, who seems to have a company sponsor / budget for IS/IT projects. Instead of focusing / prioritizing on mission critical projects producing higher ROI, they get too technical and try to implement irrelevant solutions to make a busy impression.

    To reduce the chances of someone turning into The Bureaucrat, I would recommend assembling a technology committee to review all projects before, during, and after the process. The project should have specific benchmarks and performance metrics to realize returns and prevent over-spending.

    The Bureaucrat is the worst for an auditee because they prevent a good return on investment. One of the hardest things to do is get the company to fund a project. There is only a limited amount of money for projects, and you are affecting other employees by intervening with their everyday routine.

    Imagine if the City of Philadelphia (Auditor) said they were going to widen Broad Street to reduce traffic and car accidences. By doing so, travelers will have to use other side roads until the work is completed. As a driver (Auditee), we accept the burden because the end result will be a quicker and safer commute. The City of Philadelphia decides it wants to have state-of-the-art system similar to the I95 roadways because it will produce the fastest and safest route. The decision sounds great, but after going over budget we realized the I95 roadways were too much because Broad Street doesn’t get as much traffic as I95, the buildings are too close, and there isn’t side street parking. And I wasn’t able to use Broad Street during the entire project.

    The Bureaucrat sold the CFO, the CFO said “yes” to the money, the operations manager said yes to the audit, and after everything was said and done, the Bureaucrat is behind schedule, and over budget.

  • Dr. Ed Glebstein, Ph.D. lists and describes in his article “Is There Such a Thing as a Bad Auditor” a number of “Auditor Types” with the intent of helping readers recognize possible weaknesses in themselves.

    Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

    I would say the worst category of the Auditor types is The Well Connected from the standpoint of the auditee. Why? They are made to become auditors because they simply “Well’ know someone in a higher position in a company. No mention is made of their poor qualifications or skills in Auditing.

    The reason why Auditee hires Auditors is to ask them to identify possible vulnerabilities so as to mitigate risks. In order for the Auditors to meet the expectations, they should have in-depth knowledge and understanding of the specific field they are auditing. It will be very frustrating to see if Auditors couldn’t conduct their work properly or generate ridiculously poor quality of the work.

    At least, if people are disqualified for what the position is, then they should not be hired even though their father/mother/good friends are the hiring manager.

    • I agree that The Well Connected auditor is one of the worst types, though I’m now thinking from the standpoint of the audit team and its leaders, rather than the auditee. The Well Connected is hired due to pressure from someone in a position of power, which means that, once hired, this auditor can be very difficult to get rid of. In addition, due to their ability to acquire the job with little, if any, effort on their part, they can develop the mindset that they’re untouchable. I could see the Well Connected auditor developing traits from The Lazy and The Faker as well, thinking that they’re secure in their position and do not need to put in as much effort as others or learn about new business processes or technologies that may be audited.

      • I too think that the well connected is a bad type of auditor. Initially I thought that it may not be that bad, but when I thought more about it, I changed my mind. How could someone be independent when they may have been given the job as a favor to an executive? I think that would be very hard, especially if they don’t have previous audit experience. You definitely don’t want anyone that feels protected, which a well connected may if they have an executive on their side. If someone felt protected, they may not put in the effort to do a good job.

        I do still think that if someone did a good job at an other organization and was hired on a recommendation, that would be ok. I wouldn’t have a problem with this because while they got the job through a connection, they don’t have a real connection in the company.

  • The Faker is the worst from the perspective of the auditee because there are times that they will receive information that is not accurate due to the faker. This will decrease the trust that the auditee has for the auditor. Also, the auditor will lose credibility when the false information re-surfaces. An auditor needs to leave room to learn, grow, experience, and continue to develop as an auditor. The lazy would be the second worst but I think that a wake up call could transform a lazy auditor. There is a sense of arrogance to a Faker that will not allow them to realize a wake up call. It is important to be honest with yourself and your team about how knowledgeable you are on certain topics. It is important to rely on SMEs on your team when you are not knowledgeable on certain topics. You may only have one chance to provide accurate and correct information to your customer. All it takes is one mistake and a customer may leave your team for a competitor. Overall, the faker does not help the business reduce IS/iT-related risk or help the auditees focus on the best opportunities for improvement because they actually increase the risk and point the auditee in the wrong direction.

  • IT audit values independent skilled assessment of risks and controls. As an IT auditor it is important that you evolve as the industry is evolving. True traits of an auditor are clearly seen through the auditor’s experience, education and most of all his behavior traits as a human being. Ed Gelbstein, Ph.D.in his article “Is there such a thing as a bad IT auditor” has touched base with the fact that personal traits influence the professional behavior. And I totally agree with his viewpoint. While reading this articles I recollected a lot of instances where I encountered these types of auditors. Imperfection is a characteristics of humans and their negatives affect the way they perform tasks. I believe the bad auditor behavior is not a purposeful behavior but it’s natural to a type of person he/she is.
    From the various types listed, I believe the worst influence on audit result would be by the ‘The Faker’ and ‘The Timid’ types. Both these types throne the auditee and give him the rights of concluding the audit. An auditee is a person who has certain expectations when he is undergoing an audit. He wants a judgement by a person who is having better knowledge for inspection. He wants a certificate of assurance. And yes, there are types of auditees that influence the audit too. However the auditor must drive the audit. ISMS defines independence and decision making roles of the auditor. Auditor’s behavior drives the audit.
    The Faker type would not be able to complete the audit at a satisfactory level. Any discussion goes in depth as it continues. A Faker establishes a lie at the beginning of audit and as conversation gets deeper his level of understanding keeps falling. He will not only miss a possible observation but also give a wrong information to the auditee. One wrong doing affects several other areas. Example, a faker pretends he knows well about a new technology like Drupal. He cannot make comments on vulnerabilities in Drupal, he has to agree what the auditee is stating. The effect of audit is nullified. Had the auditee to decide if he’s complaint or not, there is no need of an audit.
    A timid auditor too falls prey to auditee driven audit. Being knowledgeable he might see the flaws but they get suppressed in front of a strong auditee. He would tend to miss or purposely skip many steps to come out of the frustrating situation. This again nullifies the purpose of the audit.

    Both parties must realize that audit is not war. Both the auditor and auditee are in same team and work towards company objectives. Professional are acquirable and can be gained with practice. Auditors must self-assess using Ed Gelbstein article and try to transition to as better type.

    • I agree with you Priya. Lazy auditors cannot work independently since they do not put so much efforts on their jobs. They will probably have many incomplete tasks that cannot be completed on time. I also believe that lazy auditors can be so careless because they cannot concentrate about on the job at hand, and this can become a huge loss for the auditee.

    • I agree with you Priya. Lazy auditors cannot work independently since they do not put so much efforts on their jobs. They will probably have many incomplete tasks that cannot be completed on time. I also believe that lazy auditors can be so careless because they cannot concentrate about on the job at hand, and this can become a huge loss for the auditee.

    • I agree with you Priya. Lazy auditors cannot work independently since they do not put so much efforts on their jobs. They will probably have many incomplete tasks that cannot be completed on time. I also believe that lazy auditors can be so careless because they cannot concentrate about on the job at hand, and this can become a huge loss for the auditee.

    • Good point Priya, I like that you mentioned that “As an IT auditor it is important that you evolve as the industry is evolving”. Indeed, the great thing about being an auditor is that you are constantly learning. Every audit provides new situations and challenges. Legislation and regulations change too. There is no way a faker can be trusted. I mean the more you know about your client industry, the better you serve them.

    • Hi Priya, good point about a timid auditor. The scenario is more likely to happen if the auditors have to confront with auditee about significant risks or even frauds who are held directly accountable to the issues. Timidity creates an unsubstantial sense of threat to auditors and compromises the auditors’ position of independent.

    • Hi Priya,

      While I was reading the article, I felt that the lazy one would also make it at least in the top three but I didn’t think of the timid type and good points. I agree that if an auditor is a master in the a certain field but can be manipulated by a strong auditee then it defeats the whole point of the audit.

  • Which one of these “Auditor Types” do you consider the worst type from the standpoint of the auditee? Why?

    All of these types, when taken to the extreme, are clearly not what anyone wants in an audit organization. But from an auditee’s standpoint I would think that “The Faker” is the worst. The reason being, that this individual makes no attempts to learn about the business/process/technology/etc. that they are auditing, and instead tries to bluff their way through. As the article mentioned, auditees are usually very quick to pick up on this, and it can damage the relationship between them and the audit team. By not understanding what they are auditing, a Faker may not recognize risks or controls where they exist and may incorrectly raise issues.

  • With the dynamic changes in the business environment, being able to know everything about a particular field is an impossible for an individual. However, continues learning and the ability to identify the personal strength and weaknesses are essential points for any employee. In each company, the right person should be in the right place doing his specific tasks which he supposed to has full knowledge about. When an individual in a firm fails to identify what he/she is capable of doing, that may consider as an obstacle to achieving the business objectives. Thus, I strongly believe that the faker is the worst type of any employee especially the auditor. Actually, an IT auditor is responsible for the internal controls and risks of a company’s technology network, and that require a full understanding of the enterprise’s activities, technologies, goals, and the employees’ responsibilities. If the auditors pretend to know things they are far from mastering and rely on cheating and faking to cover up their ineptitude, the auditor will lose their credibility, and that may negatively impact the business.

  • Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

    From the standpoint of the auditee, I would consider that the bureaucrat is the worst type of auditors. According to the article “Is There Such a Thing as a Bad IS Auditor”, the bureaucrat is defined as creating work for themselves as well as other colleagues when it’s not necessary and does not add value to the auditee.

    At my previous job, I used to assist auditors in collecting/organizing the materials and files they need. I have seen some auditors spent a lot of time on unnecessary documents. There was one time that I tried to help so the auditor could save some time. However, when I pointed that point, he thought I wasn’t cooperate and I should have just followed what he told me to do. This type of auditors really wasted time, which they could have utilized to do something add more value to the auditee’s company. In addition, the auditors should understand that all other people have tasks to do; assisting them is just a part of it. From this point of view, in my opinion the bureaucrat is the worst category of auditors.

    • Hi Celine, I am sorry to hear about the unpleasant experience occurred in your previous job. Bureaucracy is more people doing fewer things and taking more time to do them worse. In your situation, you were trying to assist the auditor in getting the work done efficiently; however, the auditor didn’t appreciate your help and he scolded you for not doing what you being told to do. I totally agree with you, if I were you I would do the same thing and point out to the auditor that it’s waste of time to collect unnecessary documents which bring no value to the audit process. I think a good auditor not only has to master the professional skills, but also need to be open-minded and listen to what others have to say. For auditor, listening is a very important concept, missing one small piece of the what others have to say can cause them to miss the message entirely. Many auditors listen to hear the answer they want to hear rather than to listen for understanding. Auditors should be able to communicate well and willing to accept the points others making.

  • Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.
    From the standpoint of the auditee, I would consider that the Faker is the worst type of auditors. IT technology is changing every day, so the IS auditor cannot know everything when their perform audit. The IS auditor should be honest to consider the capability to do this audit tasks. But then there are those who are unable to say “I do not know and will find out” and instead pretend to know things they are far from mastering and rely on bluffing, faking and jargon to cover up their ineptitude. An experienced auditee will see through this and the auditor will lose credibility. An experienced auditee will see through this and the auditor will lose credibility. Internal auditing is performed by professionals with an in-depth understanding of the organization’s business culture, systems, processes. Internal auditors are expected to follow the IIA’s International standards for the professional practice of internal auditing (standards) and adhere to its Code of Ethics. The audit is the independent, assurance work, so the auditor should keep theirs trust and reliability. Otherwise, the faker will influence their future work, and nobody will trust their work.

    • Nice post, I agree with you fakers will influence their professional career because nobody will trust auditors who are not honest. In addition, with false information, it might cause catastrophic damage to a business operationally and financially. Credibility doesn’t just mean being honest. To be sure, honesty is essential to credibility. Stakeholders also must be able to trust the judgment behind a recommendation and have confidence in the accuracy of a report.

      • Definitely agree that fakers will not only harm their careers, but can hurt the auditing field’s reputation. There have been many times where I have stepped into a role where my initial experience was directly informed by those that preceded me. If they were positively received, than that initially extended to me, while the opposite was true. Bad experiences can transcend an individual and permeatuate through roles and functions and are hard to overcome.

    • Good points Wenlin! Fakers can create negative impact to their professional career as well as the auditee’s company. Organizations would make decisions based on the feedbacks they received, so honest feedback from an auditor is very essential to an organization.

  • Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

    In my opinion, the worst type of auditor from the auditee standpoint would be that of “The Cookbook Auditor”. This type of auditor is one who generally uses a checklist of which they need to audit upon and can often times not have much experience in the audit field. Likewise, these types of audits rarely scratch the surface and often the auditors are just looking at last year’s documentation and attempting to replicate it with current year’s information. My reasoning for why an auditee might find this type of auditor the worst is due to my past experiences. I have been involved in SOX compliance audits where the purpose of the audits was in question. The auditees found the audits to be “pointless” and that gathering the evidence and providing to the auditor was a burdensome task with not benefit. In situations like these, the auditee more likely than not will not make the audit work their priority which makes the audit itself a timelier endeavor. Lastly, if a recommendation is made by the auditor the auditee will likely not approve of the recommendation since the basis of the audit is just to meet some checklist. With that being said, I think all the different types of auditors can/do inhibit the working relationship with the auditee and overall effectiveness of an audit.

  • Which one of these do you consider the worst type from the standpoint of the auditee? Why?

    Actually, all answers are correct which are written here. Because, the answer of this question is related to the meaning of the “worst”, according to auditee. For example, does “worst” mean be arrogance? If so, the well-connected auditors may be the worst type of auditor from the auditee perspective. Or, does it mean “wasting our time on irrelevant and insignificant issues”? If so, the geek auditors may be the worst type.

    I agree with all of you but I would like to approach this question from a different perspective.

    To be honest, according to me as an auditee, the “worst” thing is “more findings”. I prefer to see fewer findings in my report. Therefore, in my opinion, the worst type of auditor from Dr. Gelbstein’s list is “The Bureaucrat”.

    As we remember from our course, communication is the one of the components of the audit process. At the end of the audit process, all findings must be shared with auditee before arriving final conclusion. And they should be all confirmed by communication. If you are right, you can convince the auditors at the end of the audit, whether the auditors be a well-connected, faker, or lazy. On the other hand, I think set up healthy communication with Bureaucrats is a bit harder than others. As you know, they are professional at the creating work to others. They focus more on documents and are likely to create more findings that are not important. However, their audit does not add value to the auditee. They can make recommendations that the auditee cannot possibly implement. Worst of all, probably their findings will result in penalties.

    • Mustafa,
      I like your consideration with “worst” meaning, it really makes sense. Also, I understand your point of view about the “The Bureaucrat” type, but do you think the lack of communication skills in the auditor may lead to significant impact for the company and its objectives comparing with other Auditor Types?
      I believe that it leads to negative consequences, and it’s absolutely not the ideal type of auditor but in the same time, some of the other types effect both the individual and the company.

    • Hi Mustafa,

      I see your point and I agree. You stated “They focus more on documents and are likely to create more findings that are not important…They can make recommendations that the auditee cannot possibly implement. Worst of all, probably their findings will result in penalties.” I can recall an audit that I experienced as the auditee, and it was the worst. The auditor kept requesting document after document, which became cumbersome and unnecessary if you ask me. To make things worst the audit was being conducted under the busiest time of the quarter. It reached a point where my supervisor had to step in a demand that all required documentation be requested at one time to avoid the continued back and forth.

    • Hey Mustafa,

      You bring a different perspective to the question. You state that if you were an auditee the worst thing that you can get would be “more findings”. What happens in a situation where the audit is performed on a newly designed process or department and that this is the first audit? If I am an auditee, I would like the auditor to help identify any areas that need to be corrected and therefore the “findings” are more beneficial since they can be addressed shortly after the implementation of a project. Maybe it is because I have worked on the audit side, but I see audits as a means to help an organization and not a way to penalize or the auditee.

      • Great point Paul. Audit helps organisations to find GAP and accordingly work on it before it may lead to loss of business. So it is not a way to penalize but to help organizations in running their functions smoothly. It also helps to build trust of the stakeholders.
        There is a saying “prevention is better than cure”. Audit helps in prevention before a state is reached where cure is needed. It helps analyse the issue and work on it before it reaches a level where organisation may suffer some kind of loss because of it.

    • Hey Mustafa, I like how you stated that auditors focus more on documents and are likely to create more findings that are not important. It is a good point and I never thought of that. You are right, “Less is More” and that “more” doesn’t always add value to the organisations/auditee. That kind of auditors works so hard but they don’t know what the clients need or whether they are able to afford to implement the recommendations after the audit is finished.

  • Some people believe that auditing is a stressful job, and it can affect people who work in this field. In my opinion, according to Dr. Ed Glebstein’s article, one of the worst type of auditor is “ The Stress Creator “. Stress can have an impact on auditors’ job, and it can reduce the quality of their performance. As we read in Dr. Goldstein’s article, having stress can make auditors bad leaders, and it prevent people to associate with them even if they are the best auditors. Stressful auditors cannot work efficiently in a team, and it can make other team members uncomfortable. In a stressful work environment, employees cannot stay, and their performance will decrease. According to Audit structure, role stress, and job satisfaction, environment an Dmotivation: evidence from Thailand by Wittayapoom, Kanyamon article, “In large audit firms, auditors are likely to experience high levels of stress (Rebele and Michale, 1990). The work environment has many unpredictable, volatile and sometimes conflicting variables concerning professional standards, organization rule, and procedures (Otley and Pierce, 1995). Beside, it is relatively fast-paced, with the auditor continually learning new roles. The possibility for role stress being associated with poor job satisfaction should be a significant concern to the auditing profession (Fisher, 2001).” Audit team needs to have job satisfaction that needs to provide a relax environment for them. I also believe that stress can affect on concentration, and it can cause some mistakes on their task. Auditors who have stress cannot concentrate on their jobs as good as relaxed auditors, and they can be more careless due to less concentration. This reason can affect the relationship of auditors and their clients/auditee. Clients/auditee prefer to work with auditors who focus on their job, and fully understand clients’ needs.

  • Some people believe that auditing is a stressful job, and it can affect people who work in this field. In my opinion, according to Dr. Ed Glebstein’s article, one of the worst type of auditor is “ The Stress Creator “. Stress can have an impact on auditors’ job, and it can reduce the quality of their performance. As we read in Dr. Goldstein’s article, having stress can make auditors bad leaders, and it prevent people to associate with them even if they are the best auditors. Stressful auditors cannot work efficiently in a team, and it can make other team members uncomfortable. In a stressful work environment, employees cannot stay, and their performance will decrease. According to Audit structure, role stress, and job satisfaction, environment an Dmotivation: evidence from Thailand by Wittayapoom, Kanyamon article, “In large audit firms, auditors are likely to experience high levels of stress (Rebele and Michale, 1990). The work environment has many unpredictable, volatile and sometimes conflicting variables concerning professional standards, organization rule, and procedures (Otley and Pierce, 1995). Beside, it is relatively fast-paced, with the auditor continually learning new roles. The possibility for role stress being associated with poor job satisfaction should be a significant concern to the auditing profession (Fisher, 2001).” Audit team needs to have job satisfaction that needs to provide a relax environment for them. I also believe that stress can affect on concentration, and it can cause some mistakes on their task. Auditors who have stress cannot concentrate on their jobs as good as relaxed auditors, and they can be more careless due to less concentration. This reason can affect the relationship of auditors and their clients/auditee. Clients/auditee prefer to work with auditors who focus on their job, and fully understand clients’ needs.

  • Some people believe that auditing is a stressful job, and it can affect people who work in this field. In my opinion, according to Dr. Ed Glebstein’s article, one of the worst type of auditor is “ The Stress Creator “. Stress can have an impact on auditors’ job, and it can reduce the quality of their performance. As we read in Dr. Goldstein’s article, having stress can make auditors bad leaders, and it prevent people to associate with them even if they are the best auditors. Stressful auditors cannot work efficiently in a team, and it can make other team members uncomfortable. In a stressful work environment, employees cannot stay, and their performance will decrease. According to Audit structure, role stress, and job satisfaction, environment an Dmotivation: evidence from Thailand by Wittayapoom, Kanyamon article, “In large audit firms, auditors are likely to experience high levels of stress (Rebele and Michale, 1990). The work environment has many unpredictable, volatile and sometimes conflicting variables concerning professional standards, organization rule, and procedures (Otley and Pierce, 1995). Beside, it is relatively fast-paced, with the auditor continually learning new roles. The possibility for role stress being associated with poor job satisfaction should be a significant concern to the auditing profession (Fisher, 2001).” Audit team needs to have job satisfaction that needs to provide a relax environment for them. I also believe that stress can affect on concentration, and it can cause some mistakes on their task. Auditors who have stress cannot concentrate on their jobs as good as relaxed auditors, and they can be more careless due to less concentration. This reason can affect the relationship of auditors and their clients/auditee. Clients/auditee prefer to work with auditors who focus on their job, and fully understand clients’ needs.

    • Hi Somayeh,

      I truly agree with your comment about the stress creator ‘s impact on the auditing environment. You talked about auditors being stressed and making mistakes. If a stressor creates this type of environment it could disrupt the assurance process, which could cause a false conclusion. I believe an auditor should make every effort to maintain a positive environment, which will assist them during their execution process.

    • Definitely agree that stress can cause many environmental issues. It can be corrosive and in a way contagious. There many times that I can remember simply being around a person projecting stress increased mine. Important to project a sense of calm, as opposed to needlessly creating a stressful environment.

  • From my point of view, the worst type of auditor from Ed Glebstein’s list is “Well connected”.

    It was just last week that our senior audit manager in our department (Internal audit) asked us to complete an annual affirmation survey. Questions were based on the definition of internal auditor code of ethics. They asked if we have any relative, partner/significant other, close personal friend, or adversary working for either our company or external audit company.
    I believe that well-connected employees may exhibit poor soft skills, also they don’t have the attitude to avoid any conflict of interest. A “conflict of interest” is a situation in which an internal auditor; who is in a position of trust, has a competing professional or personal interest. A conflict of interest could impair an individual’s ability to perform his or her duties and responsibilities objectively.
    Internal Auditor Code of ethics is listed as below:
    Internal auditors are expected to apply and uphold the following principles:
    • Integrity
    The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
    • Objectivity
    Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
    • Confidentiality
    Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
    • Competency
    Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
    For more information about Internal Audit code of Ethics, please refer to: https://na.theiia.org/standards-guidance/mandatory-guidance/pages/code-of-ethics.aspx

  • While the traits mentioned by Dr. Ed Glebstein, Ph.D in his article “Is There Such a Thing as a Bad Auditor” are all undesirable traits of an auditor, in real time we do see such characteristics come by due to the fact that Auditors are also human prone to different behavior. Reading this article one can be aware of their behavior type and make conscious effort not to fall into any of this categories.
    All the types have their own demerits, but I think ‘The Geek’ comes out to be problematic especially if he has zero interest in the business objective. The main purpose of an IS/IT audit is to see that the IT is strategically aligned with the business objective. Having knowledge is not good enough if he is not really concerned about the business impact the risk may have. If he wastes the auditees time on doing what is not necessary, the auditee may fail to trust the auditor’s skill and thus the auditor may lose credibility in the long run. Not only that the main purpose of audit is defeated here.

    • Binu,

      Well said, your comment to this question is pointing to what I mentioned about question 2, from an Audit perspective , auditors that have deep and detailed knowledge about technology “The Geek”, can waste an excessive amount of the auditees’ time on irrelevant and negligible subjects.

      Also I was thinking about recruiting process for Audit position, the students that had deep technical background, had much more difficult time to get an audit position, Now I can conclude that the employer may had the same concern.

  • An audit is conducted on a subject matter to assure that it is in compliance with the required standards, legislation, and regulation. A written communication is then created by an auditor which expresses a well-defined conclusion about the subject matter’s adherence to controls. The auditee and users are reliant on the auditor’s conclusion and recommendations to assure they are in compliance with standards and to correct any weaknesses that were identified. An auditor’s role within this process is strongly dependent upon, and bad auditing practices are not acceptable. However, as Dr. Ed Glebstein pointed out auditors are human…and imperfect”. In reading this article I have concluded that all of the auditor types listed are horrible, and in their own way presents a weakness within the field of auditing. It is truly hard to identify just one, but as the auditee, I would definitely choose the faker. In my opinion, the faker can cause the most harm to an organization’s objective with remaining compliant. If the auditee and user are given misleading information because the auditor “pretend to know things they are far from mastering and rely on bluffing, faking and jargon to cover up their ineptitude” it can/will put the organization at risk of receiving a penalty or experiencing losses. Auditors that fall into the realm of faking are unethical, and I believe they are the worst within this listing. However, any auditor that cannot truly adhere to the assurance process and produce an ethical conclusion should not be allowed to practice.

  • Which one of these do you consider the worst type from the standpoint of the auditee? Why?

    According to Ed Gelbstein, Ph.D’s article, “Is there such a thing as a bad IT auditor”, I consider “The Faker” can be the worst type of auditor from the standpoint of the auditee. Firstly, as an auditor, the most important thing is to be honest because the public will trust a company based on the auditors’ report. If auditors can pretend they master new technologies but actually they don’t know, they may also pretend they review all the documents that they need to read. In the other hand, “the faker” also means they are lazy to learn new technologies, they don’t own a thirst for knowledge. Which is not a good personality as an auditor. Secondly, an experienced auditee will see through this and the auditor will lose credibility. When auditors audit a company, some issues “the Faker” can’t find out because they don’t really understand about the new technologies and Vulnerabilities. It also damages their company’s reputation. Thirdly, because “the Faker” don’t know new technologies, it not only may slow they work efficiency down but also it delay and affect the whole team’s progress of work.

    “the Faker’ unable to say “I do not know and will find out”, that means they refuse to learn new things, they refuse to be a better one. I don’t believe these people can pretend forever, one day they will be found out, and pay the price eventually.

  • Dr. Ed Glebstein, Ph.D. lists and describes in his article “Is There Such a Thing as a Bad Auditor” a number of “Auditor Types” with the intent of helping readers recognize possible weaknesses in themselves.
    Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

    In my opinion “The Cookbook Auditor” is the worst type from the standpoint of the auditee.

    There is a famous saying “no knowledge is better than half knowledge”.

    The problem is that their lack of experience prevents them from recognizing evidence if it stared them in the face. It may lead to GAP in areas like:
    • Gathering sufficient audit evidence
    • Exercising due professional care
    • Demonstrating appropriate level of professional skepticism
    • Interpreting or applying requirements of GAAP
    • Designing audit programs and planning engagement (inherent risk issues, nonroutine transactions)
    • Obtaining adequate evidence related to the evaluation of significant management estimates (failing to gather sufficient evidence).
    • Recognizing/disclosing key related parties
    • Relying on internal controls (rely too much/failing to react to known control weaknesses

    Hence the lack of competencies in such auditor can lead to incorrect audit result or unattended issues which ultimately can lead to loss of business, credibility, accountability and trust of stakeholders.

    • Deepali,

      You are correct in your statement of “no knowledge is better than half knowledge”. I use something similar. Clients who know just enough about technology to encourage them to break the system.

      The problem with Cookbook’s are each department or company if external is different. There may be an overall best practices guide for general business, but ABC will be different than XYZ, although they are both Accountant companies.

      No knowing the right questions to ask will only delay the project, or destroy the entire thing.

  • While each type of auditor has its own flaws, I believe that the lazy auditor is the worst type and would have the biggest impact on the auditee. The lazy auditor does not have the desire or motivation to perform due diligence on the organization being audited and would, as mentioned by Dr. Gelbstein, focus on the low-risk topics and poor or incomplete documentation. This could cost the organization in terms of lost revenue, reputation or brand damage, as well as the potential breech risks which would be unknown to the leadership of the organization. In comparing the lazy auditor to the other types, it is clear that this one is the biggest liability to the organization mainly because they just don’t care, whereas the faker type for example may be a close parallel to last, but may at least learn the process during their tenure and eventually move out of this category, although not a guarantee. Lazy is set in their ways and can put up more of a fight to remain that way then put the effort to improve performance, they have no desire to make themselves aware of the current technologies and risks, and would seem to border on the line of being a faker as well as lazy which adds a double jeopardy to the organization being audited.

  • Dr. Ed Glebstein, Ph.D. lists and describes in his article “Is There Such a Thing as a Bad Auditor” a number of “Auditor Types” with the intent of helping readers recognize possible weaknesses in themselves.
    Which one of these do you consider the worst type from the standpoint of the auditee? Why?
    The auditee is the person or group responsible for the subject matter being audited.
    According to Dr. Ed Glebstein’s article, he lists some categories of anonymous auditors which may cause difficulties or fails: The well connected, the faker, the lazy, the stress creator etc. Among all these types, I think the faker is the worst type from the auditee’s perspective. First of all, fakers are not honest enough to admit that they don’t know how to solve the problem or not capable to provide the advice to help auditee add value to its business. What worse, fakers pretend to know things which may cause them give wrong advices to the decision maker. Sometimes the senior management will realize the fakers are bluffing, sometimes they trust the fakers and take their advice which may cause huge loss. Comparing with other types, the faker may cause more serious impact in the auditee.

  • After reading the article, I feel that “The Lazy” auditor is the worst kind of individual to have in the organization. While “The Faker” comes in a close second, I feel that and IT auditor possessing lazy traits is much harder to correct than an auditor phased by ignorance. While “The Faker” can lead to an IT Auditor losing credibility when an experienced auditee sees through their jargon and ignorance, key issues and risks are still identified in this situation. The largest problem is that the solution presented is not based on any understanding or experience with the specific technologies. However, in “The Lazy” auditor’s work, key issues and risk are skipped over due to his or her taking on of low risk, low impact topics. By sticking to problems that are minimal at hand, the larger items may not be identified, thus leaving the auditee prone to problems in the future. Through my experience as an IT audit intern, I noticed several different people possessing some of these bad traits. I feel that “The Faker” is easy to correct when it is noticed because management can encourage an individual to update his or herself on the industry in order to keep discussions relevant. However, it is much harder, maybe even impossible in some cases, to correct an auditor who possesses “The Lazy” auditor type because this is a key element of this person’s personality. Through this, an auditor possessing “The Lazy” type will continue to identify with this description unless the auditor alters is able to alter his or her personality to remove the negative trait.

    • I agree that “The Lazy” auditor is a bad one since it appears they lost their drive and only want to work on low risk projects and not any highly important ones. However in my opinion the “faker” is worse because they are causing project to lose credibility whereas the lazy auditor is doing their work but just not on high risk projects.

      • I forgot to add that the faker can’t even be bothered to learn about the process and projects whereas the lazy auditor knows about them.

  • Since everyone has weakness and what we can do as a professional is to overcome weaknesses. I believe the characteristics of laziness is the worst types from the standpoint of the auditee. Compared to others, it post greater impact on audit work and audit team, and it also leaves lesser room for changes or improvements.
    Laziness means that the auditors do not perform audit work professionally and ethically. They do not engage themselves fully into work or take due diligence to fulfill auditors responsibilities. This will compromise the quality of the audit. In the long run, accumulated under-performing audit deliverable will even damage the reputation of the audit firm. Once the damage occurs, it is difficult to remedy and the firm will lose the clients. Moreover, laziness means the auditors lack the interest or passion for his career. The commitment of auditors is especially important because, unlike other professions in sales or engineering which are the highlights of an organization, we indirectly help enable and support the success of other businesses. Therefore, our inner drives for the career are critically for us to keep working and learning. Meanwhile, laziness also implies there is little room for improvement. If a person is do not like his job intrinsically, how do we force him or her to feel otherwise?

    • I also want to add the laziness is an problem of attitude. It will leave an unpleasusant impression to auditter and thus place an roadblock to further communication and colloboration with whoever the auditor need to work with. It cannot never be ignored that working with people is also a important aspects of audit besides IT. Also, I bilieve attitude is is an inherent trait one of a person for which a chqnge needs continuous efforts and determination.

  • Dr. Ed Glebstein, Ph.D. lists and describes in his article “Is There Such a Thing as a Bad Auditor” a number of “Auditor Types” with the intent of helping readers recognize possible weaknesses in themselves.
    Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

    In my opinion, The Lazy type is considered as the worst type from the standpoint of the auditee. As Dr. Ed Glebstein mentioned, it is not difficult to become a lazy auditor by repeating past audits in large organizations. However, when an auditor is repeating past audits, my concern is that if there is an error or many errors that he/she did not find and report in the past audits, the error(s) will repeat again, negatively continuing issuing wrong opinions. If the auditor is lazy to test something, even the problem was in low risk last year, it could become medium or even high risk for future years. As a result, based on my thought, The lazy type is the worst type from the standpoint of the auditee.

    • Yulun,

      The Lazy Auditor could have a devastating effect on a company. It is easy to develop a “template” that seems to work over and over. The difference in the Audit world is:

      1. Rules and Regulations change all of the time
      2. Technology Evolves
      3. Business Strategies change

      And other reasons for an auditor to remain focused on the task at hand. Simply using a “Plug-and-Play” system will only get you so far, and may level those who are relying on your work in a bad situation.

  • Personally I find the well-connected one to be the worst of the lot. There are high chances that not only would this one be undeserving or unfit for the role but he or she would probably throw their weight around too. While such a person might not contribute as well as the others do, they still might get an undeserved promotion. This in turn would bring down the team’s morale and it won’t be long before the team becomes highly under-performing and demotivated.

    • Mansi,

      The well connected auditor is in just about every organization. A well-connected someone is also just about in every organization.

      You can stop the fact that we are living in a performance and social based America. In my experience, the person who is most enjoyable, is at all the social events, and just has that certain something about them will go further than an upper level performer. It is very difficult for those who are not may be sitting at their desks, watching the well connected auditor laughing it up with management, while you are reviewing business control policies. “Wasn’t lunch over a 45 minutes ago?”

  • Based on Dr. Ed Glebstein, Ph.D. article “Is There Such a Thing as a Bad Auditor”, I believe that “The Bureaucrat” is the worst type from the standpoint of the auditee. The bureaucrat creates an illusion of work and activity being done but is in fact doing meaningless tasks that does not add value to the organization. Often times, the bureaucrat auditor’s illusion will not be discovered for an extended period of time and the auditee will continuously spend money on the auditor without any return. The extended period of time where work is not being done may leave vulnerabilities unchecked and may possibly lead to cyber threats.

  • Based on Dr. Ed Glebstein, Ph.D. article “Is There Such a Thing as a Bad Auditor”, I believe that “The Bureaucrat” is the worst type from the standpoint of the auditee. The bureaucrat creates an illusion of work and activity being done but is in fact doing meaningless tasks that does not add value to the organization. Often times, the bureaucrat auditor’s illusion will not be discovered for an extended period of time and the auditee will continuously spend money on the auditor without any return. The extended period of time where work is not being done may leave vulnerabilities unchecked and may possibly lead to cyber threats.

  • In my opinion, “the faker” is the worst type of auditor. The rationale behind me choosing this type of auditor as the worst type is because they no longer care to learn or get the right answer and instead try to avoid the problem. They will be loosing credibility as they try to bluff, fake and use jargon to try to get by. The auditor will still lose credibility even if they try to learn the correct methods later on as they have already displayed untrustworthiness and lack of accountability/ knowledge. This type of auditor is also mixing lazy traits into their work ethic and will not have their job for much longer as other auditors can see through this.

    • Jaspreet,

      You bring up good points about the faker.

      In my opinion, there are two reasons for a faker.

      1. They are simply unmotivated by the work
      2. They are Arrogant

      The first may be cured with a simple change in assignment. The second is much more tricky. The “I know it all” will get you no where and only cause your peers to shy away from you.

      Any good professional will realize, there is always someone who knows more, is stronger than you, or is just simply better than you in every way. Once you understand this, you will be able to grow by embracing the knowledge someone or thing offers.

  • I strongly believe that the “fake” has to be the worst type. Dr. Ed Glebstein correctly puts that while it may not be necessary for an auditor to be a master of everything but an auditor should also know when to say, “I don’t know, I will research more about it.” The reason why I think that a faker would be the worst because the consequences can be very damaging to the very company. Especially, we if consider companies that fall under heavily regulated industries like finance, healthcare, etc.

    As I read through the article, I also thought “the lazy” type was quite a liability for any company and noticed how there was a thin line between the aforementioned types.

  • From my experience I would have the say the faker is the worst type of auditor. No one knows everything, and everyone has their limitations. I’ve always felt it’s important understand that “you don’t know what you don’t know”. Without this mindset, it is difficult to learn from past mistakes or new things. In addition, people will assume what this auditor saying is correct, when in fact it is not. Can lead to many wrong decisions that can negatively impact and harm an enterprise and its employees. Being open minded and self aware, while honest is much more effective than pretending to be competent. Eventually a faker wi most likely be found out found out.

  • Of the 7 “not so good” types of auditors discussed in the article, it’s my opinion that the “faker” would be the worst type of auditor from the auditee’s perspective, if they’re ever able to identify the underlying truth. There are a number of obvious reasons that this could have significant negative impact to the audtiee. The point of the IS/IT auditor is to bring a level of expertise to the table that the organization or department may not have the luxury of having and bring to the forefront real-life vulnerabilities and risks. When someone is creating an illusion of expertise in this field, but in reality has none, the auditee is trusting their organization’s future in the recommendations from this individual. The outcome of using a “faker” as an auditor can create a number of threats in and of itself including missed vulnerabilities altogether that could have substantial negative impact to the business and, in essence, they are no better off than if they did nothing altogether, in fact they would probably be better off if they did nothing altogether because at least they wouldn’t be stuck with the auditor’s fee. When someone is looking to bring on a new auditor to a company whether it be an external contract or an internal hire it should be mandatory that the interview cover a wide range of topics and specialty areas and if at no point the prospective employee mentions that the best course of action would be to seek out the expertise of someone in that specific field it should raise a red flag and they should look to the next candidate. It should not be frowned upon to leverage other resources to effectively complete a project, rather it should be viewed as a best-practice.

  • For me, the faker is the worst type from auditee’s perspective. Honesty is a key ingredient to have integrity in the audit process to ensure its accuracy, truthfulness and completeness, and auditors are expected to give an unbiased and honest professional opinion, which must be based on an honest evaluation of the facts and circumstances. Any unhonesty in audit process may greatly impair its integrity, which may go against the primary purpose of the audit, i.e. provide company stakeholders with an expert, independent opinion, and leave vulnerabilities inside the organization, once exploited in the future may lead to financial loss, legal issues, or even reputation damage.

Leave a Reply

Your email address will not be published.