Mike Romeu

In my opinion, there is no conflict between depth of knowledge in technology, or its impact on the enterprise. They are both important at the same level because they support each other. With that said, depth of knowledge in technology can cause either good/bad impact on the enterprise. And impact on the enterprise can motivate people to obtain knowledge in technology in order to innovate.

In 2000s, Mobile technologies are transformed by smartphones and tablets; bring your own device(BYOD), and mobile apps become a big trend to most of enterprises. In 2010s, cloud computing, big data are invented; people started to have the awareness of intellectual property, privacy. Therefore, there is a need/market of IT engineer or computing engineer who can use their depth of knowledge in technology to develop those data-related technical innovations for the enterprises. At the same time, those engineers need the funding/ financial support from those enterprises. This is why I am stating that they both support each other and they are both important.

Technology has advanced a lot over the years, and it is continuing to advanced. From the room sized computers of the 50’s to the cloud based options of today. IT professionals have to be up to date as technology changes. Newer technologies can help the business increase productivity, efficiency and ultimately the profits of the business. In addition, with new technology, there are increased threats and vulnerabilities. Developers and IT engineers have to be knowledgeable with new technologies and new threats. It will help the business in the long run if they are.

With all of the new technologies out there, you also have to be know how implementing a new system or app will impact the business. When thinking about the impact IT projects can have, I am reminded of a business friend of my parents. This company decided that the busiest time of the year was a good time to upgrade their computer systems. When the new system failed, they couldn’t ship products and lost all of their Christmas season sales. Not long after this, their cash flow dried up and the business went bankrupt. If someone had thought about the impact the project could have if it didn’t work, perhaps they would have picked a different time to implement the new system, or tested it more thoroughly and the company would still be around. Whenever a new technology is being considered, you must consider the impact, both positive and negative, that this project could have.

Knowledge and impact are both important to be aware of. However, given the risks technology can pose, I would rate the impact slightly higher than breath of knowledge.

Yu Ming, I agree with your statement, “There is no conflict between depth of knowledge in technology, or its impact on the enterprise.” I believe they are both equally important and for that reason, they should be aligned. By embracing both the IT innovation with its affects on the enterprise, allow businesses the ability to transform along side technology . Today, IT is a vital component to a company’s operations and leveraging information technology for business success is a key to survival in the modern business world. With that being said, with technology evolving, companies should do the same. Without technology the idea of globalization wouldn’t have become a reality. Technology allowed businesses to grow and expand in ways never thought possible. Overall, I agree that they are equally important, as they both rely upon each other in the spectrum of innovation.

Blake, I agree with your underlying premise of which aspect of technology is more important. I’m not sure any person will ever achieve a full depth of knowledge regarding a technology based purely on the dynamic environment that technology is. The moment a person may think they have a full and complete understanding of a specific technology a new aspect may be discovered regarding the technology or its application, reach, deployment, etc which will make keeping pace with that depth of knowledge nearly impossible. Although the depth of knowledge regarding a technology is important for a business to consider, understanding the impact of that technology on the enterprise is paramount to the business when considering technology. Without a clear understanding of the risks, benefits, applications, costs, etc. of the technology’s impact on the business can quickly lead to a completely unforeseen bankruptcy like your example showcased. Because tech is always changing a business would be prudent to have personnel always exploring those changes and advancements looking for potential opportunities, but that business would be remiss to neglect considering the impact of that technology. Although, I’m sure an argument could be made that in order to understand the impact one would have to have depth of knowledge, and in order to have a depth of knowledge about a specific tech it would lead to understanding the impact(s).

Nowadays, technology becomes an essential part of each enterprise, and it’s playing such a major factor in the success or failure of businesses as it can bring more advantages and opportunities or create more challenges and vulnerabilities. Consequently, it is critical that companies adapt to the technological changes and being aware of its impact on the business.

For my perspective, being aware of the technology impact must be considered as a fundamental level of the depth of knowledge in technology. Having a vast knowledge in technology without a clear understanding of our goal from using this technology, the potential impact on our business, how this technology can facilitate our tasks and activities and what kind of technology is more appropriate to fulfill our requirements will make this knowledge meaningless. For this reason, many companies are trying to create a mid-point that encourage the IT specialist to be more aware of the business objectives and involve them in the requirements identification and decision-making processes. However, almost all of technical/non-technical projects are team efforts, so this can aid the organization to efficiently achieve its goals by having a variety of members with different experiences and backgrounds.

Magaly,

I may be confusing myself, but how an organization will know the impact of a technology if it does not understand it? In order to know what impact a technology could have on your enterprise environment you first need to understand it. By understanding I mean everything, from the implementation to maintenance. It is only after hat you can consider the impacts (revenue and productivity).

I would say that technology impacts on the enterprise depends on depth of knowledge in technology. In fact, I don’t see how a technology would have a positive impact on an organization if the organization does not master the technology. As we all know, technology is a double-edge sword. The wrong use of it can be costly to any organization. I wouldn’t recommend that an organization use a technology it does not understand. The thing is sometimes, organizations put first the possible impact of a technology on their revenue without fully understanding the technology. I think the best course of action will be first to understand the technology (advantages and downsides) and then conduct a cost-benefit analysis.

Technology provides a wide range of tools entrepreneurs can use to guide their new companies through the startup and growth stages. Small-business accounting, marketing and communication have been revolutionized by advances in computer, network and communications technology, and businesses in a range of industries continually adapt to take full advantage of technological developments.For example, Setting up and managing a new accounting system can be a daunting task on your own. Modern accounting software packages simplify the process of setting up accounts and posting daily transactions. Managing accounts with a small-business accounting package such as Microsoft Money or QuickBooks can eliminate the need to hire full-time or third-party accountants. Accounting software also assists managers by creating informative reports and financial statements to increase decision-making effectiveness. Therefore, the knowledge of technology can improve the enterprise effectively and effectiveness.

You bring up some great points in your post. First, I agree that, without understanding the impact that technology will have on the business, the knowledge itself is useless (and potentially very harmful). An organization simply cannot have one without the other if it wants to be successful. And it is important, as you mentioned, that organizations bring a variety of individuals with different skills and backgrounds onto a team, as this will more easily expand the breadth of technology knowledge. Where I work, every employee is required to input their skills into a database. This way, if there is an audit that involves a specific technology or process that no one on the team is familiar with, we can search for other employees that may have that knowledge and connect with them.

Said, I do get where you are coming from. My suggestion was more along the sides of collaboration and growth. I don’t really think its one-sided choice whatsoever. I personally just think that organizations must understand technology and the enterprise impacts/risk that it faces at that time by thinking more along the lines of the future. Organizations, who began to use technology and saw progress then learned the ever-growing threats that face it. However, if they were able to think in a non-chronological order of understanding, implementing and finding out the risk/impact they wouldn’t have faced all those data breaches. I guess, my approach is more along the sides of innovation and not dealing with the risk after the implementation.

Technology changes at mind-boggling speeds, and it greatly affects businesses and enterprises. What do you consider to be more important, depth of knowledge in technology, or its impact on the enterprise?

I think the answer to this question should be determined on how you want your role to be within an organization. I say this because having a depth of knowledge in technology and understanding the impact on an organization are both desirable skills to have. However, certain positions favor one or the other. If I am considering a career in say research and development, I will benefit by understanding the intricacies of a certain type of technology in hopes to improve or create a new product or service to sell. On the flip side, if I am in a risk management or a compliance position, I would be more interested in how technology impacts an organization. With all that being said, it is tough to decide which set of skills should an IT auditor focus on. On one hand, if you can’t understand how technology impacts an organization, then you will not be able to identify if a policy/control/technology successfully mitigates a risk to the organization. On the other hand, if you don’t understand the technology being utilized by an organization and how it works to the detailed level, then you might miss some of the underlying nuances of this technology during an audit that could affect the organization. Since I must choose, I would choose how technology impacts an organization. When all is said and done, it is the business you are protecting and therefore it is important for you to understand how technology affects an organization.

Good point Annamarie. I have mentioned in my post that transition to new technology must be smooth, and thus the impact will be managed. Any new technology will have similarities with what employees are familiar with. Organization can make a choice of smooth transition. It is also necessary to help by giving time and exposure to the new technology to increase depth of knowledge.

I agree with you Yu Ming. Depth and impact are both are supportive of each other. The speed with which new technology emerges is so fast that while gaining depth of one technology world moves to another. I do not know what is the best solution but I believe experience teaches it all. Hence before making a new technology active in the business, it must be tried and tested. Thus we have things like prototyping and agile methodologies. One, it gives hands of experience and organizations gets familiar with the technology and two organization understands the impact and business need for the change to new technology. If from this pilot they can make a decision if they need to go in depth.

Technology has been ever growing and most often it is a decision that the management has to make whether to incorporate it into the system or not.
I guess the answer to this question depends who you are in an organization. For example, if I am an application developer, I will be concerned with learning new technologies so as to be in market and stay up to date so as to sell my application, making sure it is compatible with devices in market.
I as an auditor would consider the impact on the enterprise as more important than the depth of knowledge because most often a technology is in place and by the time people are really skilled at it there are newer technologies that evolve. So definitely it is impractical to keep tab of all technologies. However understanding the nature of the new technology and identifying the risks involved and trying to mitigate this risk can help the organization to meet its business goals.
It is not necessary for all organizations have to upgrade to the latest technology. Only if the business goals and objectives require it then newer technology needs to be deployed. Newer technologies can be more secure, faster, more sophisticated in nature and simplify human efforts but it also opens door to newer risks.

My answer to this question is “how technology impacts an organization”.

In the current dynamic and turbulent business environment, Information Technology is considered a very competitive advantage. One of the main requirements for obtaining benefits from investing in IT, is strategic alliances with business and technology. Alignment implies that there are two separate entities trying to work together but still remaining separate.
Business objectives and IT requirements seem to contradict, but many experts agree that alignment between them is crucial to the success of an enterprise.
While firms are investing in information technology, the evidence of whether or not those investments are made improvement on firm performance is mixed. It is important to consider the effectiveness and efficiency of the deployed information systems in an organization. This is challenging, because different firms adopt and use information technology differently. I believe there should be an acceptable level of IT knowledge, not necessary a deep knowledge. It depends on the nature of business and how much firms rely on computer data to conduct business operations and making business decisions to improve their performances.
Also from an Audit perspective and based on Ed Gelbstein’s article, Auditors that have deep and detailed knowledge about technology can waste an excessive amount of the auditees’ time on irrelevant and negligible subjects.

You mentioned to very good points Wenlin. I agree with you that new technologies provide the opportunity for people to be more independent, and help them to do some of their task without asking help from full-time or third-party accountants. To reach to that point, first people need to improve the level of their knowledge about new technologies, second after they understand the concept of new technologies they can apply to their businesses with little help.

Said, I agree with you. Applying and using every new technology need a deep understanding of it, and without sufficient knowledge it cannot turn to benefit for organization. I believe using new technologies and applications can increase the performance of employees or be more beneficials to the organization. But as you mentioned in your statement, if people do not understand these technologies in their job, they cannot use them in a right way. So in that way it cannot be useful, and it will have a negative impact on the companies.

Technology changes at mind-boggling speeds, and it greatly affects businesses and enterprises. What do you consider to be more important, depth of knowledge in technology, or its impact on the enterprise?

In my opinion, the depth of knowledge in technology and its impact on the enterprise are both important issues for companies. Nowadays, information technologies are the most critical part of the enterprise’s operations. On the other hand, for continuing business success, risk assessments of these technologies are necessary for each company. Without the knowledge in technology, we cannot assess properly its impact on the enterprise which uses it. Therefore these concepts need each other and they should be aligned.

However, if we answer this question as an IT auditor, there will be a minor difference between them. Because there is a difference between being IT engineer and IT auditor. As we know that, IT auditors should have adequate skills and proficiency in conducting information technology audit and assurance engagement. But it does not mean that they should be an expert in all technologies. According to me, for IT auditors, it is enough to have adequate knowledge (an optimal level of depth of knowledge) such as understanding of the benefits, risks etc. As a result, it is expected that they should be able to identify and assess risks relevant to the area under review. Besides, if they need, they can maintain professional competence through appropriate technological education and training. On the other hand IT engineers have to be up to date with new technologies and have depth knowledge of technologies which are used in their enterprises. From IT auditors perspective, understanding the impacts of technologies on the enterprise is a bit important than having depth knowledge in technology.

In my opinion, both of them are required as they complete each other. People need to gain a good knowledge about the new technologies so that they can apply it into the processes. Without any understanding of technologies available people cannot implement them into their businesses. People need to learn about every aspect of new technologies available for their fields, and should be up-to-date with new technologies. According to Perspectives From a Seasoned Practitioner article, “we are required to learn how to learn and then how to unlearn and relearn.” With the quick look at figure 1 in this article we can see the technical innovation in each decades. I think cloud services can be a good example for this discussion. Cloud services such as Amazon Web Services, Google, Rackspace, and many others are built on virtualization techniques, and that can enable people to save big data on remote servers, instead of physical servers that are more costly in terms of maintenance. Cloud storages provide the opportunity for companies to store their data in more efficiently. So, People who want to switch to cloud services must understand the concept first in order to understand the value they can bring into their business. After gaining that knowledge then they can implement such services into their business.

I agree with you that deep and detailed knowledge about a particular technology can waste excessive time on irrelevant and negligible subjects. But knowing it won’t hurt either. It depends on how he uses the knowledge that he/she has for the audit. Also the perspective of which is important: depth of knowledge or impact on the business depends on the position you are in a firm. Both are equally important from different viewpoints.

Thank you for the reply, Annamarie.

Collecting employee’s data and especially knowing their strength and weakness will help the organization to use its resources efficiently and achieve its goals effectively. Indeed, this can assist in working with large projects that require different expertise from various fields.

Blake,

I agree with you here. A business should have full knowledge of the product being considered, and the impact that it may have on the business. It is also important that the business set resources aside to remain knowledgeable about the changes and upgrades concerning that technology.

These issues go hand in hand, and I believe they are both equally important. I think it is important for businesses to maintain a depth of knowledge in technology to reduce the impact. Technology changes with the blink of an eye, and it is almost impossible to keep up with every aspect of it. However, it is vital for enterprises to stay as closely abreast to its innovation as possible. The changes in technology are driven by the demands for improvement. Take for instance the automobile industry. Our only form of transportation was walking and animals, and as the demand for better quality transportation grew the wheel was created, which led to the creation of automobiles. During this process, technology was gaining momentum. However, the auto industry stayed abreast of its impacting changes, and as the demand for better/faster cars grew it drove the demand for greater technology and a deeper understanding of it. Therefore, I consider both topics important because they impact each other equally.

Technology has brought advancements in various aspects of the society over the years; it also brought up important effects on business operations. In my opinion both the depth of knowledge in technology and its impact on the enterprise weighted equally important. Technology provides enterprises the strength to spread their wings. It gives organizations an opportunity to analyze specific data relate to the business so the companies can plan and grow. It also provides an opportunity to the enterprises to take advantage of many tools to solve potential problems. However, without leveraging the benefits of IT, it is impossible to attain long term business success in this digital age. If an organization does not know how to utilize and apply the fast growing technology in their business, then it wouldn’t bring any positive impact to the organization at all. It is essential for any companies to understand the technologies and aligning IT with business objectives.

Hey Said,

I took the question’s “impact” on an organization moreso to be like how the organization can utilize the technology and improve itself with not so much the “impact” being how much it costs financially. For example, utilizing an email application can “impact” the organization by offering a quicker and more reliable form of communication but also “impact” the organization by opening up security vulnerabilities like phishing. I agree that the best course of action will be first to understand the pros and cons to implementing a new technology in an organization and then perform a cost benefit analysis.

Hey Lezile, I agree with you that both issues go hand in hand. In today’s environment, business can’t ignore the impact of technology because information technology is a vital components to a company’s operations and growth. For example, many companies have already embracing the IT innovation like launching their phone applications, resulting in significant growth because they can easily improve the customer relationship through the innovation of smart phones. Overall, I agree that they are both equally important and they are supportive of each other.

Given the rapid development and implementation of technologies into enterprises, it is important to understand exactly how the technology itself functions but also how it affects an organization. By focusing on whether understanding the technology or understanding its effect on the enterprise is more important than the other, it brings in the question of which kind of organization is present. If an organization has no understanding of technology as it is brought into its specific business, I feel that it is much more essential to gain a depth of knowledge of the technology that the business faces before it is able to evaluate the impact on the enterprise. However, if a business has a moderate understanding of the technology that it will face, I believe that it is much more important to gain an understanding on how the technology being implemented impacts the specific business. Through this, a business is able to deem which new designs and technologies work well in their specific environment as well as which ones are not as suitable. By understanding the true effect of specific technologies on the business, a company can ensure that it eliminates toxic designs as well as remains under budget on its spending habits to avoid correctly costly technological errors.

In order to adjust and apply the rapidly changing dynamic and applications of technology there has to be a base knowledge in order to understand the implications and impact changing tech may in a particular industry. While technologies impact on an enterprise in ultimately the final result of its development and application, I believe that knowledge is slightly more important than the impact. In the article “Perspectives from a Seasoned Practitioner” one statement stands out about our current technological state as a whole; “Dependency on IS/IT has become irreversible”. To this effect, the persons with the knowledge to create, apply and manipulate technology can dictate the impact on the enterprise and by business evolution and competition, the industry as a whole. The introduction of mobile devices was slow paced at first, until a designer with knowledge integrated applications and computing, which changed the use of the phone call only cell phone to the connected devices we have today. Now we can’t go anywhere without a device or a connection to the web or cloud; our entire lives are based on Wi-Fi, and that change in this one area has changed the industry forever and made the threat data theft an everyday occurrence. If the organizational impact had been studied more closely and the knowledge and technology developed in parallel, there may have been a more equalized integration.

Technology changes at mind-boggling speeds, and it greatly affects businesses and enterprises. What do you consider to be more important, depth of knowledge in technology, or its impact on the enterprise?

Technology helps an organization to stay competitive in the market. It is very important for organizations to go with the flow.

Lets take an example of quick service restaurant industry. Technologies like digital display, Point of sale, Tablet Restaurant management, Mobile Technology, Online email, social media are making operators to compete and differentiate.

These technologies are helping operators to provide exceptional services to the customers and , meeting customers experience that exceeds their expectations.

It is very important to understand the impact of technology on the enterprise before its implementation. Technology is a big investment and should be made after understanding the need and calculating factors such as ROI. For example it is not necessary for a small scale organizations with employee strength 100 to implement SAP to manage its finance data as it requires huge cost to implement such a big system.

I agree to your point Priya. Organisation must not rush into a new technology and risking business. A similar case happened with one of the startup enterprise with which I use to work. It was a small startup with the strength of 80 employees and wanted to grow on strength. Keeping in mind the expected growth they implemented SAP which costed a huge amount. The setup failed as they didn’t had that much business to recover the cost of the software implementation. Implementation of technology like SAP is not required for such a small organisation.

Technology is taking over everything in an organization now a day and will continue to be incorporated more into businesses everyday use. Employees are using it to gain access to buildings, remote access to the system from anywhere in the world and restaurants are using it to take our payments right there are the table. With that, I believe both are equally important, we must understand the depth of knowledge in technology and its impact on the enterprise. Both plays a role with one another. To understand the impact of new rising technology impact on an enterprise, employees must learn about the technology and understand how it operates and decide if it will improve the day to day business activities. The Depth of knowledge in technology assess whether the technology will have been positive for the company or have a negative effect. For example, if an enterprise incorporates a new technology that does not improve the business then it would be a bad impact and the company would have wasted money.

I agree, the industry of the enterprise, the strategy and tactic of enterprise at one point of the time and the structures of the enterprise all decided the weights of effects coming from these two dimension. Also, the products and services of the enterprise, the expertise of the enterprise, its strengths and weaknesses, etc. For me, depth of knowledge is very important but it has to be knowledge that is applicable to the company.

One of the greatest ways the Millennial generation is going to impact the audit and assurance profession is in the IT aspect. The Millennial generation has had access to rapidly changing technology from their cradles to where they are at in their lives currently. This access to technology, and the exponential change in it, throughout their lives is going to give them the ability to adapt quickly to technological change and to cope with technological displacement greater than previous generations. Their rapid adoption of new technologies will be both a challenge in keeping pace with regarding control efforts, but will potentially translate into faster benefits realization through quicker deployment of those new technologies as well.
Another aspect of the Millennial generation that can be a benefit to the audit and assurance profession is their generations diversity and education levels. The Millennial generation, at least in America, is the most diverse generation so far and has the highest percentage of its generation with at least a Bachelors degree. This greater diversity and higher education rate will enhance the generation’s members’ ability and techniques at identifying and solving problems. Being able to approach problems with a new and richly dynamic ability to solve problems will be a tremendous benefit for businesses in what is an ever increasing globalized economic and social community.

Millennials will help the Audit and Assurance profession because of the ability to collaborate,the great problem solving skills, tech-savvy backgrounds, the ability to multi-task and stay connected.

Millennials are problem solvers that are excited about not having one correct answer. Millennials are quick to stay connected, collaborate, and use their technical resources to find the best answers available. Millennials are typically curious and use their tech-savvy backgrounds to solve problems in ways that may have never been accomplished before. Staying connected helps millennials understand best practices and what is going on in their industries.

Millennials challenge process and what has always been done. If change makes sense, millennials welcome it because they are not use to what has always “worked”. Fresh eyes help increase efficiency and effectiveness. Millennials tend to be motivated by challenges and projects that don’t have one correct answer. Millennials love feedback and want constant recognition would could be a good thing (to a point) with customer relations. Millennials crave to learn more and more and this will only help the audit process.

I think you offered some great points about the aspects of the Millennial generation that may offer benefits to the Audit and Assurance profession. I think your point about Millennials challenging the mantra of “that’s how it’s always been done” can be a double-edged sword. On the one hand, Millennials may find many areas to improve with modern technological advancements and, by implementing change(s), can increase efficiency and effectiveness within a business. On the other hand, I can see Millennial potential impatience, which is the source of the monikers “Generation Now” and “Now Generation,” rearing its head and causing potentially negative consequences from challenging a system, and implementing change, before fully ready. Or, implementing a change and before the change produces the desired results reverting back to “how things have always been done” and essentially wasting resources on change. It definitely raises the question of the importance of analyzing both the potentially positive and negative outcomes from generational traits.

These are two good points, and ones that I think not everyone would immediately think of when discussing Millennials. I agree that the ability to quickly adapt to new technology can be a huge benefit for an audit organization. I remember a time when floppy disks were the go-to method of storage and file transport, and now we can put and pull files from a “cloud”! As you mentioned, Millennials have the ability to identify and teach themselves about emerging technologies, in a way that many in earlier generations do not. This can be especially useful in an auditing context when it comes to mapping out risks and controls for new technological developments and understanding how they can impact an organization.

One of the best ways that millennials will impact the audit and assurance profession is with their knowledge of IT. Younger generations have an advantage that older generations did not have- they grew up with technology. They have seen technology change rapidly from when they were young to where they are now. When new programs, apps or platforms are introduced, millennials are some the first people to gain an extensive knowledge of the new technology.

Millennials are also well educated and more free thinking. This will help businesses steer away from the “this is the way it’s always been” excuse that is seen a lot in the business world. They can challenge the norm and find a better way to get things done. One thing I would warn about this, is that you have to get a thorough understanding of why businesses do things the way they do. If you don’t do due diligence, you may end up making a major mistake. However, I think that with millennials knowledge of technology and business processes, this shouldn’t be a problem.

I think the Audit and Assurance professions will benefit from the millennial generation. As being a millennial myself, we have grown up using computers, mobile technology, and smart devices our entire lives, and that continues to evolve alongside technology; therefore, millennials have a much more advanced baseline knowledge of digital information than the generations that preceded us. I believe, like generations before us, we millennials are driven to make an impact. Millennials are ambitious and goal-oriented. Audit and Assurance as professions I believe have been a bit reluctant to embrace new technologies, such as the cloud. Millennials have no such reluctances. In fact, they love the cloud and the flexibility it offers. So, if anything, I believe they will do more to increase widespread technology adoption and innovation, which will in turn contribute to the changing role of the CFO. CFOs and financial executives will need to be better versed on available technology and what makes sense for their organizations.

Behavior of generation reflects in workplace. Companies face bigger problems that downsizing,
problem of workflow balance between the Baby boomers, X and Y and Veterans. Audit as a profession goes by 80:20 rule. 20% auditing technicalities and 80% communication and behavior during audit and towards auditee.
Millennial generation they say is civic minded. They trust in humanity and thus are more social and team oriented. They love to collaborate which definitely is a plus for audit profession. They are not scared of placing opinions. They are known of their surroundings.
Generally auditors spend quite some time to understand business processes as they are new to the company they audit. Since they like to socialize, and are open to ideas, auditors from this generation will be able to communicate easily, understand the environment , scope and objective of audit faster. They would help motivate an unbiased audit.
Millennials are more attracted to power and power comes with knowledge. Today’s dynamic nature of technology is something Millennials are growing up in. They have been challenged of newer technology and constant change. This will benefit the audit function one, to accept changes and work in dynamic environment. And two, the positivity to accept feedback would help in improving processes.

Hi Candace, Thank you for providing links to interesting articles, I read a few of them and Meyer in his article mentions that switching between activities will prove a hindrance in productivity.
However, I feel today’s tasks, professional activities, machine usage requires multitasking. Our brain is adaptable and is hopefully adapting to this need of multitasking. Meyer explained about how a multitasking activity like driving cars and talking on phone is a cause of major accidents. But don’t you feel driving a car in itself is a multitask activity. You have to be alert on different level, pull levers, and watch the traffic, give signals, check mirrors, maintain speed, take the curves and so much more.
In case of audits, I can recall a particular instance, while asking audit questions, I feel the need to understand the technicalities, write down the points I think should be documented and process the body language of auditees.

Blake I completely agree with you that millennials generation are so well educated compare to older generations. They are young but they can interpret everything very good, and also are good problem solvers. I think these abilities are the result of good educating. I also agree with the fact that they are so good at technologies. They can understand how to work or apply new technologies much faster, and I think it shows how they can be experts in their jobs in the futures. These abilities can have an impact on the Audit and Assurance professions, and help auditee to find expert employees in near future.

Every industry is affected by new technologies these days, and it can be a good motivation for people to increase their knowledge. In this era, technology plays a vital role in all the industries, and professions, and the auditing profession is no exception. Adopting a new technology can be difficult for older generations, so they prefer to do their jobs the old way, and it can make them inflexible in regards to new technologies. Millennials are more flexible with changes compare to older generations, and they are more enthusiastic. I believe that millennials can have a stronger background with new technologies since they grew up in the age of Internet and computers. Also they can adopt some new technologies faster than older generations, and they can be more flexible in negotiation, and collaboration. For reaching an agreement or to get a win-win situation, people need to negotiate with each other. According to The Soft Skills Challenge, Part 2 article, “Good negotiators understand that a win-win outcome may not be achieved and have a considered set of alternative outcomes, ideally based on compromise, i.e., all the parties make concessions to reach an agreement, even if recognized not to be ideal. In audit, compromise is acceptable as long as it does not compromise the auditor’s integrity or independence. The challenge for the auditor is to recognize when it is time to be firm and when compromise is an acceptable path to follow.” I believe that the millennials have a good ability in building relationships, and negotiation. Due to these abilities, and being so familiar with new technologies, they can have a beneficial impact in every industries.

There are plenty of opinions regarding the so-called “Millennial” generation. This the generation you will most likely be working with as you mature in your career. How do you think the Audit and Assurance profession will benefit from their contributions?

I think “Millennial” generation’s effects will be seen on every aspects of life, besides Audit and Assurance profession. These effects are not only related to technology but also relevant to social life.

Some of the things are written that I thought. I do not want to repeat them again. As a summary, the “Millennial” generations are more educated and connected to everything than previous generations. To give an example; online education facilities are now available for them. Also they can find what they want to learn by using technology immediately. They can improve their communication skills easily with texting, sharing, and video conferencing by their smart mobile devices. They can understand and adapt quickly to technology changes… What I want to say is that they are so dynamic in life than previous generations. And I strongly believe that they will affect job culture in every discipline.

In my opinion, the most important contribution from “Millennial” generations to Audit and Assurance profession is to automate some steps of audit process by using their technological knowledge. Some steps in auditing may be taking longer because of manual processes. If some possible steps can be automatized, we might have more time to focus on audit quality. “Millennial” generations may find many quick solutions to improve audit steps because they like to live fast. I think automating some steps can increase efficiency, effectiveness and integrity of auditing process.

I agree with you Blake that the Millennials have a great advantage of having to grow up with the technology. They are quick to learn and well educated. They are ready for change and ready to challenge the norms as you said. All these qualities are traits of a good Auditor or Assurance Professional. One thing that Millennial lack is experience and would be able to perform better with experience auditing various fields. Technically they could be skilled, but it takes time to understand the business, the work culture, the organizational structure and therefore focus on business goals. They tend to make quicker decisions based on facts rather than experience or need of the business which can create conflicts. Understanding and learning the business goals and collaborating with experienced staff can help one to be successful.

I like your explanation of driving a car as a multitask activity, Priya. I totally agree that most of the recent jobs and activities require a multitasking abilities which based mainly on time management and organizational skills. In fact, employees who multitask effectively must be able to rotate their concentration smoothly and entirely from one activity to another.

Hi Mustafa,

I agree with your comment ” the most important contribution from “Millennial” generations to Audit and Assurance profession is to automate some steps of audit process by using their technological knowledge”. Over the years I have had experiences with the older generations where they refuse to change the process because it always been done that way. I have heard that statement so much that I truly believe it is a true cop-out. Some organization has such antiquated processes, and they could truly benefit from the innovative ideas of a millennial.

Hi Ian,

Your comment is right on point! May I also add that Millennials are great at networking. As you stated, “Millennials are typically curious and use their tech-savvy backgrounds to solve problems …”. They are also not afraid to call on a connection for an in-depth answer to their problem. This generation has had greater opportunity because of the advancement of technology, and they have truly taken advantage of their opportunities. I believe their networking skills will also lend to the assurance process.

I think the millennials will benefit Audit and Assurance professions from a technology perspective. Millennials have grown up with technology and adept it very well. To them, technology is the central to their lives. As a millennial myself, technology is tool to me to access information, to learn, and to stay conned to the rest of the world. As others have mentioned, comparing with the older generations, millennials are definitely more educated and connected in terms of technology. In the world of Audit and Assurance is pretty much technology driven, millennials can help to smooth and improve the process by utilizing their technology skills. They could also help others to adept new technology at workplace; especially provide assistance to the older generations who face challenges with technology. Millennials play a major role in the workplace and they are actively to create, innovate, and make a difference.

Millennials will help the Audit and Assurance profession. Managers need to really understand the personal and professional goals of millennials. Put them on special rotational assignments more frequently to give them a sense that they are moving toward something and gaining a variety of experiences. Challenge them to come up with new ways to streamline processes and to exercise creativity. Millennials have a strong desire to work overseas and this is a rich potential resource for organisations focused on global growth. Less desirable locations could be positioned as an important career path milestone. Every opportunity should also be taken to mix teams generationally.Millennials want and value frequent feedback. Unlike the past where people received annual reviews, millennials want to know how they’re doing much more regularly. Give them honest feedback in real time — and highlight positive contributions or improvements on key competencies.

Millennials are the technological and connected generation. In Audit Assurance profession, Managers can take advantage of their comfort level with teams.
We millennials used to working in groups and teams, we have experienced team success and like to network around the world electronically.
Audit and Assurance profession need to have strong communication skills in order to succeed and improve in the changing, complex international global marketplace. Auditors utilize communication skills in almost every situation they encounter. Millennials with excellent communication skills can always add value to an organization.

Sean,

You are right! the greatest impacts on audit from millennials is in IT aspect. Managers would benefit from their strong technology literacy. Technology is one of the biggest drivers of change in organizations and millennials like to work in challenging environment. They seek ever-changing tasks within their work and cannot tolerate being bored at work.

Yes! I think Millennials are going to handle technological change much more efficiently and effectively than their preceding generations have. Since Millennials have grown up in what can easily be described as a “change generation” they will already have the ability to respond to change rapidly. Their response may also be more positive to change than previous generations too since their lives have entailed so much change on a continual basis, and much of that change has affected them positively as opposed to the technological displacement types of change that have negatively affected others.

You are absolutely right , bu let’s not forget that technology is a double-edged sword. And as we all know (as millennials) we tend to use technology everywhere and in every situation. Some task may not required technology and since we can’t live without it we will try to apply it to the tasks with the risks of making them harder. Don’t get me wrong, millennials will definitely bring a lot in the industry; they may just make it more complex with their technology.

You raise some great risks Paul, but are they limited to Millennials? I might argue that those issues aren’t limited to just Millennials, but you might be able to argue the prevalence might at least be greater than other generations. I definitely agree that the pros and cons of the Millennial technology aspect have to be carefully considered in risk analysis; and especially when considering mitigation techniques like controls. The flip side to that scenario though is with Millennials being the ones conducting the analysis and control design, they more than likely will have the necessary insight into how those risks should be properly considered and mitigated. Essentially, Millennials might be “dangerous” to a business, but Millennials will be the answer to fix that!

The millennial generation will benefit the Audit and Assurance profession greatly in its contributions to technological and IT related areas of business. With previous generations currently dominating the business field, many workers are very change resistant and enjoy sticking to the methods that have worked for years. Millennials understand via their knowledge of the rapidly changing IT world that altering old methods and implementing new designs are essential to remaining competitive and relevant. By bringing millennials into the Audit and Assurance environment, these employees will be change advocates that thrive to alter old designs and implement modern methods to keep the area being audited advancing and relevant. With the millennials vast knowledge of technology due to its role in their everyday lives, adapting to and promoting the new technologies in business will come at an ease and ensure productivity does not diminish. Through their assistance, the older generations will have less difficulties adapting and learning the new methods, encouraging a friendly work environment as well.

I agree with your opinion Binu. Millennials have a lot to offer to Audit Assurance profession. It is equally important for an IS Auditor to have good soft skills along with good technical knowledge so as to establish a good relationship with the client. This domain requires a professional to work with clients of different industries with different work culture. It is very important for a professional to quickly adapt to the client’s work culture and perform steps accordingly. Therefore such people have a lot to offer to this field.

The millennial generation is without a doubt the most technologically savvy group to date, and are connected in ways only dreamt of by the Nintendo generation. It is also believed that they are somewhat disconnected on the verbal communication front often preferring to text or post status’ on social media, straying from the experiences and emotions connected with face to face meetings. The benefit of these types of interactions could only serve to benefit a millennial when it comes time for the tough negotiation; since they have the advantage of possessing adept knowledge of today’s IT world and its future. This is where this generation can benefit the audit and assurance profession, by using their familiarity with technology trends and online chatter to keep auditors and auditee aware of new threats and solutions to manage IT risks and to keep organizations ahead of those with nefarious intent. A symbiotic relationship between millennial and auditors would eventually lead to a sharing of skills, by the auditors keeping informed and communications skills harnessed between the two to allow for more productive and informative negotiations and presentations of risk analysis to a organizations management who may need to make serious investments into their IT infrastructure as a result of the audit results.

Hi Mustafa,

I agree with your comment ” the most important contribution from “Millennial” generations to Audit and Assurance profession is to automate some steps of audit process by using their technological knowledge”. Over the years I have had experiences with the older generations where they refuse to change the process because it always been done that way. I have heard that statement so much that I truly believe it is a true cop-out. Some organization has such antiquated processes, and they could truly benefit from the innovative ideas of a millennial.

Bringing in millennials to the work place is beneficial for the organization because they can bring in new ideas in an advanced technology perspective. Embracing IT allow businesses to grow and expand much faster. Organizations who accelerate the integration of technology into workplace will enable workers to harness technology in way that allows them to have high flexibility and increase of work efficiency. To Millennials, since they have growing up with technology such as computers, smart phone, they are more willing to acquire technical knowledge and soft skills to the work place and benefit the audit and assurance profession. this is a must because they expect to have access to the best tools for collaboration and execution.

Working in IT Audit domain requires a person to be dynamic, good at interacting with people from different industry. The person should be open to the changing environment and should be able to adapt to the changes. All these are the qualities of Millenials. They are the most techno-savvy people and are open to challenges. I believe these qualities help them to contribute a lot in IT Audit and assurance domain as this field requires a person to be knowledgeable and along with that should be good at working in a dynamic environment. Having people with these qualities can help teams and the organization to be successful and result oriented with the audits they perform.

These are risks of pushing change. However, I have seen it done with guidance and support from experienced sponsors. Many of upper management realize the need to change but need a fresh perspective/mind set on how to accomplish these changes. I agree that you can force change but if there is a need, there is a way.

Candace – thanks for the articles. I will be sure to read them…. and you’re right. Multi-tasking is a not a new skill but with having the internet and computers around since birth, millennials have formed a new level to multi-tasking where technology is leveraged. I also agree that there are positive and negative ways to multi-task. An individual (from any generation) must be careful to not overload multi-tasking to the point where nothing gets done.

In my opinion, nobody is perfect and nobody knows everything, including auditors. I would consider “the faker” would be the worst type from the standpoint of an auditee. We have been taught that we cannot say “I do not know” when we are asked to provide an answer or opinion. If we do, the auditee may think the auditor is unprofessional. However, it is easy to see through that if an auditor is bluffing, faking and jargon to cover up their ineptitude. Either way the auditor is losing creditability.

If the auditor is bluffing him/herself by making false statement or recommendation to a client, it is a real danger for the client/auditee because it is wasting client’s time and money, giving them wrong direction and doesn’t add value to the company or the auditor him/herself. In my opinion, it is acceptable to say” let me do some research before I can fully answer this question” or “let me ask my colleagues / specialists” because passing the Certified Information Systems Auditor’s exam does not guarantee you to know everything in the IT auditing field.

I agree that all auditors have their undesirable traits. No one will have everything that you want. I would have to say that the faker is the worst. If you know more about controls and less about regulations, you should have the integrity to say that you don’t know HIPPA or PCI regulations and let someone else deal with those audits. Not being able to say that you need more help will only lead to problems for the company. Mistakes that should have been caught, would not have been caught and could lead to data breaches or penalties for not following government regulations.

I agree with you Blake. I like that you mentioned “integrity.” In fact, integrity is critical to the well-being of society and the records that are generated as a result of audits conducted. A good auditor must have integrity principles in their personal character; as you mentioned the faker does not have this characteristic and that is an issue.

From the standpoint of the auditee, and even the organization hiring that auditor, I strongly believe that the faker is the worst type of auditor. In fact, an auditor can be lazy, dominant, stressed etc. but there is nothing worse than not knowing what they are doing. I mean, one of the crucial characteristic of a good auditor is to determine what is relevant and what is not; how can someone who does not know what he/she is doing can successfully do that?
A faker is a danger for the auditee because he/she would be depending on a wrong audit reports and this could negatively impact their business. Indeed, chances are that the “fake” auditor will either look at the wrong documents or software system during the audit, or simply omit crucial points such as identifying the lack of firewalls for example, and won’t admit it.
An auditee cannot rely on an auditor who fakes his finding. A good auditor is constantly learning and should be honest when he/she does not know a concept, and find a way to be better. Lying about one’s skills is a dangerous thing especially when others rely on you to meet business and stakeholders’ needs. There are a lot of controls and regulations that an auditor must know in addition to the specific type of business being audited. Yes, google may be a good resource in some cases, however, if that auditor does not understand the concepts, such as how to apply COBIT 5 framework to help the auditee create optimal value from IT, internet would not be very helpful. In fact, there is a difference between, looking up a definition, and understanding and how to apply a concept.
Thus, in my opinion an auditor who fakes his/her abilities should not even be hired in the first place and if they are already on board, they should be fired because this is a “fraud”, unless they take the necessary steps to acquired necessary knowledge to become successful in the field.

Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

From my personal standpoint, I would choose “The Lazy” IS Auditor as the worst type. As being the auditee, I would want an IS Auditor to be the total opposite of Lazy. I believe constant innovation is key much like technology and if my auditor could not keep up they would create a cesspool of vulnerabilities due to their lazy risk assessments and lack of motivation. According, to the definition of “The Lazy” these auditors can be identified by poor or incomplete working papers, few or no tests, a focus on low-impact, low-risk topics”. Auditee’s should not be okay with these behaviors. Personally, speaking I would not be okay with my auditor preforming little to no test and delivering incomplete documentation. I believe being this type of auditor totally undermines the overall duty of an auditor to ensure compliance with established internal control procedures by examining records, reports, operating practices, and documentation. They need to be able to assess assets and liabilities by comparing items to documentation. Completes audit work papers by documenting audit tests and findings. Overall, the auditees should be concern that their audit are perform accurately as stated above, because this allows their organization to combat threats, as well as be efficient and prosper.

The Faker is the worst from the perspective of the auditee because there are times that they will receive information that is not accurate due to the faker. This will decrease the trust that the auditee has for the auditor. Also, the auditor will lose credibility when the false information re-surfaces. An auditor needs to leave room to learn, grow, experience, and continue to develop as an auditor. The lazy would be the second worst but I think that a wake up call could transform a lazy auditor. There is a sense of arrogance to a Faker that will not allow them to realize a wake up call. It is important to be honest with yourself and your team about how knowledgeable you are on certain topics. It is important to rely on SMEs on your team when you are not knowledgeable on certain topics. You may only have one chance to provide accurate and correct information to your customer. All it takes is one mistake and a customer may leave your team for a competitor. Overall, the faker does not help the business reduce IS/iT-related risk or help the auditees focus on the best opportunities for improvement because they actually increase the risk and point the auditee in the wrong direction.

Dr. Ed Glebstein, Ph.D. lists and describes in his article “Is There Such a Thing as a Bad Auditor” a number of “Auditor Types” with the intent of helping readers recognize possible weaknesses in themselves.

Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

I would say the worst category of the Auditor types is The Well Connected from the standpoint of the auditee. Why? They are made to become auditors because they simply “Well’ know someone in a higher position in a company. No mention is made of their poor qualifications or skills in Auditing.

The reason why Auditee hires Auditors is to ask them to identify possible vulnerabilities so as to mitigate risks. In order for the Auditors to meet the expectations, they should have in-depth knowledge and understanding of the specific field they are auditing. It will be very frustrating to see if Auditors couldn’t conduct their work properly or generate ridiculously poor quality of the work.

At least, if people are disqualified for what the position is, then they should not be hired even though their father/mother/good friends are the hiring manager.

In my opinion, the worst type of auditor from Dr. Glebstein’s list is “The Bureaucrat”. The Bureaucrat is described as an auditor who “sells” projects to the business but doesn’t produce the proper return on investment. The Bureaucrat is an illusionist, who seems to have a company sponsor / budget for IS/IT projects. Instead of focusing / prioritizing on mission critical projects producing higher ROI, they get too technical and try to implement irrelevant solutions to make a busy impression.

To reduce the chances of someone turning into The Bureaucrat, I would recommend assembling a technology committee to review all projects before, during, and after the process. The project should have specific benchmarks and performance metrics to realize returns and prevent over-spending.

The Bureaucrat is the worst for an auditee because they prevent a good return on investment. One of the hardest things to do is get the company to fund a project. There is only a limited amount of money for projects, and you are affecting other employees by intervening with their everyday routine.

Imagine if the City of Philadelphia (Auditor) said they were going to widen Broad Street to reduce traffic and car accidences. By doing so, travelers will have to use other side roads until the work is completed. As a driver (Auditee), we accept the burden because the end result will be a quicker and safer commute. The City of Philadelphia decides it wants to have state-of-the-art system similar to the I95 roadways because it will produce the fastest and safest route. The decision sounds great, but after going over budget we realized the I95 roadways were too much because Broad Street doesn’t get as much traffic as I95, the buildings are too close, and there isn’t side street parking. And I wasn’t able to use Broad Street during the entire project.

The Bureaucrat sold the CFO, the CFO said “yes” to the money, the operations manager said yes to the audit, and after everything was said and done, the Bureaucrat is behind schedule, and over budget.

With the dynamic changes in the business environment, being able to know everything about a particular field is an impossible for an individual. However, continues learning and the ability to identify the personal strength and weaknesses are essential points for any employee. In each company, the right person should be in the right place doing his specific tasks which he supposed to has full knowledge about. When an individual in a firm fails to identify what he/she is capable of doing, that may consider as an obstacle to achieving the business objectives. Thus, I strongly believe that the faker is the worst type of any employee especially the auditor. Actually, an IT auditor is responsible for the internal controls and risks of a company’s technology network, and that require a full understanding of the enterprise’s activities, technologies, goals, and the employees’ responsibilities. If the auditors pretend to know things they are far from mastering and rely on cheating and faking to cover up their ineptitude, the auditor will lose their credibility, and that may negatively impact the business.

I agree with you that “the Faker” may be the worst type of auditor from the auditee perspective. Although it may be easy for some auditees to spot a faker for others the faker may slip through the cracks. Slipping through the cracks and becoming a trusted authority on the topic of audit is where the faker can cause the most serious damage to a business. If the faker becomes trusted than whatever they say and do becomes acceptable without question as the correct and valid thing to say or do when it comes to audit. That can be dangerous as it may be in direct violation of an industry, regulatory, or statutory standard with which comes serious penalties if not followed with strict adherence. So although the faker may just be a momentary pain to a more seasoned auditee, to a newer auditee the faker could be a catastrophic consequence.

Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

From the standpoint of the auditee, I would consider that the bureaucrat is the worst type of auditors. According to the article “Is There Such a Thing as a Bad IS Auditor”, the bureaucrat is defined as creating work for themselves as well as other colleagues when it’s not necessary and does not add value to the auditee.

At my previous job, I used to assist auditors in collecting/organizing the materials and files they need. I have seen some auditors spent a lot of time on unnecessary documents. There was one time that I tried to help so the auditor could save some time. However, when I pointed that point, he thought I wasn’t cooperate and I should have just followed what he told me to do. This type of auditors really wasted time, which they could have utilized to do something add more value to the auditee’s company. In addition, the auditors should understand that all other people have tasks to do; assisting them is just a part of it. From this point of view, in my opinion the bureaucrat is the worst category of auditors.

I agree that The Well Connected auditor is one of the worst types, though I’m now thinking from the standpoint of the audit team and its leaders, rather than the auditee. The Well Connected is hired due to pressure from someone in a position of power, which means that, once hired, this auditor can be very difficult to get rid of. In addition, due to their ability to acquire the job with little, if any, effort on their part, they can develop the mindset that they’re untouchable. I could see the Well Connected auditor developing traits from The Lazy and The Faker as well, thinking that they’re secure in their position and do not need to put in as much effort as others or learn about new business processes or technologies that may be audited.

Which one of these “Auditor Types” do you consider the worst type from the standpoint of the auditee? Why?

All of these types, when taken to the extreme, are clearly not what anyone wants in an audit organization. But from an auditee’s standpoint I would think that “The Faker” is the worst. The reason being, that this individual makes no attempts to learn about the business/process/technology/etc. that they are auditing, and instead tries to bluff their way through. As the article mentioned, auditees are usually very quick to pick up on this, and it can damage the relationship between them and the audit team. By not understanding what they are auditing, a Faker may not recognize risks or controls where they exist and may incorrectly raise issues.

Great post Candace! I totally agree with your comments about the Stress creator type.
According to study conducted by Richard Lazarus, stress goes to various appraisal levels and influences specific type of performance. At secondary appraisal, the person begins to think what he can do his best to lower the stress. A moderate level stress in fact optimizes performance.
A study conducted by Freddi choo states auditors performance improvement as stress increases from a low to moderate level with optimal performance at moderate stress level and decremented performance at excessive stress level. I believe the same applies to auditee. Given a freeway, auditee may not even take efforts to gather required documentation, or would take the audit casually. Some stress would drive audit in a right direction. A stress giver will definitely collapse the auditees stability and return with less or no information.

Great post Magaly. The Lazy type can yield a absolute wrong result. They would be dependent on previous documentation, or worst the previous report and do a copy paste.
However with this kind, the audit report reviewer or senior auditor will easily catch hold of him and his mistakes. It is very difficult to justify why have you included an observation and why you have not. When the report is reviewed thoroughly, the lazy auditor will have a extremely hard time. He will not have evidence to justify his own report. Lazy auditor will have to go back to the auditee to verify what he has not when coupled with a good type of senior auditor, reviewer or peer.

IT audit values independent skilled assessment of risks and controls. As an IT auditor it is important that you evolve as the industry is evolving. True traits of an auditor are clearly seen through the auditor’s experience, education and most of all his behavior traits as a human being. Ed Gelbstein, Ph.D.in his article “Is there such a thing as a bad IT auditor” has touched base with the fact that personal traits influence the professional behavior. And I totally agree with his viewpoint. While reading this articles I recollected a lot of instances where I encountered these types of auditors. Imperfection is a characteristics of humans and their negatives affect the way they perform tasks. I believe the bad auditor behavior is not a purposeful behavior but it’s natural to a type of person he/she is.
From the various types listed, I believe the worst influence on audit result would be by the ‘The Faker’ and ‘The Timid’ types. Both these types throne the auditee and give him the rights of concluding the audit. An auditee is a person who has certain expectations when he is undergoing an audit. He wants a judgement by a person who is having better knowledge for inspection. He wants a certificate of assurance. And yes, there are types of auditees that influence the audit too. However the auditor must drive the audit. ISMS defines independence and decision making roles of the auditor. Auditor’s behavior drives the audit.
The Faker type would not be able to complete the audit at a satisfactory level. Any discussion goes in depth as it continues. A Faker establishes a lie at the beginning of audit and as conversation gets deeper his level of understanding keeps falling. He will not only miss a possible observation but also give a wrong information to the auditee. One wrong doing affects several other areas. Example, a faker pretends he knows well about a new technology like Drupal. He cannot make comments on vulnerabilities in Drupal, he has to agree what the auditee is stating. The effect of audit is nullified. Had the auditee to decide if he’s complaint or not, there is no need of an audit.
A timid auditor too falls prey to auditee driven audit. Being knowledgeable he might see the flaws but they get suppressed in front of a strong auditee. He would tend to miss or purposely skip many steps to come out of the frustrating situation. This again nullifies the purpose of the audit.

Both parties must realize that audit is not war. Both the auditor and auditee are in same team and work towards company objectives. Professional are acquirable and can be gained with practice. Auditors must self-assess using Ed Gelbstein article and try to transition to as better type.

Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.
From the standpoint of the auditee, I would consider that the Faker is the worst type of auditors. IT technology is changing every day, so the IS auditor cannot know everything when their perform audit. The IS auditor should be honest to consider the capability to do this audit tasks. But then there are those who are unable to say “I do not know and will find out” and instead pretend to know things they are far from mastering and rely on bluffing, faking and jargon to cover up their ineptitude. An experienced auditee will see through this and the auditor will lose credibility. An experienced auditee will see through this and the auditor will lose credibility. Internal auditing is performed by professionals with an in-depth understanding of the organization’s business culture, systems, processes. Internal auditors are expected to follow the IIA’s International standards for the professional practice of internal auditing (standards) and adhere to its Code of Ethics. The audit is the independent, assurance work, so the auditor should keep theirs trust and reliability. Otherwise, the faker will influence their future work, and nobody will trust their work.

I too think that the well connected is a bad type of auditor. Initially I thought that it may not be that bad, but when I thought more about it, I changed my mind. How could someone be independent when they may have been given the job as a favor to an executive? I think that would be very hard, especially if they don’t have previous audit experience. You definitely don’t want anyone that feels protected, which a well connected may if they have an executive on their side. If someone felt protected, they may not put in the effort to do a good job.

I do still think that if someone did a good job at an other organization and was hired on a recommendation, that would be ok. I wouldn’t have a problem with this because while they got the job through a connection, they don’t have a real connection in the company.

Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

In my opinion, the worst type of auditor from the auditee standpoint would be that of “The Cookbook Auditor”. This type of auditor is one who generally uses a checklist of which they need to audit upon and can often times not have much experience in the audit field. Likewise, these types of audits rarely scratch the surface and often the auditors are just looking at last year’s documentation and attempting to replicate it with current year’s information. My reasoning for why an auditee might find this type of auditor the worst is due to my past experiences. I have been involved in SOX compliance audits where the purpose of the audits was in question. The auditees found the audits to be “pointless” and that gathering the evidence and providing to the auditor was a burdensome task with not benefit. In situations like these, the auditee more likely than not will not make the audit work their priority which makes the audit itself a timelier endeavor. Lastly, if a recommendation is made by the auditor the auditee will likely not approve of the recommendation since the basis of the audit is just to meet some checklist. With that being said, I think all the different types of auditors can/do inhibit the working relationship with the auditee and overall effectiveness of an audit.

Nice post Alexandra. Lying about your knowledge can be very risky especially because the auditee would most likely be an expertise in that field and would very easily find out if you are lying or not. Not only that it is difficult to fake knowledge for a longer period of time. The Faker can therefore incorrectly determine the risks as he may not really understand or miss on some of the risks which can be harmful for the audit itself. Without understanding the technology, he cannot make any useful recommendations to benefit that function. An auditor should always be quick to learn and correct themselves if wrong. Lack of knowledge does not make an Auditor bad, but it is lack of interest to learn or update his skills which can cause audits to fail.

While the traits mentioned by Dr. Ed Glebstein, Ph.D in his article “Is There Such a Thing as a Bad Auditor” are all undesirable traits of an auditor, in real time we do see such characteristics come by due to the fact that Auditors are also human prone to different behavior. Reading this article one can be aware of their behavior type and make conscious effort not to fall into any of this categories.
All the types have their own demerits, but I think ‘The Geek’ comes out to be problematic especially if he has zero interest in the business objective. The main purpose of an IS/IT audit is to see that the IT is strategically aligned with the business objective. Having knowledge is not good enough if he is not really concerned about the business impact the risk may have. If he wastes the auditees time on doing what is not necessary, the auditee may fail to trust the auditor’s skill and thus the auditor may lose credibility in the long run. Not only that the main purpose of audit is defeated here.

From my point of view, the worst type of auditor from Ed Glebstein’s list is “Well connected”.

It was just last week that our senior audit manager in our department (Internal audit) asked us to complete an annual affirmation survey. Questions were based on the definition of internal auditor code of ethics. They asked if we have any relative, partner/significant other, close personal friend, or adversary working for either our company or external audit company.
I believe that well-connected employees may exhibit poor soft skills, also they don’t have the attitude to avoid any conflict of interest. A “conflict of interest” is a situation in which an internal auditor; who is in a position of trust, has a competing professional or personal interest. A conflict of interest could impair an individual’s ability to perform his or her duties and responsibilities objectively.
Internal Auditor Code of ethics is listed as below:
Internal auditors are expected to apply and uphold the following principles:
• Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
• Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
• Confidentiality
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
• Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
For more information about Internal Audit code of Ethics, please refer to: https://na.theiia.org/standards-guidance/mandatory-guidance/pages/code-of-ethics.aspx

I agree with you Priya. Lazy auditors cannot work independently since they do not put so much efforts on their jobs. They will probably have many incomplete tasks that cannot be completed on time. I also believe that lazy auditors can be so careless because they cannot concentrate about on the job at hand, and this can become a huge loss for the auditee.

Some people believe that auditing is a stressful job, and it can affect people who work in this field. In my opinion, according to Dr. Ed Glebstein’s article, one of the worst type of auditor is “ The Stress Creator “. Stress can have an impact on auditors’ job, and it can reduce the quality of their performance. As we read in Dr. Goldstein’s article, having stress can make auditors bad leaders, and it prevent people to associate with them even if they are the best auditors. Stressful auditors cannot work efficiently in a team, and it can make other team members uncomfortable. In a stressful work environment, employees cannot stay, and their performance will decrease. According to Audit structure, role stress, and job satisfaction, environment an Dmotivation: evidence from Thailand by Wittayapoom, Kanyamon article, “In large audit firms, auditors are likely to experience high levels of stress (Rebele and Michale, 1990). The work environment has many unpredictable, volatile and sometimes conflicting variables concerning professional standards, organization rule, and procedures (Otley and Pierce, 1995). Beside, it is relatively fast-paced, with the auditor continually learning new roles. The possibility for role stress being associated with poor job satisfaction should be a significant concern to the auditing profession (Fisher, 2001).” Audit team needs to have job satisfaction that needs to provide a relax environment for them. I also believe that stress can affect on concentration, and it can cause some mistakes on their task. Auditors who have stress cannot concentrate on their jobs as good as relaxed auditors, and they can be more careless due to less concentration. This reason can affect the relationship of auditors and their clients/auditee. Clients/auditee prefer to work with auditors who focus on their job, and fully understand clients’ needs.

Which one of these do you consider the worst type from the standpoint of the auditee? Why?

Actually, all answers are correct which are written here. Because, the answer of this question is related to the meaning of the “worst”, according to auditee. For example, does “worst” mean be arrogance? If so, the well-connected auditors may be the worst type of auditor from the auditee perspective. Or, does it mean “wasting our time on irrelevant and insignificant issues”? If so, the geek auditors may be the worst type.

I agree with all of you but I would like to approach this question from a different perspective.

To be honest, according to me as an auditee, the “worst” thing is “more findings”. I prefer to see fewer findings in my report. Therefore, in my opinion, the worst type of auditor from Dr. Gelbstein’s list is “The Bureaucrat”.

As we remember from our course, communication is the one of the components of the audit process. At the end of the audit process, all findings must be shared with auditee before arriving final conclusion. And they should be all confirmed by communication. If you are right, you can convince the auditors at the end of the audit, whether the auditors be a well-connected, faker, or lazy. On the other hand, I think set up healthy communication with Bureaucrats is a bit harder than others. As you know, they are professional at the creating work to others. They focus more on documents and are likely to create more findings that are not important. However, their audit does not add value to the auditee. They can make recommendations that the auditee cannot possibly implement. Worst of all, probably their findings will result in penalties.

You mentioned very good points. I agree with you that the faker is a danger for the auditee. Auditee should be able to rely on auditor’s information. False information can mislead the auditee, and it can make a huge negative impact on the company’s future. The faker can ruin companies trustworthiness, and they will lose their validity in the field. I also agree with the part that you mentioned about the faker should not be hired in first place, or fired if he/she is on board. This can be a good way to prevent fraud in companies, and this way can persuade people to stay far away of being dishonest.

Mustafa,
I like your consideration with “worst” meaning, it really makes sense. Also, I understand your point of view about the “The Bureaucrat” type, but do you think the lack of communication skills in the auditor may lead to significant impact for the company and its objectives comparing with other Auditor Types?
I believe that it leads to negative consequences, and it’s absolutely not the ideal type of auditor but in the same time, some of the other types effect both the individual and the company.

I agree with you Yu ming, the faker is incompetent in certain area and mask the incompetence with lying instead of building their skills. Auditors are risk, compliance, and process experts, but not necessarily experts in everything their clients do. When faced with complex situations, the faker will attempt to “fake it” instead of learning the industry or processes. This is dangerous. this type of auditor prevents the completion of productive engagements. The evaluation of the control environment is not based on a truly objective review. This compromises the integrity of the entire audit.

Laly, would you be ok with an auditor who has no idea about what he/she is doing? i mean what’s worse? one who is ignorant and refuses to learn or one who knows things but is just lazy, need a little push? I think lazy auditors are still good at observation and inquiry. They are still able to provide sound audit recommendations. the downside is that they have issues completing audit engagements. Don’t get me wrong it is still a bad personality, but not the worst in my opinion.

Binu,

Well said, your comment to this question is pointing to what I mentioned about question 2, from an Audit perspective , auditors that have deep and detailed knowledge about technology “The Geek”, can waste an excessive amount of the auditees’ time on irrelevant and negligible subjects.

Also I was thinking about recruiting process for Audit position, the students that had deep technical background, had much more difficult time to get an audit position, Now I can conclude that the employer may had the same concern.

Hi Mustafa,

I see your point and I agree. You stated “They focus more on documents and are likely to create more findings that are not important…They can make recommendations that the auditee cannot possibly implement. Worst of all, probably their findings will result in penalties.” I can recall an audit that I experienced as the auditee, and it was the worst. The auditor kept requesting document after document, which became cumbersome and unnecessary if you ask me. To make things worst the audit was being conducted under the busiest time of the quarter. It reached a point where my supervisor had to step in a demand that all required documentation be requested at one time to avoid the continued back and forth.

Hi Somayeh,

I truly agree with your comment about the stress creator ‘s impact on the auditing environment. You talked about auditors being stressed and making mistakes. If a stressor creates this type of environment it could disrupt the assurance process, which could cause a false conclusion. I believe an auditor should make every effort to maintain a positive environment, which will assist them during their execution process.

An audit is conducted on a subject matter to assure that it is in compliance with the required standards, legislation, and regulation. A written communication is then created by an auditor which expresses a well-defined conclusion about the subject matter’s adherence to controls. The auditee and users are reliant on the auditor’s conclusion and recommendations to assure they are in compliance with standards and to correct any weaknesses that were identified. An auditor’s role within this process is strongly dependent upon, and bad auditing practices are not acceptable. However, as Dr. Ed Glebstein pointed out auditors are human…and imperfect”. In reading this article I have concluded that all of the auditor types listed are horrible, and in their own way presents a weakness within the field of auditing. It is truly hard to identify just one, but as the auditee, I would definitely choose the faker. In my opinion, the faker can cause the most harm to an organization’s objective with remaining compliant. If the auditee and user are given misleading information because the auditor “pretend to know things they are far from mastering and rely on bluffing, faking and jargon to cover up their ineptitude” it can/will put the organization at risk of receiving a penalty or experiencing losses. Auditors that fall into the realm of faking are unethical, and I believe they are the worst within this listing. However, any auditor that cannot truly adhere to the assurance process and produce an ethical conclusion should not be allowed to practice.

Hey Mustafa,

You bring a different perspective to the question. You state that if you were an auditee the worst thing that you can get would be “more findings”. What happens in a situation where the audit is performed on a newly designed process or department and that this is the first audit? If I am an auditee, I would like the auditor to help identify any areas that need to be corrected and therefore the “findings” are more beneficial since they can be addressed shortly after the implementation of a project. Maybe it is because I have worked on the audit side, but I see audits as a means to help an organization and not a way to penalize or the auditee.

I think Lazy is worse in the auditor. If a person is lazy, he will not able to collect and analyze evidence, and he may past last year audit results and documentation. the lazy factor, which is likely an underlying issue that stands in the way of you enjoying your career (and perhaps your entire life). The lazy employee may ignore the significant audit results due to provide complex substantive test. The lazy people will not observe and inquiry, because it is too complex work and bring trouble things for themselves.

Good point Priya, I like that you mentioned that “As an IT auditor it is important that you evolve as the industry is evolving”. Indeed, the great thing about being an auditor is that you are constantly learning. Every audit provides new situations and challenges. Legislation and regulations change too. There is no way a faker can be trusted. I mean the more you know about your client industry, the better you serve them.

Great post! It is obvious that no one wants this type of auditor. However, I think it the type that would bring the least problem. True that they are lazy and will not do the job the way they are supposed to, but at least they will not be faking. They will do the bare minimum and sometime present incomplete work. But their supervisor will always catch on the missing part and make it right. This type can only slow things down contrary to fakers that can create much greater damages.

Great post Alex! I totally agree with you on this one, but companies do not know that they are hiring fakers. In fact, they are fakers because they are not who they said they are and got hired based on those false statements. One thing companies can do is to strengthen their background check process and hire auditors only based on their reputation and experience.

I agree with you, Yu Ming. “The faker” might provide false statements or recommendations to clients, it wastes the company’s time and resource if the company just follow the false statement or recommendation. Other types of auditors, even though they are lazy, geek, or timid, I think they can still contribute the company some useful thoughts. People can’t be perfect, it is the normal thing that people have different weaknesses. However, “the faker” has no advantage for the company because they lie all the time in order to pretend they know as much as other auditors.

Hey Alex, good post, I strongly agree with you that faker is the worst type of auditor. If they issue wrong opinions to the auditee, They can cause the most catastrophic damage to a business. There is a lot of sources available like COBIT 5, NIST for the auditor to refer to. A responsible auditor are meant to be reliable all the times!

Hey Mustafa, I like how you stated that auditors focus more on documents and are likely to create more findings that are not important. It is a good point and I never thought of that. You are right, “Less is More” and that “more” doesn’t always add value to the organisations/auditee. That kind of auditors works so hard but they don’t know what the clients need or whether they are able to afford to implement the recommendations after the audit is finished.