IT Auditors. I used to have an image of them. Not particularly a romantic image. More like a well-defined image, really. I sort of associated them with IT Security Experts: slightly more serious than average, a bit of the worrying type and with an insistent urge to analyse and structure.
All of these are important, crucial capabilities that I sadly do not possess.
Nevertheless, in the past few months I was asked several times to engage with IT Auditors. First as a keynote speaker on a national event and just a few days ago as the chair of the annual networking event of governmental IT Auditors.
And then, as a relative outsider, you learn quickly.

You find out that – just like in IT Security – there are different ideas about how to achieve the best results. Indeed, there is a procedural, analytical side that aims to help the IT Auditor in assessing the correctness of a system. We encounter methods, frameworks and reference models, all firmly rooted in science. Also, many formulas are in use to articulate risks in the most unambiguous way, the best known being – of course –
R = P * I
Risk is simply the probability that a disturbance will occur times the impact of the effects. That is a pretty straightforward way of calculating and the temptation is strong – whether or not supported by checklists – to express all the risk aspects of the system in numbers. It gives that confident illusion of being completely in control, a state of mind that is ostenatiously in the conform zone of most IT Auditors.
On the other side of the spectrum, we find a much more pragmatic approach. Forget all the procedures and frameworks. Instead, gather a group of battle-hardened experts from actual practice (look for scars and raw, cynical laughter) and just let that intuition flow in finding the flaws of the system. Again, there is a parallel with IT Security, in which – next to methodologists – we gladly assign ethical hackers: unpredictable didgeridoo players that, in all their unfocused creativity, know exactly where it hurts.
The Control Freak and The Fool, both can be seen during a cosy day of networking with IT Auditors. And on one topic they are of the same mind: it is becoming increasingly difficult to assess risk when everything is connected to everything and complexity levels explode. Maybe, just maybe it is a better idea to be a trusted partner to business management in a continuous dialogue about risk than to produce one-off audit reports that can only really suggest control and accuracy.
Life-changing stuff indeed. Before you know it, you find yourself discussing with IT Auditors about the impossibility of being objective, Gödels incompleteness theorem and the agonies of doubt in general.
Formulas, they just don’t seem to work any longer.