For years, I have had IT audit directors ask me, as a recruiter, to look for experienced IT audit professionals with “auditor instinct” – that ability to “just know” when something isn’t quite right and when more questions and more digging are needed to surface the big issues, the root causes, the major findings.
Why should you care about this skill? Here’s the thing. Although auditor instinct doesn’t show up in job descriptions, it is a competency that hiring leaders are evaluating when they interview candidates and that managers think about when evaluating job performance. Developing this skill will be hugely beneficial to your career whether you are in the first, second or third line of defense.
But how do professionals develop this elusive gut feel? How long does it take to acquire? Is it a transferable skill if you move into the second line of defense or the first (information/cyber security)? So many questions.
On a quest to get the answers, I reached out to three CISOs who had spent time in their careers as IT audit leaders, and to a current head of IT audit who had started his career in IT. Together, they have a range of varied industry experience: consumer and industrial products, retail, banking, healthcare, insurance, distribution and consulting.
With this diversity of perspectives, it was almost surprising that these security and IT audit leaders all converged on their answers. Is there really “auditor instinct”? Most definitely. Is it valuable? Very. Is it a skill that can be applied to information/cyber security? Absolutely.
So, what is auditor instinct? One leader described it as “spidey sense,” referencing the uncanny instincts that guided superhero Spider-Man. You have a baseline of data and inputs about people, processes and situations. You take your current situational observations and compare to the baseline. Do they align or is something off? As one CISO said, “It comes from a place of knowledge and competence. You have to know how stuff works.”
Over time, this focused, conscious consideration of the norms for any given situation, person or process becomes much more intuitive. At that point, there is enough experience to just sort of “know” that there is more than meets the eye, similar to the way experienced drivers intuit that small swerves by a vehicle ahead signal the potential danger of a texting or otherwise distracted driver: time to change lanes.
Jeremy Zahora, SVP, IT Audit at Wintrust Financial, commented, “It’s not a skill that can be mastered overnight, and it’s developed incrementally over time. A big part of it is being able to read people and situations. To have a sufficient baseline, an auditor needs to have the background and experience to leverage. This is something that an auditor starts building on their first audit and is something that continues all the way to their last.”
How long does it take to acquire auditor instinct? The leaders I spoke with indicated that with four to five years of experience, an observant professional working on diverse projects would have a good foundation for this competency. With more experience, the skill is fine-tuned. The “been there, done that” experience was deemed important. It was also noted that when people stay only one to two years in the field, and this is particularly true for IT audit, it is too little time for auditor instinct to mature.
The value of this skill for an auditor is that it enhances one’s understanding of areas where there may be issues that need to be raised, investigated or tested further. With the constraint of audit time budgets, saving time and focusing on the right stuff is crucial. The engagement and attentiveness required to build the skill also fosters trust and credibility. It will improve your overall performance on the job. On top of that, auditor instinct is highly transferable to information security and myriad other career roles.
Security professionals also reap important benefits from this skill. In information/cyber security, saving time is crucial. John Blair, VP/CISO of a major healthcare company, noted that “There is a big difference between five minutes and an hour; the clock starts when the link in a phishing email is clicked. You have to be able to detect anomalies. How quickly can you detect when someone clicks on something?” Thus, this sense that something is off – a system that is running a bit slower, for instance – prompts one to go check the SIEM logs to see what’s up.
And information/cyber security, like audit, involves people and people’s behavior. Tuning into folks in the business and beyond, engaging, building trust, and asking deeper questions are as critical to strong job performance and accomplishment in security as in audit.
How does one acquire this important skill? My panel of experts had a lot of pointers:
- Be observant. What’s normal? What’s not? What is different now?
- Engage people and build trust so that they will talk with you.
- Develop a big-picture view of your organization and its business strategy.
- Know how IT systems work. The more you know, the better the dialog will be, and the faster you will build credibility.
- Know the environment you are working in and the relevant regulations and their requirements, applicable frameworks, and controls.
- Listen carefully. Ask questions. Then ask follow-up questions.
- Your stakeholders and internal clients are the subject matter experts. Treat them as such.
- Don’t be afraid to say you don’t know or that you aren’t really sure how something works in detail (even if you have an inkling).
- Learn the acronyms specific to your IT environment.
- Be curious and a student of human nature.
- Realize that an audit checklist can signal to stakeholders that you may not know much and won’t ask questions beyond the checklist.
- Build a strong foundation of risk and controls knowledge through certification.
IT audit leaders and CISOs agree that “auditor instinct” is a critical competency. Mastery comes from practice and experience. Every project is an opportunity to develop this skill. Observe good role models and talk with them about how they “knew” to ask an important question or how they “read” a particular person’s behavior in an interaction. Audit and information security are both science and art. Learn the art of auditor instinct as you deepen your technical skills, and you will be on your way to superhero performance!