My wife (an accountant) and I were having a discussion on the way to my dropping he off at her office this morning, and the whole thing stuck enough of a chord with me that I thought I'd share my insights with you on the subject (imagine that).
She and her office had just completed a year end audit from their internal audit department, and I'm about to go through the same thing shortly with my yearly GCC (General Computing Compliance) audit.
Apparently the auditor assigned to their case was more concerned about tactics than strategies in performing their audit.
It's been my experience especially in assessment and audit situations, that the demeanor and background of the folks responsible for audit oversight are every bit as important as the organization and processes being scrutinized during the audit itself.
I've found that the worst personality type to have an audit oversight is a highly structured and detailed oriented individual, someone with the background of requiring compliance in strict accordance with the letter of the law (or internal procedure as the case may be).
The problem with this approach, is that like most things in life, though rules may be interpreted as binary (0 or 1, black or white), life is not binary, and mostly consists on a continuum with everything being shades along the continuum.
Such is the case with the assessment or auditing process, the type of auditor, in my belief, that makes the best of these types of situations is that of someone with the heart of a teacher. An individual that understands the strategies involved with the process under assessment, understands that situations are different for different cases, and subsequently adjust to meet the spirit or intent of the process, not the letter of it.
I'm not advocating being sloppy about assessment processes, I'm suggesting that life requires balance. And understanding the spirit of the process and measuring against the objective evidence for assessment is every bit as important as the assessment itself.
I would rather have an organization seek to understand WHY things are measured a particular way, so they can do a better job at improving the QUALITY of the process, than worrying about HOW a particular instrument was implemented to collect data for producing an assessment artifact.
In my own experience I've run across several auditors, but three of them specifically come to mind, my experience with all three have been if not enjoyable, then at the very least educational. These are all people with the heart of a teacher, professionals interested in seeing organizations succeed during the assessment process, while not allowing for sloppy process failures. They are come from different organizations and disciplines but all share the same spirit of education.
I've worked with Mary Sakary and Neil Potter from The Process Group for several years in improving the processes on our software development systems using the CMMI, as a model systems and software process improvements.
Without this spirit of education, auditors can get caught up in the HOW data are collected and loose sight of the nature of the control and risk the process is intended to mitigate. This "tactical" approach can lead to crushing rigidity in organizations where strict adherence to the law actually causes processes to fail.
So as a note, remember WHY you're assessing a process, understand the risks and measures needed to mitigate the risks, instead of getting wrapped around the axle about HOW the data are collected.
So what are the two biggest lies told during an audit?
1. "We're here to help."
2. "We're sorry to see you leave."