As I promised in my first blog post, “Gearing up for my Summer Internship at Key Bank”, I will go into more detail about what being a member of the IT General Controls (ITGC) SOX audit team looks like on a day-to-day basis. Before I get into anything too serious, I need to start with the basics. Some of the most important things I have learned this summer about being a technology auditor came from my marvelous manager, Brian Drotleff. Ironically, most of those things are witty one-liners. Some of my favorite one-liners are:
- Be comfortable being uncomfortable
- Be curious
- Trust, but verify
- If it’s not documented, it didn’t happen
With these handy dandy proverbs in your pocket there is nothing you can’t achieve in the working world.
The first saying is by far my favorite. I think being comfortable being uncomfortable is applicable to all parts of life. If you can be comfortable not understanding or knowing everything, yet still make inquisitive, intelligent steps toward your task, you will be worlds better off. Throughout my internship I have learned to be comfortable being uncomfortable very quickly. From day one I was staffed on a project looking into access provisioning. I am by no means a subject matter expert on access provisioning, but by starting from what I do know, I can build the steps needed to fill the gaps in what I do not know and complete my testing. The more comfortable I get with being uncomfortable, the better I fare with each new set of testing!
The second maxim once again applies to almost everything in life and ties in very closely with the first. If I had a nickel for every time I was encouraged to be curious, I would probably already be retired. All jokes aside, being curious is essential to being a technology auditor. If I get an email back from app support and do not really understand what they mean, it is imperative to take it a step further and confirm that my understanding matches what they actually said once the technical lingo and abbreviations are deciphered (there are abbreviations for everything, including abbreviations for abbreviations).
The third axiom plays off the second. It is paramount for Risk Review, as the third line of defense, to ensure that what is being reported is accurate. You cannot rely on information sourced from an application or system unless you have first confirmed that the application or system itself is working accurately and as intended. For example, if an individual tells you a password is securely stored, that is great. You can trust them, but you had better verify, which means asking for evidence (the hashing configuration, a sample of the stored values) rather than accepting the statement on its own.
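One way to put “trust, but verify” into practice on the password-storage claim above is to pull a small sample of stored values from the application’s credential store (or a read-only replica) and check what scheme they are actually in. The script below is an added example written for this page; it is not code from the blog post or from KeyBank. The export format, the rows, the hypothetical usernames and the minimum bcrypt cost are all constructed for the example, and the regexes only recognize the storage format, so a passing result still needs to be tied back to the production system the sample came from.

```python
"""Added example: classify the password storage scheme in a credential export.

Not code from the original post or from KeyBank. The export format, the
rows and the threshold below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample export, one "username,stored_value" per line.
# Hypothetical users and values; the argon2 row contains commas, so the
# parser must split on the first comma only.
SAMPLE_EXPORT = """\
alice,$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
bob,5f4dcc3b5aa765d61d8327deb882cf99
carol,$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG
dave,Password123
erin,$2a$04$abcdefghijklmnopqrstuuJ3cU1Qm2Q7Y5Q7Y5Q7Y5Q7Y5Q7Y5Q7Y5
frank,5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
"""

# Assumed threshold for the example; substitute the organization's standard.
MIN_BCRYPT_COST = 10

# (scheme name, prefix/shape regex, verdict). Order matters: the generic
# hex-digest rules come last so they do not swallow the crypt-style formats.
_RULES = [
    ("argon2", re.compile(r"^\$argon2(?:id|i|d)\$"), "acceptable"),
    ("scrypt", re.compile(r"^\$(?:7|scrypt)\$"), "acceptable"),
    ("pbkdf2", re.compile(r"^\$pbkdf2(?:-sha\d+)?\$"), "acceptable"),
    ("bcrypt", re.compile(r"^\$2[abxy]\$(\d{2})\$"), None),  # depends on cost
    ("sha512crypt", re.compile(r"^\$6\$"), "acceptable"),  # salted, iterated
    ("md5crypt", re.compile(r"^\$1\$"), "weak"),
    ("unsalted-md5-like", re.compile(r"^[0-9a-fA-F]{32}$"), "fail"),
    ("unsalted-sha1-like", re.compile(r"^[0-9a-fA-F]{40}$"), "fail"),
    ("unsalted-sha256-like", re.compile(r"^[0-9a-fA-F]{64}$"), "fail"),
]


def classify(stored_value):
    """Return (scheme, verdict) for one stored credential value."""
    for name, rx, verdict in _RULES:
        m = rx.match(stored_value)
        if not m:
            continue
        if name == "bcrypt":
            cost = int(m.group(1))
            verdict = "acceptable" if cost >= MIN_BCRYPT_COST else "weak"
            return f"bcrypt(cost={cost})", verdict
        return name, verdict
    # Nothing recognizable: treat as plaintext or a reversible encoding.
    return "plaintext-or-unknown", "fail"


def audit(export_text):
    """Map each username in the export to its (scheme, verdict)."""
    results = {}
    for line in export_text.splitlines():
        if not line.strip():
            continue
        user, stored = line.split(",", 1)  # value itself may contain commas
        results[user.strip()] = classify(stored.strip())
    return results


def summarize(results):
    """Count verdicts across the sample; this is the number for the workpaper."""
    return Counter(verdict for _, verdict in results.values())


def passes_control(results):
    """The 'securely stored' assertion holds only if every sampled value is acceptable."""
    return all(verdict == "acceptable" for _, verdict in results.values())


if __name__ == "__main__":
    res = audit(SAMPLE_EXPORT)
    for user, (scheme, verdict) in res.items():
        print(f"{user:8} {scheme:22} {verdict}")
    print(dict(summarize(res)), "passes:", passes_control(res))
```

Run against the constructed sample, the output shows two acceptable schemes, one bcrypt value with a cost factor below the threshold, and three values that are unsalted digests or plaintext, so the assertion that passwords are securely stored would not pass on this evidence. The screenshot of that output, together with where and when the sample was pulled, is exactly the kind of documentation the fourth one-liner calls for.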
The final one-liner is probably the most important. I can be as comfortable being uncomfortable and as curious as I want, and verify as much as I want, but none of it happened unless I document it. Throughout my internship the screenshot has become my best friend. I am constantly logging conversations and pulled reports as a form of documentation. As tedious as it may seem, documenting is very valuable. When I hit a speed bump in testing, it is very nice to be able to look back at all the documented details from last year for clues to the next steps.
The most challenging part of being a technology auditor is walking the line between being a member of the KeyBank team and being an independent body to the lines of business. Many lines of business do not reply or comply in a timely fashion because we are seen as the folks who show up once a year and point out all of the mistakes, much like regulators and external auditors. I spend a measurable amount of time at work tracking down emails and getting answers. At the end of the day, we all play for the same team. Whether the lines of business acknowledge it or not, it is much better for Risk Review to find something than for the regulators or the external auditors to find it.
Opinions expressed are those of the speakers and do not necessarily represent those of KeyBank