Auditors, Explained

But who, precisely, are auditors? Who do they report to? Where does their power come from? “Who audit reports to depends on the size of the company, and if it is publicly held,” says Sharon O’Bryan, a former auditor and CISO who has her own consultancy in Saint Charles, Ill.

Typically, O’Bryan says, the audit function reports to the head of audit, who in turn reports to an audit committee, typically made up of the CEO, CFO, COO and other board members. “Historically, audit committees were staffed with board members who people either didn’t know what to do with, or because they didn’t have enough to do. They were rubber stamps.”

But rubber stamps with authority: auditors’ clout, she says, comes from the imprimatur that they attach to financial statements. Consequently, “audit functions do, and did, inspire fear,” she says. “Some companies had a policy of firing people that had, say, three negative audit comments, which made their auditors unpopular. Yet the auditors were told: Come back with negative comments, or you’re fired. It was very endemic, especially in the financial service industry, where an attitude often prevailed of, There must be something going wrong, so go find it, damn it.”

But changes are afoot. As technology encroaches more and more upon business life, observes O’Bryan, auditors have become reliant upon those whom they monitor. “The population of auditors hasn’t kept up with the skill set required to audit technology,” she asserts. “The security function, in essence, has been helping the audit function to audit it, which means that the independence of the audit function is questionable at best.”