We commonly hear things along the lines of “that’s required for audit purposes” and it’s therefore not to be questioned. If it really is needed for audit then we should certainly do it. Yet, every time I’ve had the opportunity to talk to an auditor, I discover that they don’t want most of the things that we give them.
In fact, they often hate the full list of things we provide them because they are required to audit everything they are given, regardless of whether they originally wanted it or not. I’ve heard this directly from auditors: they wish we would only give them the things they need.
Sometimes when we talk to the auditors, we discover together that there are different things we could provide to them that would be better for them and also easier for us to provide.
Why do we have such a disconnect?
That’s a really good question that I don’t have a good answer for. In many companies, the development organization is actively discouraged from talking to auditors directly. I have been told “no” repeatedly when asking to speak to one, and yet every time I am allowed, it’s a very useful and productive conversation.
We might think that the auditors are too busy and shouldn’t be disturbed. Yet, with the current model, we’re creating more work both for the development organization and for the auditors. Surely some well-placed conversations would be beneficial all around.
We might think that they should be kept apart under the theory of “security by obscurity” or “what we don’t know can’t hurt us”. Except that’s poor risk management, and since the whole point of having an audit is risk management, perhaps that’s counterproductive.