Clarissa Lucas’ Audit Playlist

Auditors want to work with you

When the auditors come knocking, it’s rare for Management to fling open the doors and happily usher them in. It’s even more rare for Management to invite their auditors in. Auditors, at times, are viewed as Management’s adversaries who get in the way of implementing better ways of working, like DevOps.

What if it could be different? What if auditors and Management could work together instead of getting in each other’s way?

Believe it or not, we auditors want to work with you, not against you. We want you to be able to do your work effectively and for you to achieve your objectives.

Here are a few of my favorite videos from DevOps Enterprise Summits that set the stage for moving past adversarial relationships and toward collective collaboration (and more fun) during audits! Both auditors and professionals who get audited will benefit from watching these videos.

Common myths about auditors

This presentation busts common DevOps myths about auditors. It begins by stating the root problem addressed by the session: Management views auditors as an impediment to implementing better ways of working. Specifically, it explores the following:

• Integrating auditors into DevOps practices.
• Changing the question from asking permission to do something to instead asking how to make it happen well – this mindset can be applied beyond DevOps specific items. I encourage auditors looking to apply DevOps and Agile practices to their own audit work to adopt this mindset and shift their questioning in the same way.
• Digs into the “why” behind certain key controls, focusing on the control’s objectives and exploring different ways of achieving those objectives under a DevOps operating model. Shifting the focus from “this is the control we have to implement and figure out how to fit it in our new operating model” to “this is the risk we’re trying to mitigate; how best can we control that risk now that we’ve graduated to DevOps ways of working?”
• Introduces the importance of working together and bringing auditors along in the DevOps journey to help them understand what you’re doing and why, and so they can better understand your objectives and risks.

Cultivating a better understanding of each party’s objectives and perspectives is an important step in creating stronger working relationships and leveraging that understanding as a superpower to bring the two parties together to work collectively and achieve so much more together. This presentation sets the stage for exactly this.

Audit Panel (Las Vegas 2019)
Matt Bonser, Director, Digital Risk Solutions, PricewaterhouseCoopers LLP
Yosef Levine, Managing Director, Global Technology Controls, Confidentiality & Privacy, Deloitte
Jeff Roberts, Senior Manager, Advisory Services, Ernst&Young
Michael Wolf, Managing Director Modern Delivery Lead, KPMG
Gene Kim, Founder and Author, IT Revolution

How auditors can satisfy their customers

One of the Agile Principles emphasizes satisfying the customer. Instead of the auditors guessing what they think their clients want to learn about, this session embraces this Agile Principle by building the entire presentation around whatever the audience wants to learn about.

It also brings auditors and Management into the same room with the objective of gaining a better understanding of each other—auditors understanding what their clients are worried about and struggling with, and Management understanding what the auditors are trying to accomplish and how they can best add value.

WATCH: Auditors’ Workshop – What You’ve Wanted to Ask an Auditor but Were Afraid to Ask (Las Vegas 2019)

Seeing auditors as partners

These next two presentations hold a special place in my heart for two reasons:

1. They helped technology practitioners see auditors as a partner instead of a barrier.
2. They were the catalyst for my own personal journey to learning about DevOps, which was the first step to developing my platform for driving a better audit experience.

They build upon the first session in my list by providing the audience with a double-click into what the auditors explored there. It provides tangible examples of controls commonly seen as hurdles to implementing DevOps. It also provides a different perspective to the audience, as the speakers here are internal auditors, whereas the speakers in the first session are external auditors.

In this two-part session, technology practitioners hear directly from internal auditors how they could think differently about controlling risks under this new operating model. It also explores the advantages to be experienced during an audit of an area using DevOps practices, including decreased interruption to daily work, stronger collaboration, and fewer requests for evidence.

I recommend watching this to everyone who is stuck fitting a square peg (old ways of controlling risk) in a round hole (new ways of working and different methods of controlling those risks).

WATCH: DevOps and Internal Audit: A Great Partnership (Las Vegas 2020)
Rusty Lewis, IT Auditor, Nationwide Insurance
Clarissa Lucas, IT Audit Director, Nationwide Insurance

WATCH: DevOps and Internal Audit: A Great Partnership (Part 2) (US 2021)
Clarissa Lucas, IT Audit Director, Nationwide Insurance
Rusty Lewis, IT Audit Specialist, Nationwide Insurance
Ethan Culp, NTEC Sr. Associate, Nationwide Insurance

Why auditors do what they do

I selected this presentation because it dispels a number of myths about auditors. It is a great follow-up to the first one on my list, going beyond the myths about auditors and their impact on teams implementing DevOps practices, to instead exploring common myths about the audit profession and why auditors do what they do.

Some of the questions answered in this session include:

• Do auditors get paid by the finding?
• Are audits simply rinse-and-repeat, check-the-box exercises?
• Are auditors out to get you?

Understanding these truths (and other truths) about auditors and the audit profession also drives a better relationship between auditors and management, resulting in more value for the organization.

WATCH: From Your Auditor Friends: What We Wish Every Technology Leader Knew (Las Vegas 2020)
Rusty Lewis, IT Auditor, Nationwide Insurance
Clarissa Lucas, IT Audit Director, Nationwide Insurance

Modern governance practices

This is another great session from DevOps Enterprise Summit. It is great for both technology leaders and auditors. One of the key takeaways from this session is that it explores audit-related challenges in the software delivery process, including:

• Execution of an audit interfering with the software delivery process.
• Ambiguity around the audit process (from the perspective of those audited).

This presentation explores how technology professionals can overcome these challenges using modern governance practices. Technology leaders can watch this session to explore how to improve their own processes. I also encourage auditors to view this session, as they can learn more about these leading practices and add value to their audit clients by suggesting these practices as improvement opportunities, where it makes the most sense.

WATCH: We’re Sorry, Love DevOps (Europe 2022)
Bill Bensing, Software Factory – Managing Architect, Red Hat

The clarity of chaos

Finally, I encourage each of you to attend this year’s DevOps Enterprise Summit in Las Vegas October 18-20.

In addition to a list of phenomenal speakers who are thought leaders exploring the technology side of DevOps, you’ll experience a session unlike many others.

I, an internal auditor, will present with my client, a technology leader, sharing our experience working together collaboratively on an internal audit, implementing Agile and DevOps practices into the audit process itself. Yes, you read that correctly – applying better ways of working to the audit process itself.

This presentation expands beyond the other presentations in my list above by bringing audit and Management to the same side of the table. The presentations above are primarily given by auditors with technology leaders in the audience. Other DevOps Enterprise Summit sessions are given by technology leaders (with mostly technology leaders in the audience with some auditors sprinkled in).

What we’re presenting in this session has been compared to the Velocity 2009 session titled “10+ Deploys Per Day: Dev and Ops Cooperation at Flickr” by John Allspaw and Paul Hammond.

I can’t wait to see you there!

- About The Authors

Clarissa Lucas

Clarissa Lucas is an experienced audit and risk management leader in the financial services industry. She is also the author of "Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices", has written articles on Auditing with Agility that have been published by the IIA, and has spoken at a number of industry conferences on this topic locally and internationally.

Follow Clarissa on Social Media

• 
•