One of the more recent developments in the corporate world is the advent of internal IT auditors - they even have their own institute! I think they should also have a group noun - I would offer up 'an Annoyance'.
Once restricted to the accounting world, they have recently migrated, infested might be a better description, to the IT domain. Like some invasive species they have been introduced by the bean counters into a foreign clime and they have flourished. How could they not!
The IT world does not sit well in the realm of tight controls and methodology. Developers are loath to accept tight controls; they need the calming interface/buffer that a project manager affords to relate to the outside world. "Deal with the client/customer, I just want to code" is their typical mantra. One of the main rationales for the spread of Agile methods in IT has been the manifest deficiency in requirements gathering processes and the fast pace of modern development needs. Speed, velocity, responsiveness, flexibility are the new watchwords. Not words that one necessarily associates with auditors. The oft-quoted description of an auditor is a person who couldn't handle the excitement of accounting! The same could be said of an IT auditor, a guy who couldn't handle the excitement of being a methodologist!
Now I'm not saying that auditing our processes has no value; far from it. Anything that constrains the cowboy developers is to be welcomed. Proper version control and release management are a prerequisite for a mature development shop. However, the unholy alliance of an over-prescriptive methodology and a pedantic auditor can cause havoc. The result of the union of two zealots is always fanaticism. To paraphrase Oscar Wilde, "to have one zealot might be considered unfortunate, to have two can only be described as carelessness!"
The usual result is that your development team will become bogged down in requests for information and may even become paranoid, afraid to commit to anything and demanding that everything be signed off in triplicate before anything is started. One thing that will happen is that productivity will be reduced and flexibility will be minimized.
So how do you handle this threat?
Well, the one thing you don't do is take them head on in the early stages. You aren't going to win that fight. Not at first. The right response is patience. Fanatics always overstep the mark. Nothing is ever enough; their appetite for more and more information just keeps on growing. So feed them the information, keep good records and detail all the productivity hits this work is causing. At some stage the business leaders will realize that their responsiveness to the market is being compromised by the workload associated with the internal audit.
Remember, internal audits are self-imposed costs; they differ from external audits in that they are discretionary. They can go away or be scaled back at any time. So patience is the byword and good record keeping is the method. There's no profit in auditing and bosses are judged by profits.