A critical friend in a Valhalla of IT applications

Ali joins Rabobank in 2020 from the public sector. “I was at the limit of my knowledge; I was doing the same thing over and over again. I needed more depth and breadth in my work. Since 2016, I have become vegan and thus try to contribute to a fairer and sustainable world. From that conviction, Rabobank’s mission appeals to me greatly, Growing a Better World Together. I applied for the job and did my research well beforehand. For instance, I read the financial statements and talked to some people from my study who work at Rabobank. During the job interviews, the high level of professionalism soon became apparent. And now that I work here, I can really confirm that, the professional way in which we as auditors can do our work here, is something I have never experienced before in my career.”

Where does this professionalism in auditing come from?

Ali first takes a step back in his explanation: “Look, what we actually do is assess a process. We look at the risks within a process. There are control measures in place. We assess whether those control measures sufficiently cover the risks. In this way, we hold up a mirror to the organisation and suggest improvements. And that’s all it is. But the good thing is, within Rabobank we have an organisation-wide risk and control framework, called Archer. We as audit also register all our audits in Archer and assign an owner and a significance for each finding. The significance determines the period within which the owner must resolve the finding. If the solution is not found, then we can escalate this to a higher level via the application and periodic management discussions. Up to the Group Management Board. All risks and controls of the organisation are in one application and all have an owner; that shows a high degree of professionalism. I have not seen that anywhere else.

Is that part of the culture within Rabobank?

Ali continues, “In my career, I have experienced that when certain findings remain at too low a management level, nothing is done with them. At Rabobank, you see that everything is recorded in Archer in a very structured way.”
“At the same time, the culture within the bank is very open and friendly. Informal. During my job interview, I was wearing a tie. I had expected a very business-like conversation. My future colleagues on the other side of the table were neatly dressed, but without ties. So it didn’t have to be so business-like. The conversation was also very friendly. It gave me even more confirmation that I wanted to be part of this. Once I started, I noticed the same pleasant atmosphere in the meetings with the auditees. Rabobank is really a nice environment to work in as an auditor”.

What is your job like as an IT Auditor at Rabobank?

“There is still so much I can learn within the bank as an IT Auditor, I am really in a Valhalla here when you look at the application landscape and the IT architecture of the organisation. I think I will still be able to perform varied audits here in 10 years’ time.”
“Our IT landscape is enormously complex. We have operating systems from Windows to various flavours of Linux, but also older mainframes. As IT auditors, we look at the various layers of the architecture and the risks and control measures within them. The investigations range from audits of various applications, the network, cryptography, information security and many other interesting topics. We are also switching to cloud environments and dealing with subjects such as cyber security. I have to keep my knowledge up to date in these areas. As an IT auditor you have the task of continuously developing yourself. For example, I am now working on getting my certification for Certified Cloud Security Professional.”

This is done from a training budget for IT auditors?

“Rabobank offers various possibilities in this respect. Together with your manager, you determine the areas in which you want to develop. You get the space to make your own choices. We receive an annual personal training budget that you can spend on a course that you want to develop in your field. It is also possible to save up this budget for more expensive training courses. We organise internal training sessions and we have a summer school. We give each other training sessions on our own areas of expertise. I’m currently working on Cloud Security, but you can just as easily develop further in data analytics or culture and behaviour, for example.”

Culture and behaviour? For IT audits?

“Definitely! We believe that culture and behaviour are important for controlling your IT environment. We pay attention to the cultural aspects of a department during audits. In this way, we look at whether there is a cultural aspect that underlies certain findings. A cultural aspect could be that someone experiences the processes and guidelines as unclear. If we then have findings on the implementation of that process, you can indicate in your advice that the guidelines should be communicated more clearly.”

Ali talks about his findings in data centres. A place where he can often be found. “Suppose I’m at a data centre and I see a certain door open that actually shouldn’t be open. I can choose to report this in my findings: the door is open without permission. Or I walk up to the door, see what’s going on and give a practical advice to the auditee. Make sure you replace the lock, fix the hinges. Then he immediately knows what he has to do to solve the problem. They are small things but they do add value.”

Communication skills for the auditor

“It is one of the skills you must have as an auditor: the ability to have a good conversation. We take a look in someone’s kitchen, we tell them whether something is going well or not. If you communicate in black and white, it can clash. Your powers of persuasion, communication skills and judgement are important. In doing so, you must remain objective. This is easier said than done, because there are grey areas. How do you deal with certain circumstances? That’s where your professionalism comes in.”

The auditor as critical friend

“My main motivation is to be the critical friend of my auditees. That’s how I add value for others. If I see that we can improve something together, that just makes the bank better. We make each other better and that’s what gives me energy, that I can contribute to our organisation, its vision and mission.”

Visiting Amazon and Google

Visiting Amazon and Google
“As an IT Auditor at Rabobank, you have the opportunity to carry out audits abroad. In the autumn, this is done by the CCAG, Collaborative Cloud Audit Group. This is a partnership of various European banks and insurers. The members make auditors available to carry out audits at Google, Amazon and Microsoft. You won’t get this opportunity anywhere else. It is actually the ultimate dream of an IT auditor. I am allowed to look into Amazon’s kitchen and carry out an IT audit of the various IT management processes, such as their Identity and Access Management. Then you really are at world cup level.”

Ali is sure of it after 2.5 years as an IT Auditor: “If you are looking for a real challenge with an enormous variety of work, broadening and depth, then you are really at the right employer, at Rabobank.”