How to Hire a Code Whisperer for Financial Audits

Published on: Fri Sep 01 2023 by Ivar Strand

How to Hire a “Code Whisperer”: Finding the Right Technical Expert for a Financial Audit

As financial processes become inextricably linked with technology, the need for technical expertise within audit and assurance functions is clear. Traditional audit teams must be augmented with specialists who can look inside the “black box” of modern software systems.

However, finance and audit managers are often faced with a challenge: they know they need technical help, but they are uncertain of the precise skills required. Hiring a generic software developer or IT generalist is a common and often costly mistake. A specific and distinct profile is needed for a technical audit role.

The Technical Auditor is Not a Developer

The first and most critical distinction to make is that the skillset of a technical auditor is different from that of a software developer.

A developer’s primary function is to build. They are trained in creating new functionality, solving technical problems creatively, and writing efficient code. An auditor’s primary function is to verify. They must possess an investigative and skeptical mindset, focused on deconstructing existing systems to identify control weaknesses, logic flaws, and potential vulnerabilities. While the two roles require technical knowledge, their core objectives and professional temperaments are fundamentally different.

Key Competencies for a Technical Audit Specialist

When drafting a Terms of Reference (TOR) or interviewing a candidate for a technical assurance role, we advise focusing on five core competencies. This framework helps distinguish a true technical auditor from a generalist developer.

1. Systems Thinking and Process Fluency. The candidate’s expertise must begin with the business process, not the technology. A strong technical auditor first seeks to understand the financial workflow, the control objectives, and the fiduciary risks involved. Their initial questions should be about the “why” of the process, not the “how” of the code.

2. Database Interrogation Expertise. The ultimate source of truth in most enterprise systems is the database. The expert must be fluent in writing and interpreting complex database queries (typically using SQL). This skill is non-negotiable, as it allows for the independent extraction and analysis of data, bypassing the application’s potentially flawed reporting layer.

3. Investigative Code Review Skills. While knowledge of programming languages is required, the emphasis is on the ability to read and analyze existing code, not write new code. The specialist must be able to scan code for hardcoded assumptions (e.g., a fixed tax rate), logical weaknesses (e.g., a flawed “if-then” statement), and insecure practices.

4. Deep Understanding of System Configuration. Many of the most significant control weaknesses are not in the custom code but in the system’s configuration settings. The expert must have experience navigating the administrative back-end of enterprise systems to assess user access rights, role permissions, approval workflows, and other configurable parameters that define the control environment.

5. Exceptional Translation and Communication Skills. A technical finding has no value if it cannot be understood by management. The expert must be able to translate complex technical issues into clear, concise business language, explaining the risk and its implications to a non-technical audience of auditors, controllers, and executives.

Key Questions for the Procurement Process

To assess these competencies, consider asking targeted, scenario-based questions during the interview:

• “Describe a time you identified a significant internal control weakness within a system’s configuration, rather than in its custom code.”
• “Walk me through the steps you would take to independently verify a key financial total using only direct database access.”
• “Explain the business risk of a cross-site scripting vulnerability to a Chief Financial Officer.”

Sourcing the right technical expert is a critical investment in modern financial assurance. By focusing on these specific, investigative competencies, you ensure your audit team has the capacity to produce verification that is not just technically sound, but genuinely insightful.