Quick thoughts on development aid

Development aid is not about punishing people. Not our own people, not our beneficiaries. It should never be about guilt, or about a debt owed. It should be about using our intelligence, our creativity, to make the world more inclusive.

It should never be about the typical Catholic rap of: "you should feel bad because you have it so good." We need to look at all possible ways of bootstrapping our beneficiaries, pull them up to where we are, and continue together, beyond where we are now. Fundamentally, it's about leaving this place a better place because we've been in it.

We should also dare to be open for the non-traditional solution, which may not perhaps be on or right next to the trodden path. As Robert Frost so eloquently wrote:

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.

You know, I've never really known whether this was a positive or a negative poem. But perhaps life is like that.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Some ideas on democratic administrations (updated)

There is a old "new" management wave roaring through the organisational straights again, and it is lapping up on the shores of public administrations. I'm talking about the workplace democracy model that was made famous by the success of Brazil based Semco in the 1990's. The general idea is that reducing management in favor of direct decision making by the collaborators themselves will significantly increase performance without sacrificing efficiency, effectiveness and compliance. The Semco experiment has shown this model can work in a for profit environment, where the participants stand to gain from maximizing their own input as it translates directly in monetary values. The question is whether this model would also function in a public sector environment.

A more fundamental analysis of the uses and issues with such a model in a public sector environment is probably an excellent subject for a doctoral thesis. I have no data to support or reject the use of this model, other than some narratives which are, as evidence goes, rather limited. But there are a number of factors which we need to consider when implementing this type of model in a public sector environment. Let's consider a few ...

It's not your money

Problems with workplace democracy in a for profit environment directly impacts the collaborators themselves, as it hits their personal bottom line. They have a direct, tangible incentive to correct problems because they stand to gain less if the issues are not resolved in a timely manner.
In a public sector environment, the money is not theirs, or not theirs directly. The tragedy of the commons problem will tend to occur, where key maintenance activities - I consider internal controls as maintenance activities - are neglected to get the most use out of the available means without considering longer term impacts.

Corruption and fraud

When a person actively abuses means from a for profit organisation, he harms the shareholders. These shareholders are those colleagues around him. These people have - under certain assumptions - a vested interest to ensure that the abuse does not take place. If the direct (financial and other) benefit of participation is significant, participants will automatically tend to curb free rider behavior of one or more players. You will have some misuse, but it should not, in principle, dominate.
However, the same Nash equilibrium will not necessarily be reached because the circumstances are fundamentally different. The pay-off for each of the participants in a public sector context is quite different from that in a for profit context. The risk of abuse of public means may be significantly higher.

Need for strategic audit

Some of the proponents of the workplace democracy idea would like to do away with control and audit, because self-regulating organisms regulate themselves. There would no longer be a need for such control and oversight systems. That may be taking that particular turn at too high a speed, however.
Self-regulating organisms either regulate themselves, or die. If they die, they die because their particular solution is not adequately adapted to the circumstances on which it was brought to bear. Hence, we need to ensure that the circumstances for workplace democracy in public sector are adapted. To me, and subject to significant further research, this would mean having adequate internal control systems as well as clear governance in place, including internal audit structures, to ensure that the taxpayer's money is used in the most effective and efficient manner for the intended purposes.

Update - responsible autonomy

A good friend and reader mentioned the following article on wikipedia on responsible autonomy. What I really like about the article is that it does mention the need for "clearly defined boundaries at which external direction stops".

If we consider this, the need for an independent and objective group of people, such as auditors, to assess both the relevance and the continued compliance with those boundaries becomes very obvious indeed.

Internal audit can assess whether circumstances validate for example an extension of the boundaries or, on the contrary, require a contraction of those boundaries. Factors need not only be internal control issues, but may also be related to external factors changing. These factors could be identified through risk analysis, for example.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Marketeers all the way

Turtles all the way

There's this story I must have read in one of Terry Pratchett's wonderful diskworld novels. In a conference open to the public, a scientist is approached by an older lady. She contests the round world hypothesis and points out that the world is a disk, carried on four elephants, who stand on the shell of an enormous turtle. The scientist then asks her what the turtle stands on. To which the old lady replies: "Sir, that's a faulty question. It's turtles all the way down."

Looking up and looking down

Look down. On whose shoulders do you stand? And how high is that piramid that is holding you up? Are you more towards the bottom, groaning under the weight of those above you but with some sense that if, no, when it will all come falling down you will not get hurt that much ... or at least not from the fall? You may still get crushed, but that's another problem. Or are you dizzy with vertigo from the height you find yourself at? Quite a way to fall, isn't it?

Look up. Who are you holding up? And why are you holding them up? Is it just because they are above you on the corporate ladder? Or is it because all of you together get rich of some poor productive soul all the way down there, at the bottom of your particular piramid? Do you feel obliged to hold those above you up, or do you expect they will do something for you?

I believe there are a lot of organisations that have redundant management layers. They strive to maintain their existence by growth and create redundant management layers while doing that.

The piramid of power

Sometimes I look at a structure, at an organisation, and I wonder who is actually doing the value added work. This, by the way, is not a new thought for me. I had the same worries when I was part of one of the big 4 audit & advisory firms. The piramid is a piramid of power, and it is very apparent in such structures. The grunts are doing all the menial tasks, the experts are in the middle, being worked hard and supported by the grunt, and those people on top ... well, with some noteworthy exceptions, a lot of them are first and foremost marketeers, selling the wares but not really performing much of the work. The revenue models used in those organisations do not allow those high cost profiles to be deeply involved with the work.

That being said, the audit & advisory firms are still among the most flat organisations out there. Look at other hierarchical organisations. There are still a lot of those around. There are those producing the stuff that is actually brought to the market and then there is the entire superstructure surrounding that product and how it is being brought to the market. A lot of organisations have turned into administrations. Even organisations with initially lean objectives turn into administrations very, very quickly, if left unchecked.

But we need managers to coordinate the work, I hear you say. But do we?

Proximity was essential, once

It's a simple question, is it not? We needed managers once. The owners needed profiles that were capable of growing the business without an inate need to take over the entire company. Perhaps even more telling is that the move from the home, where most production was done in the 18th and 19th century, to the workfloor in the mid to late 19th and early 20th century was predicated by the proximity to a unique and highly expensive power source. That source, most often a steam engine, powered many machines. Not being close to that machine meant not getting any work. And work paid wages, and wages put food on the table. No wages, no food, no future.

The hierarchy was a means to control larger structures. Given that the optimal number of direct reports is somewhere between 5 and 10 people (I've often heard it put at 7 people), controlling large production structures became a question of layering enough. Communication then was face to face communication, often accompanied by show and tell. We call that on the job training now. In that day and age, the only way to do the work was using this model.

Old solutions are no longer relevant

Times have changed. We are in the internet age now. With some noteworthy exceptions, mainly on mainland Africa, power sources are available and power costs are going down more then going up. And it is not just that. Communication has been modernized too. There are a myriad of ways to communicate with each other. The use of hierarchical structures where people talked to people who in turn talked to people is no longer required. The problem is that the hierarchy apparently did not receive the memo yet.

Now, rather than assisting organisations in taking the next step in their growth, in the next step in their evolution, those hierarchical managers are preventing the organisations from doing that. They are now, more than ever, the overhead. And you know what is so dangerous about overhead, right? Well, it usually is over your head. Which puts you at risk when it will eventually will come tumbling down.

And unless organisations, especially hierarchical administrations get the message, we run the risk of incurring significant costs of organisational destruction and clean-up. Because marketeers all the way down is not a viable, sustainable situation.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

The death of information asymmetry

Alcoholism and opium

As I understand from my sparse reading of the history of the beginning of the last century - the history of the industrial revolution - many people were left at a loss what to do with their lives once the industrialisation took hold. This led to for example a high degree of alcohol and opium abuse. A large part of a generation was lost.

Change happens

I've seen similar scenes, albeit on a much smaller scale, when I was working in Eastern Europe in the middle of the 1990's, as an auditor. A generation of Eastern Europeans, fresh from UK and US universities, came back to their fatherlands and made redundant an entire generation of traditionally schooled "managers".

Change happens, and change impacts us all, some more than others.

Access to information meant power

The same is happening with the internet. And that change is impacting the layers of management whose sole purpose was to transfer and synthesize information. Their role was essential in the past. Their role was extremely powerful. Some people had and hoarded information. Hoarding information meant controlling access to that information. Fundamentally, information was power, and determined position. If I knew something you did not, and if you were willing to pay for that information, I had a business model. Taken one step further, if I had information you needed, I had power over you.

The role of information managers

Information hoarding, or information "management" - because hoarding is such a bad word - became a thing. We had knowledge managers, people whose sole purpose in professional life existed in identifying sources of information and providing them to us. Some of that information existed freely in the world. Some of that information was behind paywalls, in walled gardens. Some of that information did not exist at all.

Internet meant free availability of information

Enter the internet and the evolution of passive information gathering tools. As an information user, I no longer have to go look for a lot of information. If I take the time to adequately set up search queries and alerts in different services, the information will come to me as soon as it is available.

A generation unfamiliar with the tools

This poses, of course, a number of other challenges, and a number of potential linked business models. First, there is an entire generation that is not necessarily familiar with the available tools. These are the current 35+ somethings. They did not grow up with the internet. The whole thing is new and slightly alien. These people need to be trained in what information can be found where, and they need to learn how they can set up notifications.

Drinking from the fire hydrant

The second challenge is the most important one, and one that will likely stay and increase further. We are not capable of dealing with the information fire hydrant that has been switched on and that keeps pushing information in our faces. If we dare to put our face in the streaming water, we risk getting knocked out by the sheer force of the volume of information. How do we ever make a choice in what to read and what not?

g! Scott Hanselman talk webstock, in his excellent talk on personal productivity, has a great suggestion. He suggests to find appropriate information aggregators. These are people or organisations in your field that assist you in reviewing the information and synthetizing it to a point where the time you invest in reading it pays of. Of course, some will say, what is the difference with the former knowledge manager?

Information provider independence

That difference is very simple: he or she is no longer embedded in your own organisation. He has no direct value in shielding certain information, in hoarding it. Rather, the aggregator is in constant competition with other aggregators. To be a sustainable business, he needs to be the best quality aggregator around.

The information aggregator as a business model

So here is a prediction: the growth of the aggregator we see in certain industries, especially the tech industry, occurring, will start to occur in other industries as well. Content aggregators will start to appear in other industries as well, not motivated by the hold on information, but motivated by bringing you the best available information as soon and as complete as possible.

We did not eliminate the middle man. We converted his role and made his function a business model all by itself. Interesting.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Kourosh writes again

The approaches ...

There is GTD, and 7 habits, and scrum, and many more approaches, for lack of a better word, which aim to help us with our personal productivity. I for one started with 7 habits and graduated to a personal adaptation of GTD with some agile put in there to ensure I actually produce instead of tinker.

The science ...

Then there is the science behind the approaches. One such study on GTD done at a Belgian University (pride!) explains how GTD actually works.

The understanding

And then there is deeper, almost intuitive understanding of the subject matter of personal productivity. It differs from the science in that it resonates at a deeper, more essential level. It may be storytelling about science, and perhaps less exact, but it leads to a fundamental comprehension of how personal productivity approaches work. And one such book is Kourosh Dini's Workflow Mastery - building from the basics.

A comfy blanket

For those not familiar with Kourosh' work, he is a psychiatrist working out of Chicago who has written and blogged extensively on personal productivity. I for one feel we need to reserve a special place in our hearts for people working out of Chicago. I would likely be wrapped in large comfy blankets the entire time, not getting any work done.

Deep resonation leads to deep understanding

All kiddin' aside, Kourosh provides us in this update - actually, it's an entire overhaul - of his original book with some very deep insights into what is behind personal productivity. It goes beyond that. When I read an advanced draft version of the book, I was struck by how deeply the content resonated with me and felt true at an almost intuitive level. It makes sense, in that it comes very close to making clear why we function how we do when we aim to achieve a higher personal productivity. And that approach, more than many approaches I've read and studied before, actually allows you to enhance your current workflow.

Not for the uninitiated

This book may not be the book for the uninitiated in GTD or any other personal productivity approach. For that, I would suggest you go and read David Allen's GTD or Covey's 7 Habits. However, if you have a personal productivity workflow - as I assume most of you have - this book is most certainly worth reading, because the deeper understanding it leads to will allow you to both better understand your own ways of working and allow you to tweak and enhance that approach.

A carefully crafted piece of a master

In addition, and that alone is worth the price of admission, Kourosh writes beautifully. As a non-native speaker of the English language and schooled in traditional European languages such as Dutch (close to German) and French (close to, well, French ;-)) I adore well crafted words, sentences and paragraphs. Kourosh almost composes an intricate piece of music when writing. Which should surprise given his background as a classically schooled pianist and musician.

Mindful at its core

It also shows you that the practice of mindfulness, which is ever present in the book, leads to amazing results. The book, clearly written in a very mindful state, exudes the benefits of mindfulness by its very nature.

If I seem to be very enthousiast about this book, well, I am. Kourosh contacted me a couple of months ago, when he was in the final stages of writing this book, and asked me to reread it. Which I did, and I learned a lot along the way. Some of my practices started to make sense. And I most certainly started to practice a significantly more mindful attitude. Which is highly conductive to higher and especially more relevant performance.

A free update for owners of version 1

For those who purchased his Workflow Mastery book before, this entirely new book is a free update. For those who have yet to purchase it, go do it now and read it. It will be well worth your time.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

A lean government needs strategic internal audit

In the short period of 1999 to 2003, the Belgian federal government was making some real progress, at least conceptually, in improving its functioning. The Copernicus reform, which eventually failed, had some essential ideas on how to turn the Belgian federal public sector into a (reasonably) lean organisation.

Come the 2008-2009 financial crisis, and we find a federal public sector that no longer wants reforms after what it suffered through under the past reform. But what it wants is not relevant, as it is forced into significant restructuring of operations, because the money is no longer there to support what many stakeholders (the population) believe to be bloated institutions. But rather than a concerted, structured effort to optimize and make the government organisations lean, cuts were being imposed across the board, with little consideration for efficiency and optimizing service performance. Many inside of government believed we no longer had the time to critically assess and optimize, we just needed to reduce expenditure. No one believed there were change agents in place to guide government services through this optimization process.

The notion there were no instruments of change available to ministers in 2009 is incorrect. Even more, these agents of change reside inside of the administrations and can assist in making the required analyses to optimize the cuts. Those resources are called internal auditors. But right now, they are not used to the maximum extent possible.

Why are the current crop of internal auditors not ready nor used? Because, not always by their own will, they have been limited in scope to just their role in internal controls assurance. This is a traditional internal audit role from the early 1980's and modern internal audit departments have moved far beyond that role.

Let's examine what internal audit could offer to a public sector that has all but forgotten about it.

Assessing the effectiveness

Once certain "new" public sector tools are structurally put in place, such as management agreements - tools currently already being used by many state owned companies - internal audit can provide reasonable assurance on the effectiveness of the government entity in reaching the strategic and operational objectives as defined in the management agreements. Effectiveness is about doing the right things. Internal audit can provide the key stakeholders of the federal government service, usually the minister and his cabinet, a reasonable assurance on whether the government service's management team is actually doing what it is supposed to be doing.

In addition, this work allows the management team to communicate, through internal audit, about the incompleteness of such management agreements. If a government service is doing a lot of work which is essential but not adequately represented in a management agreement, perhaps the agreement is incomplete. Or perhaps the federal government service is doing work that is no longer deemed relevant.

Providing key stakeholders with information about what the auditees are actually doing as compared to what they are supposed to be doing is a core competence of an internal audit department.


If effectiveness is about doing the right things, efficiency is about doing things right, in the correct and ideally in the most economical manner. This is important for government administrations as they need to provide the same or better services to their stakeholders in a reality of reduced budgets. Internal audit can assess the efficiency of government operations as well, by benchmarking activities. We're actually missing a wonderful opportunity to cross benchmark administrative services which are comparable across different government services, and looking for good practices.

But what I have described thus far is a quite traditional internal audit, in both public and private sectors. While these assessments bring true added value, they are but the top of the iceberg when considering what internal audit can bring to the table. Which is why it is quite surprising that some of the assessments described above are not executed by internal auditors, but by external consultants, whose added value in process improvement if not adequately immersed in the organization's culture is limited at best.

Internal audit's tactical added value

Internal audit has a role to play in risk management. Attempts have been made to implement the concepts of risk management in many organisations, among which some of the federal public sector organisations. I co-authored one of the methodologies which was en is still used in several public sector entities. The problem is that risk management has not reached the level of maturity which sees it taking its place among other management tools, such as balanced scorecards and key performance indicators. There is a lot of talk about risk management, but only limited action.

Internal audit, however, has traditionally used risk analyses to plan its short, medium and long term audit activities. Risk analyses scan for risks within and around the organisation by using a combination of questionnaires, self assessments, historical data and, most important of all, common sense.

Risk management assumes an organisation is a car, not a train. It needs frequent tugs at the steering wheel, and if a corner presents itself in the road to the objectives, action needs to be taken.

Internal audit is allowed to take on certain roles in assisting the organisation in implementing risk management as a true management tool. It'll no longer be internal audit in the crow's nest, without binoculars, screaming 'iceberg' just a minute too late ... rather, the entire organisation will be aware of the fact that no matter how well designed your internal controls, there are problems out there that may not be resolved by putting in yet another internal control.

Internal audit's future: a strategic added value

But creating awareness and teaching people to look around before engaging as an organisation is not where internal audit's responsibility should end. After all, knowing something big and bad is heading our way is not enough to avoid it. I believe internal audit has a responsibility to assess the adequacy of an organisation's governance structures to evaluate it's respons readiness to the evolving situation on the road to achieving its objectives.

For a long time, we believed that governance, the foundation of the organisation, should be cast in stone. But recent experience has shown that the only certainty is uncertainty. No one structure is capable of dealing with all eventualities.

Internal audit, with its deep knowledge of the organisation has a responsibility to provide its stakeholders with insight in the adequacy of the current structures in responding to risks as well as providing recommendations on how these governance structures would best be adapted to most adequately respond to these risks.

By providing these insights to stakeholders and management team alike, internal audit will really live to the fullest its strategic role.

It also shows why internal audit should never be too far removed from the organisation it's auditing. The auditors are (currently still) there. Why are we not using them?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

My bad time travel habits

Two books I've read in recent months made me acutely aware of my bad time travel habits. I know, it may come as a shock I can travel through time. It most certainly surprised me. You may believe it's a gift, but it is really more of a curse.

Now, before we go any further, I carry some bad news I really need to share with you: you are likely cursed with the same affliction. I'm quite sure you travel through time as well, and not in a good way. I understand that in order to proof that, I first need to show you that we can travel through time and actually do pretty much all of the time. Let's go.

Frequent time travel can and will hurt you

But perhaps not in the way you think it may. This time travelling business is not about travelling back in time and accidentally killing your dad resulting in you never being born in the first place. That would be a paradox. Paradoxes are not real. They exist only in your mind. keep that thought on mind and paradoxes for a minute while I explain something else first.

When are you?

Now, I would like to invite you, right now, to think about when you are. Not where you are, but when. Sounds confusing? Let me give you some examples:

I often find myself 5 minutes, a couple of hours or even a couple of days in the future, thinking about what I will be saying to someone, or how I will be dealing with a difficult situation or a reluctant audit client. Rehearsing how I will act in a meeting, and what I will say.

While I may not physically be there, or rather then, for all intents and purposes my mind is. Let's compare it to a feeling most of us are familiar with. You can drive your car and go through the motions of driving without really being present. Your life is on automatic pilot, while your mind dwells somewhere else. Be honest, how often have you caught yourself doing just that?

Sometimes I find myself back in the past. I am be thinking about what happened in a meeting, or during a discussion, or during the execution of a specific audit activity. And if it was a particularly difficult meeting, I will go through it again and again, considering the reactions of the people present, trying to understand what they meant, chewing over what I said and what I should have, could have said ... over and over.

That again illustrates a pretty typical situation in which I am not now but rather back then with most of my mind. What is now is just my body and some of the basic functions that keep me alive. My internal collision avoidance system, so to speak.

Being somewhen else makes sense some of the time

Let me be very clear: none of these actions are bad for me if they occur at the proper place and time. For example, thinking about a presentation and rehearsing it can be a part of preparation. Thinking about what I still need to do for a specific audit may be part of planning. Reflecting on what happened in a meeting yesterday may be done in the context of dealing with my notes and next actions, while I'm working through my backlog. That's often called processing. In those instances it makes sense to not be now, but somewhen else. But those blocks should be limited. And to most people, they are not.

The transparant sauce pan lid of the mind

The problem is we often fail to give these thoughts and ideas the appropriate time and place to begin with. And of course that does not make them go away. Rather, they tend to bubble up through our minds. Mind is not necessarily the wonderful instrument that most would want you to believe, right?

Our minds are like a transparant lid on a sauce pan in which a sauce is merrily bubbling away. When the sauce is starting to get warm, you can barely make out the surface through the mists of condensation. And then it gets hotter, and hotter, and hotter. You cannot avoid the bubbling of your unconscious, but if you don't turn down that heat by using a couple of specific techniques, the bubbling will eventually lead to sauce spattered all over the glass lid of your conscious mind. Your mind will react and try to wipe the stains away. It will consider each of the stains. It drifts off to somewhen else. And if the heat is particularly high, there's going to be a lot of spatter. Lots and lots of reasons to be somewhen else.

Being in the zone

It is not all negative. You, like me, have periods when you are now. Those are the periods of deep, concentrated production. The moments you are "in the zone".

For me, for example, I get in the zone when I am writing, like I am now. I have my notes, I have what is in my head, and I write. I also am now when I teach. I've taught classes when I didn't even notice how time progressed.

These are the moments you are deeply focused and actively present. You are fully aware and in tune with what you are doing. That can be your text, or your class. There is no sensed passage of time, there is just now. There is no consideration of things outside of my awareness. There is just what I feel, which can be a group of people or a concept I am trying to catch into a set of words. It may even be something entirely different.

We're learning to ride horses. It's a fun family activity. While initially there was a certain apprehension - horses are very big up close - I've been relaxing into it, becoming somewhat aware of the fact that there was a silent participant in all of this, the horse. By the way, it's a she, and she's called Fox. Last weekend, I fell off. I did. Actually, entirely through my own stupidity, I was more or less catapulted off when learning to properly gallop. Now, I had been very focused on things going on around me, especially behind me, where my wife and kids were riding and where there were discussions going on (my kids are rather vocal) ... and then suddenly I was now, in the dirt, after having flown a couple of feet. I got back up on the horse ... and became very aware of how she had become scared by what had just happened. I could feel, really feel her insecurity. What then happened was the best gallop in my very short career gallopping. Because I was fully and totally there, entirely committed.

Now is the only moment

Now is not a moment. Now is the only moment. All the rest is what we believe was or will be, and it is tainted by mind projecting through very strong filters. Now is when it happens. Only now. All time spent anywhen else but now outside of specifically assigned spaces for such reflection is wasted time.

Techniques to manage the heat

I'm coming back to my sauce pan. We need to control the heat. There are a couple of techniques that assist you in doing that which are relevant here:

One of them is David Allen's weekly review, to which I've added David Sparks' daily review. These well known GTD practices help you to both look forward and look backwards in time, serving as a very good basis for planning.

About the second technique: I'm always surprised on how much of the sauce splatters I consider during the review actually get discarted. They were noise in my system, things I believe I needed to react to, but really did not have anything to act on or to work with. Still, it would not pay to simply discard these feelings, ideas, frustrations and whatever. That's why I like journaling so much as a technique. My weapon of choice here is Day One, an excellent Mac and iOS app, but you can use any tool you want. Writing in my journal allows me to consider what happened in the past day, and how I see that figuring in the broader scope of my life.

Constructs of an over active mind

Now, remember those paradoxes that only exist in the mind? The past and the future are constructs of your over active mind as well. Best to dwell on them within the correct context, but not to give them free reign, because they will distract you from the now. When you are in the now, you are no longer aware of time. Ask any athlete that is operating at peak performance ... but also look at yourself when you are at your best.

And now is the only moment you have to do something, to produce something, to do the work. Spend as much as you can in the now. So get to it. Now.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Are you a contract killer or a primary care physician?

The contract killer

I've known quite a few internal auditors who took pride in the number of people they managed to take out as a consequence of their audit reports. The arguments? Most often they argued the people had failed to do what they were told to do by the procedures. Or they considered the people to be incompetent or bent in many ways. Whatever reason they felt justified them in approaching their job as they did, to me, it is still fundamentally the wrong way to look at our profession. Because we are not contract killers. Rather, I believe we are the primary care physicians of businesses. Let me explain.

A small town doctor

I would like you to think about a typical small town primary care physician. Yes, this is an older gentleman or lady, wizened with the years. This is someone who knows you and your family intimately. Perhaps they even assisted delivering you to this world. That's the type of physician I'm talking about. Well, a good internal auditor should be like that.

Closeness breeds understanding

A good primary care physician knows you and has known you for a long time. A good internal auditor knows the environment he or she is working in. They know it intimately. They live in it, they work in it, they breathe in it. They are not entirely part of it, there is a significant and necessary amount of independence there, but they are very, very close to the organization.

By being so close to his or her patients, the good primary care physician cares deeply about them. Likewise, by being so close to the organization, the internal auditor cares deeply about it. We care so deeply about it, that we can be very harsh if we see significant failings that may threaten or significantly harm the organization. While a doctor may care about seeing one of the young ones of the family take up smoking, we may care deeply about a repeating pattern of procedural neglect in a certain area. Being harsh in our reporting is often a way to deliver a clear and concise wake-up call to the organization that has lost its way.

Forgiveness encourages evolution

A primary care physician is also forgiving. When he sees marked improvement, because someone is consistent in taking their medicin and doing their exercises, they will consider that as a positive element come the follow-up exam. The internal auditor, even seeing that everything is not A+ yet, will be considerate for the department that really made the effort to implement certain recommendations, even if they are not yet fully implemented yet.

Deep understanding creates perspective

A good primary care physician is close to the family, and knows the family stories and the family crosses. Some things need to be known, but only on a need to know basis. An internal auditor, confronted with some issues from the past that were correctly resolved, bears no grudge. It is not about what happened in the past, but what will happen in the future, taking in account everything that has happened in that past. This requires a deep understanding that many a hired gun - a contracted internal external auditor - does not have because he will never have access to that information. A good internal auditor engenders trust and earns it.

Awareness leads to relevant action

A good primary care physician also knows when to call the ambulance and transfer the emergency care to a specialist. An internal auditor, when confronted with a significant problem, will likewise immediately alert the correct people at the board level or even beyond. Some problems cannot be solved by internal controls, good risk management or governance improvements. However, that does not mean the good internal auditor hands over and lets go. Rather, he remains close and makes sure that the organization is comforted and supported during a difficult period.

Communication shines a light on issues

A good primary care physician communicates well, because he or she understands that communication is one of the most important keys to identifying whether something is wrong. A good internal auditor understands the value of excellent communication as well. The best among the internal auditors know that something is wrong in the organization because they feel the change in the air before someone has even communicated something to them. That's experience.

A quick illustration

One of the key reasons for auditor independence is auditor objectivity. Think about that primary care physician now. He is close enough to the organization to objectively and with some measure of emotion assess that something is wrong. He is not taken by emotion in a way that it prevents him from functioning. Rather, he is the one that calls the ambulance when everyone else around is crying and wandering around aimlessly.

Much in the same way, the great internal auditor knows something is wrong but remains able to act and to assist the organization in getting all of its proverbial ducks in a row. He does not drown in the organizational emotional fear, but remains detached in such a way that he can advise on the most appropriate actions.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Death of The Manager

Examining my dictionary

What is a manager? My dictionary states that a manager is:

"a person responsible for controlling or administering an organization or group of staff"

But there is an implicit assumption here, which is the following: that an organization or a group of staff need managing. And that's what it used to be.

The traditional paradigm valued its human resources at replacement cost

Our traditional production paradigms dictated a structure of managers to keep the resources well organized. The resources, those were the inputs, the machinery and ultimately the ones using the machinery to produce something, anything. Which were the workers.

Sadly, in that scheme, the workers were easiest to replace. Machines cost money. Firing employees, especially blue collar employees, not so much. Resources cost money. If those resources are reasonably rare raw material, their price fluctuates with any market that cares to provide them. But you can always find more people.

Education was and still remains a trap

Education became a trap for many people. In my opinion, and I'm very opinionated about education, it still is to an extent. People were being trained to be good little production units, standardized, easily replaceable, easy to manage. What was seen as a way out of the poverty trap many blue collar workers had been caught in, turned out to be a lifelong commitment to the McJob. It paid good money, but it remained a trap nevertheless.

Becoming one of them

The ultimate promotion that could be had, was to become one of them. One of the ruling class. One of the managers. You needed higher education for that. And higher. And higher ... master upon master upon master, with requirements skyrocketing. All these qualifications apparently required to rise to a level where you could manage the McEmployees in their McJobs. Each single unit of work had the potential for a number of productive years but was easily replaceable if needed. And that replacement was performed every time the employees became too costly. Or too unruly. Unions were formed, but turned out to become companies on their own, with their own employees who held on to their jobs. And even the managers turned out to be McManagers, reporting to another McManager higher up in the hierarchy, each of them as easily replaceable as the next McManager. Tower of Babel, anyone? Because at the end of the day, each McManager is a McEmployee as well, and holds on to his McJob for dear life.

Where is the added value of the manager?

There is a problem with all of this: the hierarchical chain responsible for controlling or administering that organization does not deliver a significant added value on its own, but they do cost a lot just to control or administer. They used to coordinate workers in order to deliver products and results. That system, when pushed to its logical extreme, led to Just In Time resource delivery to Just In Time production lines which fed large shopping malls which wanted to hold as little inventory as possible and used Just In Time delivery to the store. To a large extent, the world, which is a consumption oriented world, still functions like this. But we are realizing more and more there is little to no added value of the manager other than coordination.

The decreasing need and relevance for coordination

And that coordination is becoming less and less relevant today. Higher and higher baseline education levels mean that many more people understand what they are doing, even if they work on a conveyor belt slapping small thingies to other slightly larger thingies. And they are not the only ones.

The first real enterpreneurial generation

The really creative work is no longer being done in large businesses, but by knowledge workers who are by nature more self managing than most professions we ever had, during the entire human history, other than true enterpreneurs. They constitute, perhaps, the real first enterpreneurial generation. These knowledge workers use a true multitude of online tools to find each other, addressing needs they have not by finding the closest available person that can do the job, but the best available person anywhere in the world.

More leadership, less management

The role of the person responsible for controlling or administering an organization or group of staff, the manager, is becoming redundant. We no longer need any managers. We need visionaries that will provide direction for the engaged, independent knowledge workers, who will create ideas, solutions, products that self-governing teams of skilled workers will build, not because they have to, but because they are interested in it. The key motivational components so eloquently described in Dan Pink's excellent book Drive will not just power the educated knowledge worker, but the traditional blue collar worker as well.

Death of a salesman

But it will mean the death of the manager. I imagine that death a bit as a scene from Arthur Miller's Death of a Salesman. No longer relevant, the manager will try to hold on to unrealistic dreams and expectations, and may even try to influence just one more generation. I believe we need to start providing for these people, and ensure they have a good home for their retirement, because we owe them that much. What we do want to avoid is that they crash their cars, like Miller's main character does, killing himself with all good intentions.

And our organizations will need to start to adapt to that inevitable change.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Context reporting

Another link to an absolutely worthwhile article.

Michael Lopp offers an excellent suggestion in the following article on context reporting. He suggests:

"A context report documents the reason why (and to a lesser extent how) you’re completing these actions and I suspect this information is far more useful to everyone involved."

I invite you to go through the - extreme - examples he suggests. I for one can see some significant added value coming out of this approach, and I'll seriously consider using this as a value added recommendation whenever I come upon communication efficiency issues in an audit.

Which, as seasoned auditors know, is pretty much every audit.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Questions to consider when choosing projects to support and fund

I'm very deep into some work and have limited time to blog, but that's an excellent opportunity to refer to work done by some great writers and thinkers, in my specific subject area.

Here is an excellent article by Simon Perks, a former colleague of mine, who is now working out of his own organization (respect, Simon!) on elements to consider when making choices about projects.

What he writes rings very true. Considering feasibility, I often feel people want projects to achieve desired outcomes, and that want replaces a calm, careful and concise assessment. Well, it should not. We need to remain aware of significant biases in decisions and not let too much emotion creep into the decision.

By the way, do visit Simon's excellent blog at his site, here. He has more excellence where that came from.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Risk versus risk sources

It has been quite a busy week, so I've not been able to write for the blog. I have, however, been reading a lot.

While it was not primarily on my agenda, this article on risk management caught my eye. It makes a concise and very clear distinction between risks and risk sources. A recommended read!

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Some thoughts on note taking for internal auditors

There is a lot of information available on academic note taking

Good note taking is a craft all by itself. Look at any website of any itself respecting college or university and you will find at least one class on advanced note taking skills. Do a search on the web and you will find many a pdf and even youtube videos demonstrating the essentials and even the more advanced aspects of note taking in an academic context. Clearly, note taking is important.

Most of these courses focus on capturing information gleaned from monologues for the purpose of understanding and learning. And that is logical, because undergraduate and graduate students alike need to attend lectures, most often delivered by a person in front of a class room.

But there is little information on note taking for internal auditors out there

But would it surprise you that there are few, very few results for a search as simple as "note taking for internal auditors"? There is this exchange on LinkedIn by the ever excellent Robert Berry, with both the article and the comments providing insight in techniques. Still, that is pretty much what is out there. And that's a shame, because I believe note taking for internal auditors is a lot more complex than traditional note taking. Let's explore why for a minute:

Notes need to reflect what was said

Internal audit note taking needs to provide an accurate reflection of what the auditee said, not of what the auditor thought he or she understood. This is important because interviews are part of internal audit evidence (albeit it a weaker part) and we want to make sure that even preliminary, further to be audited findings are based on what was said, not on our interpretation.

Notes need to lead to a better understanding in real time

However, at the same time, your notes need to lead you to a better understanding of the subject matter you are interviewing about. Because if you are just verbatim copying what is said, without any understanding happening along the way, you will need to do your understanding later, and the clarification will then burden your interviewee long after he or she has walked away from the interview.

Notes need to allow you to put markers where you need clarification

In addition, notes need to allow the note taker, the auditor, to identify areas for further clarification during the interview. Whereas understanding deals with the width of the understanding of a process under review, we need to get the necessary depth as well. Often, you will not be able to immediately interrupt your interviewee to ask for clarification, so your note taking system needs to allow you to put markers in places you want to come back to later, but still during the interview.

Juggling plates

Adding to this complexity is that audit interview notes are being taken during not a monologue, but a conversation. You cannot, as an auditor, enter into a trance and come out 90 minutes later with the goods, without any interaction with the auditee. On the contrary, you will need to engage in very active listening, identifying those points where the conversation blocks, halts or provides any indications of issues, coaxing your auditee to touch all aspects of the matter under review, but while still maintaining an as accurate record.

Yes, good internal audit interviewing does start to feel like juggling a mighty number of plates at the same time.

Reconverting the Cornell Note Taking Technique

The question then becomes, how can you make this work in a very practical way? Well, we can actually reconvert an old, but trusted college note taking technique, the Cornell Note Taking Technique for our purposes.

I like the Cornell Note Taking Technique because it is a very simple technique that allows you to take high quality notes with only limited logistical preparation. It does not require special software, it does not require high tech tools such as audio recorders, it just requires a pen, an adequate supply of paper, and the clarity of your mind.

Note taking phases

I want to take you through a number of phases which I follow when taking notes:


To use the Cornell Note Taking Technique, you need to do a little bit of preparatory work. It takes all of five seconds, if you are used to it, on a white piece of letter or A4 paper.

We want to divide our page into three blocks: two columns and one block at the bottom. Let's do the block at the bottom first. You need to reserve about 2 inches or 5 cm of space at the bottom, which will become your summary block for that page. Then you need to draw a line about 7 cm or 2 1/2 inches from the left side of the page. The left column will become your cue column and the right column, which is about 6 inches or 15 cm wide, will become your note taking column. And that is the logistical part of the exercise.

There is another dimension to the preparation, which is content preparation. I like to list an initial structure of the interview on the very first page of my notes. This structure covers the key topics I want to cover during the interview. If the interviewee would go off track, I have a reference structure I can fall back on. For some interviewees whom I know to tend to go wide, I will even put that structure on a flipchart, which they can refer to.

During the interview

During the interview I use the large note taking column to write down my notes. It's impossible to write down the transcript of the meeting verbatim and I don't want to use a voice recorder because using it will create a significant initial barrier between me and the interviewee. It's just not accepted practice. What I do is to make notes of the key points of what has been said by using active listening skills, including confirmation of understanding.

I also write down the literal question I ask to trigger a response from an interviewee. To me, this is essential because the way you ask the question will influence the response you will get. A response without the initial question becomes a lot harder to interpret later.

Now, whenever I have questions, attention points or needs for further clarification, I will avoid interrupting the interviewee. I will rather note down a short code or indicator in the cue column which I can refer back to once the interviewee has stopped speaking.

The reason for this is simple: it may well be that the interviewee will answer the question I currently have in a couple of phrases, without me needing to explicitly ask the question. It would be a waste of time and effort to interrupt the train of thought of my interviewee for some information he or she was about to provide me with.

Let's look at the codes I most often use in the cue column:

  • Q indicates a question I need to ask
  • ? indicates that I need some clarification on a point raised
  • ! indicates an important point that I need to consider as part of my summary
  • TD indicates a to do for myself, which I need to enter in my task list
  • TD (NAME) indicates a to do for someone else which I need to email them of transfer them in some other way

So, during my note taking I also use these codes in the cue column. Whenever the interviewee has finished explaining an aspect of the area under review or has just answered a question, I move up along to cue column and find the first short code that has not been crossed out yet. I then ask the questions (Q), the clarifications (?) or I confirm my understanding of the important points (!) which I wrote down. Whenever a point is cleared, I cross it out and move down in the cue column, to the next short code. In this way, I cover all the open points up to the final one.

End of the meeting

I usually try to digest my notes as soon as possible after a meeting. This goes in two passes through the material. First, I go through the notes integrally. I note important points, already often indicated by the exclamation mark (!) and I write them in the cue column.

After that first pass, I revisit the cue column and make a summary of the key points in the summary space at the bottom of the page. I usually try to make these whole sentences, because that's how I internalize best. I also deal with the specific action items I left a short code for. These are my to do's or to do's I need to assign to someone else.

The summary notes are then transcribed in a meeting summary, which may, depending on the circumstances, be sent to the interviewee for validation. Usually, these summary notes are just the sentences which I already wrote down in the summary space strung together into a coherent text. To me, it makes little sense to transcribe all my notes, but I want the summary in a standard txt file and in our Basecamp workspace. The notes are scanned and the PDF scan is attached to the summary note in Basecamp.

A final point of attention

When you are processing your notes in the summary space, you need to make sure that you have clarity on all points covered during your interview. If you fail to clarify all the elements, you run the risk of misinterpretation, which will influence further testing and lead you astray, costing you time and resources.

A conclusion

While this method of note taking may seem extensive, it allows me to ensure both a proper understanding of the content and the intent of the interviewee as well as appropriating the material gathered. This enables me to ask the difficult questions later.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Short practical guide to audit documentation in Basecamp

I've been surprised by the level of interest about my recent post on using Basecamp as the base application for internal audit working papers. While by no means a representative sample, I feel the interest indicates that current working paper solutions fail to address a number of concerns or needs which the simplicity and flexibility of Basecamp does answer. Therefore I've decided to write this "practical guide" to using Basecamp as the "basecamp" for internal audit documentation. It is a way, not necessarily The Way. But, if you keep waiting for The Way to appear, it's likely you'll never get anything done.

What Basecamp does not allow you to do

Before we go into what you can do with Basecamp, let's first make clear what it does not allow you to do. Basecamp is not a standard working paper documentation solution for internal audit purposes. That means that it does not provide a number of functionalities these solutions provide out of the box.

For example, if you are looking for a solution with an integrated risk identification and mapping functionality, you will not find that with Basecamp. If you want your solution to highlight key control weaknesses as a standard report, Basecamp will not provide this for you. If you are looking for any kind of automatically generated report, you should turn away, because you will not find it.

Traditional packages cramped our style

We worked with such software for a while - actually less than a year - and we found that it did not fit well with our needs. None of these packages provided us with the flexibility we wanted. Rather, they assume that you buy in to their methodology, and use it to the exclusion of anything else. Sadly, the type of work we do as auditors in development aid does not allow us to buy into any one methodology. Rather, we need a lot of flexibility. Our working papers need to be exactly that: traditional structured repositories of information on work planned and work executed, leading to a set of findings and conclusions, where possible supported by relevant recommendations. The very simplicity and flexibility of Basecamp provided us with the means to structure just that.

One of the reasons I react so negatively to structured software is because it takes away the need to think and reflect. Often, audits are mere mechanical executions of tasks, without any real in-depth consideration of how and why the task needs to be executed. And these systems do not provide the necessary flexibility to allow for a non-standard project to be integrated in that approach. If you then take into account that in addition to our traditional assurance projects we also manage a number of advisory projects each year as well as documenting all integrity and corruption complaints in this system, you understand that a highly standardized approach was not an option for us.

Now, the very simplistic structure of Basecamp means that you will need to do some "configuration" and abide by some ground rules while using it. These rules need to be well understood and consistently applied by everyone using the system. There are not inherently present. That being said, any auditor that is not able to follow simple instructions as to documentation is not worth the title.

Auditor versus client

Basecamp provides you with the ability to define a participant in the project room as either a team member or a client. A client can be prevented from seeing certain documents, if the team member posting the information excludes the client from seeing it.

It's a very simple, but very powerful concept. We now invite our auditees into our working papers, where they can share their comments on the documents we open up to them. Usually, we open up questions and information requests, the so called Prepared By Auditee (PBA) documents. This allows them to answer questions and provide information directly in the working papers, which reduces our administration and allows us to work from so called raw documents, i.e. information received directly from and directly traceable to the auditee providing us with that information.

There are two ground rules here: first, you need to set up the system with the names and email addresses of your auditees, as well as informing them of the fact you will be using Basecamp as an information repository. The second ground rule is that you make sure you do not post anything to all users of the project room that is eyes only to the auditor. This is a risk, as the starting point is that information is shared with all users. Nevertheless, I find it focuses the auditors really well on the nature of the information they put in the system.

We also share preliminary findings and related recommendations with the auditees. This way, they really see the audit report developing almost before their eyes, and they have the possibility to provide comments or correct factual mistakes.

The central nature of the to do-list

Basecamp has a number of standard document types which can be either uploaded (such as files) or generated (such as to do lists, text notes or dates, which are calendar entries.) Now, our working papers are traditionally a reflection of the proper execution of a work program, which in turn is built based on initially gathered and analysed information.

Basecamp allows you to develop and structure this as you go along. Our analysis of initially gathered or researched information, based on standard audit initiation work program, leads to the development of a audit scope memorandum, which is the basis for the work program which will guide the execution of the audit. Basecamp's to do lists allow us to built that work program in phases.

The audit initiation work program is a standard work program. Like any other work program, it consists of audit activities focused on gathering information and performing preliminary analyses, including but not limited to interviews, which feed the development of an audit scope memorandum or ASM. This ASM describes what we will and will not be auditing. How we will be auditing it then becomes the subject of the work program for that audit. The work program is an evolving beast. It is a set of to do lists that together comprise all the work that needs to be executed for that audit. We recognize three types of work program activities which we capture in Basecamp's to do lists:

  • Information requests, sometimes also referred to as PBA's (documents Prepared By the Auditees) are requests for information or data sent out to the auditees. This can range from a simple organization chart to a full accounting data set, or any other type of information. Information requests are purely requests to the auditees to provide us with some information, without further requirements to provide some explanation about it. We do not want to be influenced by the opinion or the idea of an auditee on this data, we just want the data for analysis now or later in the audit.
  • Questions are exactly that. Based on our analysis, we have certain things we do not understand or need more information or clarification about. We will then ask questions of the auditees. They can answer directly in Basecamp, which saves us significant time in administration. Perhaps funny, but some of our auditees actually enjoy the possibility of answering questions in a more formal, written manner.
  • Audit activities are those tests, analyses and other activities to be executed by internal auditors to test the assertions made by the auditees. After all, we are not journalists and need to make sure that what we write has been tested. Audit activities may include reconciliations, specific data analyses, IDEA tests comparing two information sources for data completeness etc.

Each of the to do lists which together form part of the overall work program has at least one and in most cases all of these activities. Additionally, each activity in the work program needs to be identified as one of these activities.

As stated above, a work program usually consists of more than one to do list. We develop one to do list per subject area under audit. Subject areas are determined based on the ASM (remember, audit scope memorandum). This implies that each to do list comprises all audit related activities (information requests, questions and audit activities) that need to be executed to thoroughly audit a subject area under audit. For example, we currently have an audit ongoing on our budget processes. The structure of the to do lists is the following:

  1. Audit initiation work program: this is a standard work program that we apply to every audit;
  2. Audit activities related to the budget process at headquarters level
  3. Audit activities related to the budget process at local office level
  4. Audit activities related to the budget process in programs and projects
  5. Audit activities related to the internal organization of controlling in the context of the budget process
  6. Audit activities related to other departments' roles in the budget process

In addition, we have two other to do lists which we maintain:

  • Draft findings and related recommendations
  • Draft improvement ideas other than findings

Document creation in Basecamp

Given the central role of the to do-list in our use of Basecamp, there should be no other document that is created outside of the to do-lists. There are three exceptions to this:

  • Forwarded mails are mails that are directly mailed in to the system. These are usually forwards of essential mails received from an auditee where we want to maintain not only the information but also the mail itself. A forwarded mail needs to be URL-linked directly to a to do item via the comments.
  • Text documents are documents which we use in the context of findings and other improvement ideas, and are to be linked to the two separate to do lists mentioned above. The text document format in Basecamp allows for a more elaborate text development. We use it because it is easy to copy-paste into the final report. The documentation of findings follows a standard structure and each finding needs to be URL linked to both the supporting evidence and the finding in the to do list. Having that to do list makes it a lot easier to check for completeness of the final report.
  • Dates are used as a calendar for both auditors and auditees. They allow us to indicate, in broad terms, to the auditees where we will be and what we will be doing when.

The need for URL linking

As documented in an earlier post, it is essential that we take the time to properly link documents to each other in both directions: whenever we document a finding, we need to link to the supporting evidence, but the supporting evidence needs to link back up to the finding. The best way to do it is to embed internal links into the comment fields. As Basecamp is a web based solution, internal links are URL links and hence usable by anyone with access to the project space in which we are documenting.

In conclusion

While Basecamp may require a bit more care than other solutions, its flexibility more than makes up for the bit of extra investment in time. In case you have more questions on its use, don't hesitate to ask.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Make sure you know what you did

Looking for better methods

I was recently reading a paper by Kieran Healy of Duke University on workflow applications. I am always on the lookout for workflows that simplify or optimize our way of generating reports and this one came highly recommended by Dr. Drang, so I had to go and take a look. You can find this interesting and well written paper, titled "Choosing your workflow applications" on his blog, which is an excellent read as well.

Striking a chord

In his paper, Prof. Healy lists some basic principles to adhere to when researching and writing scolarly papers. One of these principles really struck a chord with the auditor in me:

"(...) Perhaps the most important thing is to do your work in a way that leaves a coherent record of your actions. (...)"

This piece of advice is essential for any internal auditor. In whatever we do, in any type of audit activity we perform, we need to explain what we did and how we performed the work. Sadly, that is often not the case.

A disconnect between workprogram and working papers

I conducted my first peer review in 2003, and I've done quite a number of them since. One of the most frequent findings is a disconnect between the workprogram on the one hand and the audit documentation, the so called working papers on the other hand. For clarity, the workprogram dictates what the auditor should do, while the working papers should bear witness to what the auditor has done. Logically, a well executed audit would consist of workprogram steps that are linked to working paper documentation.

Now, I'm not implying that the audits I reviewed that showed this deficiency were bad audits. On the contrary, most of the deviations from the initial plan as documented in the workprogram made sense ... once the auditor in charge had reviewed the working papers, spent some time reflecting on what had happened and then explained to me why they had to deviate from the plan. Which begs the simple question: why not document it properly from the outset?

Audits are often intense events in which a lot of work needs to be performed in a limited amount of available time. Especially when you are working remote, you only have a limited time to perform the work. Working paper documentation is understood to be essential, but is sometimes neglected. The same with adaptations to workprograms. And while I understand that resource constraints impose a lot of pressure on audit teams to go ahead and start the new audit, documentation really needs to be done right. Here is why:

Three reasons to document appropriately and timely

There are three important reasons why both workprogram and working papers need to be correctly documented:

  1. If you are subjected to a formal peer review, one of the aspects the reviewer will focus on is the alignment between workprogram and working papers. They expect you to be able to show you have been complete in your work, and this is the only evidence that exists of that;
  2. If you document it now, you will spend less time than if you need to document it later. Going back after a couple of months, chances are you will barely remember why you made certain adaptations to the workprogram. Remember that recollection is fickle and very subjective. It is therefore likely your documentation will be less complete if you need to document retroactively;
  3. Not all of your audit findings will be appreciated or even accepted by the auditees. Hence, it is very important to appropriately document your work while you are doing it. It avoids you having to redo certain analyses or certain work in case the findings are contested.

Accurate and complete working papers, including properly signed off workprograms that accurately reflect the work done are essential to the fiability of your work and the trust the auditees and the board can put in your work. Now that's a good reason to properly and timely document what you do and how you do it, even if it takes a bit more time than you anticipated.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

A is for Anchoring - cognitive biases in internal audit


I really enjoy reading an audit report or audit working papers because quite often we see the cognitive biases of the auditor at work. Let's be clear, I am as much a potential victim of cognitive biases as any other auditor. However, being aware of their existence will make you more attentive to them, and perhaps allow you to at least take them into account when doing your work.

I enjoy biases so much that I decided to do a little series, in some kind of alphabetical order. Let's see how far we can take this.


The first cognitive bias I want to review with you is one called "anchoring".

Anchoring is a cognitive bias which makes us attribute most importance to the first piece of information we come across and use it as the point of reference for further assessments or judgments. You anchor (yes, like a boat) your perception, and any change in your perception will be an incremental change from that initial starting point, or anchor.

It gets worse: you are more likely to reject out of hand or doubt information which you receive later which is opposed to that initial information. You are more likely to qualify such information as an exception or an outlier.

An anchoring example

Years ago, I was part of a team assessing the functioning of a production plant in the UK. We started by touring the facilities and talking to the blue collar workers on the floor. They provided us with a lot of information on the state of the machines and the maintenance performed on them.

Even before we started our audit, we had already been anchored by the information we had received on the workfloor. We were provided information on the state of maintenance of the machinery, which was contrary to the information we received on the workfloor. Nevertheless, we spent significant time investigating this (ultimately non-)issue further, time we would have otherwise more productively spent on other audit activities.

Research such as referred to in this Wikipedia article appears to indicate that anchoring is very difficult to avoid.

And again, it gets even worse: an intelligent auditee can anchor an auditor, if he wants to. I have a good story about that as well.

An intelligent auditee can anchor an auditor

In the beginning of my career, I worked as an external auditor. Most of those my age did. I had a client who stated the number of intentional errors he had introduced in the accounting. This client, the CFO of this organization, was a former auditor himself, and enjoyed challenging us. We worked very hard until we believed we had found all the exceptions. One year he actually overstated the number of exceptions present. We kept on looking for the exception until the final meeting, where he admitted he had anchored us.

Of course, that works once. But once is often enough to throw your audit in the entirely wrong direction.

Guarding against anchoring

Even though it appears difficult, there are ways to guard against anchoring. It comes down to making sure you anchor yourself prior to the first contact with the audit environment. So it all comes down to proper preparation.

A possible solution would be to baseline and hence anchor yourself as an auditor based on available best practices for the industry. Of course you are then entirely dependent on the quality of information available that define those baselines. In other words, if the entire industry is off, this will not assist you much.

The issue of past anchoring

There is another anchoring risk an auditor can be exposed to, and that's anchoring that occurred in prior period working papers. We usually review prior period working papers in order to get a feel for the situation we're going into. Any biases introduced in those working papers may establish an anchor for the current period auditor.

In conclusion

It appears hard to avoid anchoring. Nevertheless, be aware it can happen, and be aware it may skew or even completely direct your audit effort. Make sure you baseline your expectations on as neutral and objective a source you can have, and don't go into an audit unprepared.

This bias is one of the best examples why it pays to do the necessary preparatory work.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

What about a meeting-free day?

The designated meeting day

In order to improve the efficiency and the effectiveness of their teams working from multiple locations, organizations are proposing or even imposing that certain days are to be designated as "meeting days". On these days, remote workers are expected to be present at the office to participate in meetings. Now, while it makes sense to have these people present at the office in certain situations, I feel it puts the accent in exactly the wrong place.

The message such an organization sends to its collaborators is that having meetings is the most important thing they can do. After all, as an organization we are blocking a specific day in the week for just that purpose. And we explicitly communicate about it. So it must be important. Now, is that really the message we want to send?

This is why I would like to propose to complement such an initiative with another one, that puts the accent where it should be according to me: on creative production. I believe - I hope - my employer hired me not for my ability to conduct and participate in meetings, but rather for the contribution I can bring to the realization of the vision of the organization.

The meeting free day

So let's also impose a strictly meeting free day. During that day, our collaborators have the obligation to work instead of spending their times in meetings that may or may not yield any significant added value for the organization. Such a meeting free day should allow collaborators to get real work done. That work could be processing notes from the many meetings they had in previous days, over extracting the to do's from those notes, planning them and actually doing the work of those to do's. Because a to do strives to evolve to a done. And that's unlikely to happen in meetings. Ideally, such a day should be an email free day as well. No distractions, no excuses to not focus on what matters most: getting work done.

However, with meetings taking the place of actual work in many organizations, it appears they are evolving to structures where many speak and few act. We exchange a lot of opinions and a lot of ideas. We may even agree. But when there is work to be done, we don't have the time. After all, we're important. We have to attend another meeting.

And in those other meetings, everyone has an opinion about what others have done or failed to do, but little to no assessment of our own concrete contribution. Now, this means that our total cost per unit of work done increases: all other things remaining equal, the work will have to be done by fewer people, because more people are in meetings. That spells trouble, for such a situation is hardly sustainable.

So let's use that meeting free day figuring out how to do what needs to be done and then getting it done, rather than just talking about work.

Knowledge work environment or extractive industry?

Blocking longer periods for reflection and work, at whatever location collaborators see fit for their specific purposes, is the hallmark of a mature organization that considers its collaborators as mature knowledge workers. Other organizations appear more as an extractive industry, aiming to reap hours from collaborators but never considering that not every hour is created equal, and productive time is not necessarily and most often not the same as time spent in meetings.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

2014 Gates Annual Letter: Myths about Foreign Aid

Okay, you need to go and read this. It's quite long but it's very informative.

As an internal auditor, I especially liked the following part on a fraud discovered and reported on in the press:

"I appreciate the concern, and it’s a good thing when the press holds institutions accountable. But the press didn’t uncover this scheme. The Global Fund did, during an internal audit. In finding and fixing the problem, The Global Fund did exactly what it should be doing. It would be odd to demand that they root out corruption and then punish them for tracking down the small percentage that gets misused."

Whenever we are fighting against fraud and corruption, and make no mistake about it, we are vehemently doing that, we patch holes in processes. However, these holes exist in other processes outside of development aid, and there they are not considered to be as damaging as they are to our activities.

The battle against fraud and corruption is an evolution, rather than a revolution. But we get better each and every day.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

"Says who?" and "So what?"

Most audit reports are too long

Most of the internal audit reports I have read in my life have one thing in common. They are just too long. Sometimes I get the feeling that internal auditors need to motivate their existence by the sheer amount of paper we produce. Because I am guilty of this as well. I sometimes still slip up when it comes to writing concise audit reports.

Now, in our defense, we tend to get the executive summary right, but when it comes to the detailed report, we still over-motivate our work or provide too much context. And with board members having other things to do than just reading our audit reports, we need to be as concrete as possible but without oversimplifying.

A lesson from an old manager and mentor

Whenever I read one of our own draft reports that is just too long and I want to improve it, I use a technique I have been taught a long time ago by one of my former managers and mentors. It goes something like this:

Of every section, paragraph and even sentence in your report, you need to ask yourself the following two basic yet essential questions:

  • "Says who?"
  • "So what?"

Says who?

This may appear weird, but let's look at this in a bit more detail. When asking yourself that first question: "So what?" you are actually testing two of four traditional quality criteria on audit evidence underlying the position you are taking or the argument you are making in the audit report.

First, "Says who?" asks whether the evidence can be considered to be sufficient. Sawyer's Guide to Internal Auditing, 6the edition defines sufficient as "factual, adequate and convincing so that a prudent, informed person would reach the same conclusions as the auditor."

In addition, this apparently simple question also queries whether the evidence is reliable. The same source argues that in order to be reliable, the evidence needs to be the best attainable information through the use of appropriate engagement techniques.

So, by asking a very simple question, you do some quality testing on the information in your report. But what if the answers indicate that the evidence is not sufficient nor reliable? Well, then that position should not be in your audit report, because it is not adequately supported by the evidence. Ideally, you need to go back and get more sufficient, more reliable evidence. If that is not an option, the point needs to be removed from the audit report. Your working papers need to show why it has been removed.

So what?

When asking yourself that second question: "So what?" you are testing the other two of four evidence quality criteria.

First, by asking "So what?" you assess the relevance of your position and thus of the underlying audit evidence in the overall context of the report. Fundamentally, you want to know whether that point really matters. Is it material, will it contribute to the overall quality of the report, its findings and its recommendations or is it just page filler that may well be removed without impacting the cohesion of the report? Sawyer defines relevant evidence as evidence that supports the engagement objectives and recommendations and is consistent with the audit's objectives.

Additionally, "so what?" also questions the usefulness of the statements and the related audit evidence in the report. Does the finding, the position, the recommendation contribute, as Sawyer states, to the goal of the organization? Will working on this make a difference?

Tthe moment there is any doubt about the answer to these questions, the evidence is not relevant or not useful. That means we need to either revisit the audit subject matter or we need to abandon the point.

In conclusion

Asking these two simple but powerful questions of the content of our audit reports will have two effects: first, they are likely to get significantly shorter, because information in audit reports can sometimes be pure inference by the auditor or based on evidence that is just not adequate. And even if it is, using a lot of words does not mean you have something to say. They should also turn out to be a bit more relevant.

And which director or board member can say no to shorter, more relevant reports?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Clarifying questions

Steps to understanding a process

Gaining a clear understanding of the functioning of a process or how it aligns with tactical or strategic objectives of an organization is not necessarily the easiest challenge for an auditor. Often, the counterparts interviewed are not fully aware of either why they do what they do (lack of tactical or strategic insight) or how certain functions are performed in reality (lack of operational insight.)

Effective information gathering

But how do you go about gathering as much relevant information as possible in the most effective manner? How do you ensure that you have thoroughly exhausted all relevant lines of questioning before you disengage and move to the next step in the audit process?

Depending on the direction of questioning, you can ask clarifying questions to further enhance your understanding of the process or the context in which the process occurs.


Imagine you are interviewing a blue collar worker on how a certain process occurs in reality, rather than as described on paper. You are performing an interview on the workfloor or in the field. The first thing you want to understand is the functioning of the process itself. In order to do this, you can ask "How?" questions. For example:

Auditor: Can you explain how you label the product?
Blue collar worker: Certainly. First, I print a ticket.
Auditor: And how do you print a ticket?
Blue collar worker: Well, I put a black ticket in the printer.
Auditor: And how ...

As you can imagine, "how?" takes you deeper and deeper into the operational activity itself, to a more granular level of the activity.

Of course, at a certain point you reach an adequately granular level for the purposes of your audit. That is usually the point where you need to bridge to the next step in the process. A bridging question can be, for example:

Auditor: Okay, I understand that. So then you do ...?

That question will take you to the next "activity" which you then can examine to the required depth by asking new "how?" questions.

In too deep

But what if the answer provided is at too high a level of detail for the purposes of your audit? We've just discussed how to perform a deep dive into the procedural, operational aspects of an activity. If that detail is too much, you need a question to go back up a level.

The question which clarifies tactics or even strategy is the "why?" question. For example:

Auditor: So why do you put that paper in the printer?
Blue collar worker: Because I am required to print a ticket.
Auditor: Okay, and why do you print that ticket?
Blue collar worker: Because I need to label the product.
Auditor: Interesting. And why do you need to label the product?
Blue collar worker: Because my boss tells me to do that.

That or a similar answer is eventually what you will reach when going up. It's essentially the "I have no clue" answer, provided by people who have no answers to the questions you ask.

Interesting questions, interesting answers

As an auditor charged with auditing a process, you then will move up the hierarchical structure and conduct interviews with the hierarchical superiors. Eventually, ideally, the "why?" question should take you all the way up to the strategic intent of the board. Again, this is in most cases a theoretical situation, because I am not very sure that most organizations would pass such a test with flying colors.

Quite interesting is also the comparison in answers provided by the different hierarchical levels. If they match, you can surmise that there is at least a modicum of operational, tactical and strategic alignment. If not, you can be certain that at least the communication on purpose and objectives of the process and potentially even the organization is hampered.

Building a cathedral?

All in all, it reminds me a bit of the story of the medieval scribe that toured works and met a man. When he asked the man what he did, the man replied he stacked bricks. The scribe walked a bit further along and met another man who was engaged in the same activity. He enquired as to what he was doing, to which the man replied he was building a wall. A bit later, the scribe met another man, who appeared to be doing the same thing the other men had been doing. When asked what he was doing, the man looked up with pride and said: "Sir, I, I am building a cathedral."

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx