The real relevance of internal controls and their development

Mutual exclusivity?

I'm hearing a lot of comments about the relevance and the redundancy of internal controls and especially internal controls development and internal controls training. A number of new management philosophies such as this one - pretty much unknown outside of the French speaking world, but mirrorred in philosophies such as the one of Ricardo Semler - talk about ownership and responsibility of the collaborators. I've written about this most recently here.

What surprises me is that these approaches are seen as mutually exclusive. As if internal controls are something bad, or something redundant or even limiting in a context where collaborators are given individual freedom. First, what any given responsibility comes the ability to respond, but also the obligation to explain what was done and how means (both budgets and people) were used. Well designed internal controls increase the likelihood the use was appropriate, effective and efficient.

More than a response to a single issue

But we should not see internal controls as just a procedure or a procedural aspect. We need to see it as a training for eventualities which will most certainly occur. The real value of using and learning about internal controls is that it teaches people to handle those unexpected occurrences which we will be confronted with, whether we like it or not. The best internal controls teach our collaborators to handle eventualities, even outside of the reach of those controls, because the habits of working with the controls have become so engrained that they become second nature in any type of situation.

Think about budget usage controls which are used at work and find their way into the home, leading to better budgetary control and a better life for a family. Or consider solvability checks required at the start of a contract being executed at regular intervals, ensuring the organisation doing the work remains capable of executing that work well. These are but a few examples.

Developing muscle memory

More than just considering the narrow scope of internal controls, consider the use, the training and the development of internal controls as the exercise leading to muscle memory, to a direct response when faced with a control deficiency stimulus.

And let's remain aware that the untrained will never be able to decently dance the tango of work and life. Even if we encourage them to take their responsibilities, we have an obligation to provide them with tools that allow them to appropriately take these responsibilities. Internal controls are one of these tools.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

So what do you do when you don't do what you're usually doing?

A strange question

Okay, I admit, that may be a rather strange question. But think about it for a second ... do you have other projects than professional ones?

Yes, I know you have your family and friends, but do you have objectives, very specific aims you want to achieve with or for them? And if you are alone, do you have hobbies? Are you very clear on what you want to achieve in those?

Look, this is far from a plea to quantify every single thing you do in your life. Life should most certainly not always be about performance, about results. But perhaps being here and now is partly about clearly understanding why you are here, now instead of somewhere else.

Now only has limited meaning without a clear sense of purpose

Without a clear sense of purpose, now only has limited meaning. Now becomes the moment between what was and what will be. Not to be lived, but to be ensured, to be bridged. Those around you at that moment will experience you bridging that moment, not living it, because you will not be there. At those moments you are either living in the past, going over what has happened, or you live in the future, preparing for what will be.

You are only this moment

The point is, you are not here, now. While you are just and only here and now. You are not different from this moment ... and this one ... and this one. It's important that as many of these small moments make sense and are lived to the fullest. As Annie Dillard said: "How we spend our days is, of course, how we spend our lives."

Because it is so easy to drop into bridging behavior, it makes sense to formulate a clear purpose and sense of objectives in each area of responsibility in your life. Your significant other, your kids, your friends deserve to be part of one of your projects. They have the right to figure in your life, more so than any job related person or entity has that right.

If you fail to identify the relevant areas of responsibility in your life, you will not give yourself and those around you the authorisation to experience you and your presence in all areas of your life. And whomever you are, that would be a loss, not just for those around you, but for yourself most of all.

So, what do you do when you don't do what you're usually doing?

Here are four steps that will at least get you on the way

Step 1 - Get out of limbo

That waiting area that some of us spend quite a lot of our lives in has a name. It's called limbo. It's that place where you are in between other things. We all spend too much of our lives in limbo.

The best way to get out of limbo is by identifying our areas of focus, as David Allen refers to it in his GTD book. This Simple Dollar post describes more in detail what areas of focus are.

Ideally, you identify all the areas of focus you cover when consciously awake. Not just those areas you deem important, but also those areas you may not be really aware of. Using a time and activity tracker, such as RescueTime for example, is a good first step to understand what - on your computer at least - you are up to. I believe you may actually be surprised. After a couple of days, you will at least be aware of what you are actually spending time on.

One of my key areas of focus which does not get enough attention is 'being a father to my children'. Note this is not being an adult around smaller people. No, this is about being a dad.

Step 2 - Define objectives for each area of focus

Take your time and define at least one objective, something you want to realize in each of the areas of focus you identified in the previous step. This objective can be a simple answer to the question: what do I want to do for the people which I interact with in this area of focus.

In my area of focus 'being a father to my children', I have the objective to "make my children laugh".

Step 3 - Identify projects that allow you to achieve those objectives

Once it is clear to you what you are trying to achieve in the chosen area of focus, it becomes a lot easier to define a project that will lead to the achievement of those objectives. It proves the point that asking the right question is often the most difficult part in approaches such as GTD.

I had a couple of days off last week, and one of my projects was to visit entertaining statues in Brussels, such as this one and this one. I concede Belgium can be a confusing places. My kids did laugh once the initial surprise and shock wore off.

Step 4 - Make a conscious choice to commit and then be there, then

You are but this moment. Each moment, you have the choice to be here, or not to be here. We often forget we have that choice. But remember, as David Foster Wallace said, "this is water". If you chose to be here, now, you will be here in a mindful manner.

I'm sure there were a myriad of more productive ways I could have spent my day off. None of them would have been as good fun as that day in Brussels turned out to be. I choose to be there, not somewhere else. I was in the middle of the water.

GTD as an approach provides you with the essential tools to be mindfully present in the moment. We just have to use them the right way in all the areas of our lives.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Brett's courage

Much respect to Brett Terpstra for opening up about his past in this extremely personal post. I've never struggled with substance abuse myself, but I was a very, very heavy smoker from 1988 until late 2007. I'm defining heavy smoker as ranging from one pack to two packs of Camels per day. I had gone through numerous attempts to kick the habit before finally being able to quit in October 2007, thanks to good advice from a couple of colleagues.

I find it simply amazing that a strong and focused person can turn around his life in such an inspiring way. Each and every day something Brett made touches my life when I work on my computer. Whenever I work on texts, Marked 2 is one service call away. I use Searchlink for each blog post I write. I arrived at my editor of choice, Byword, after consulting Brett's crowd sourced list of text editors for Mac.

So Brett, thanks for sticking around and making a difference for a lot of us, Mac users. And happy belated birthday!

And for those not yet supporting Brett, he has an open support model running which allows you to support his work. You may consider doing that.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Risk management maturity - moving beyond risk registers?

An interesting article on risk register obsolescence

I recently read this article by Michael Werneburg which was subsequently updated here. The article deals with the evolution of risk management in organisations beyond the use of risk registers into a risk mature organisation. It restates and reiterates a number of points that have been made by Matthew Leitch in the past on his blog Working in Uncertainty. The basic gist of the argument put forward is that risk mature organisations no longer need risk registers or any kind of specific risk management procedure because they have embedded the risk (management) dimension into their daily management practices.

Well, I can tell you that I am torn by that position. On the one hand, I do believe that the authors have a point as far as risk mature organisations are concerned. A well established risk management practice will lead to risk thinking becoming embedded in management's mind and integrating in management's agenda.

Risk maturity requires an evolution

However, I do not agree at all with the assumption that is being put forward which states that because this is the case, we can take the training wheels of any organisation, abandoning a formal, procedural approach to risk management and evolve straight into risk maturity without passing through a risk learning process. I think that position is fundamentally wrong. Werneburg describes in his update how risk maturity came about, and while details are limited, it appears the organisation underwent a significant evolution to come to a risk mature structure.

Organisations do not self-mature. People don't either (not really)

Now, why do I react so vehemently to this type of thinking? I am very much aware that this thinking fits into the self-maturing organisation thinking some management philosophies currently embrace. They imply that if you leave your collaborators alone, they will make mistakes but will learn from them and evolve based on that learning to a mature state.

First, this is an assumption that is based on scant evidence at best. For every maverick like Ricardo Semler that succeeds in implementing such a change in an organisation, there are tens of organisations that fail to appropriately implement this kind of self-rule. If this would work, the banking crisis would have been avoided all together. However, individuals are often selfish rather than selfless operators.

Gambling with tax payers' money

Second, especially in a public sector context, this type of laissez-faire attitude is a gamble with tax payers' money. As public sector transparancy is already much under scrutiny, consciously risking budgets for a 'learning experience in risk' while very hard budget choices need to be made with very real effects on very real people, can hardly be considered as mature behavior.

Public sector organisations need their risk training wheels

As far as managing risk exposure is concerned, a lot of public sector organisations still need their risk training wheels. They also need a strong, directive management, especially in light of the significant personnel cuts which are not always in line with the real needs in the different departments.

Establishing a common language by means of a risk model, ensuring that appropriate risk identification is timely and consistently performed and using the risk model as an aggregating structure to bring together solutions that actually work in specific situations is an approach that organisations that have not yet reached risk maturity need.

Falling on their proverbial faces

Any management team that fails to put in place these essential systems and practices cannot expect to escape the confrontation with reality unscathed. They will fall on their proverbial faces. Much to my regret, experience and common sense cannot be transferred through osmosis. It's not by standing next to greatness or experience that you will become more experienced. Unless someone clearly explains the dynamic or organisations and their management teams auto-magically becoming risk mature without doing the work and the learning, my cynical internal auditor's heart will have to assume it is not happening.

Trust, but verify

Let us not forget the Russian proverb "doveryai no proveryai", which translates to English as "trust, but verify", which became Ronald Reagan's signature phrase in the US-Soviet Union relations of the mid and late 1980's. A risk model based risk management system for a young or maturing organisation as contained in a written and applied risk management process, combined with a well functioning internal audit department provides a decent basis for this verification component. You may trust, but internal audit will make sure it gets verified.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Slow writing: more beautiful words

Reading The Cramped

Lately, there's been a movement towards more tactile writing experiences, especially those writing experiences involving pen and paper. Excellent sites like The Cramped show people who are perhaps not aware of the beauty and the advantages of writing with a (fountain) pen on paper just what it's all about. I can only recommend the site, not only because of its content, but because it has some wonderful writers as well.

Fundamentally different writing experiences

In my personal experience, there is a marked difference between writing on a computer and using your hand - better even, your whole body - to form the words with some kind of writing instrument instead of tapping with just your fingers. Even your choice of writing instrument will influence the speed and care with which you write, altering the entire writing experience. Take a pencil, for example. Then a gel pen. Then a fountain pen. You'll see.

Speed of writing

The slower and more careful your instrument obliges you to write, the more aware you become of writing and of your writing, and the more considerate your writing will be. Your words are being formed more beautifully on paper, and that extra moment of consideration makes the words used more beautiful, more relevant as well.

Let me illustrate: I most often take meeting notes with a gel pen. It's a quick writing instrument, ideal for capturing words which are not my own. That writing is not beautiful writing. It is entirely functional, aimed at providing capture of and some quick reflection on what was said during the meeting.

On the other hand, I think with a fountain pen. A fountain pen requires a more considerate, slower approach. Legibility, such as the avoidance of smearing ink all over the place, is entirely down to my presence when writing. If I do not take the time to form the words, thinking about them as I write them down, I end up with a lot of colored smudges on paper, bearly legible and disjounted, and not much else.

Mindfulness

These fundamental differences make writing on paper with a fountain pen one of the most deliberate and present, aware experiences I know. It is one of the most mindful experiences I know.

I do invite you to try it. You'll see.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Tone & content audit report = f(audience)

Writing an audit report is serious business. But for auditors, it usually is one of the last things to do before closing the audit job and going to the next one. Not all auditors writing the audit report are necessarily familiar with the audience of their report. And that results in a failure to hit the right tone and language for the report. In my opinion,

the audience should determine both content and tone of the audit report

But why is that, and why is writing a good quality audit report so difficult?

On the one hand, your target audience is not necessarily as literate in organisational language and procedures as the internal auditors or the auditees are. After all, the members of the audit committee are selected on the competences and experience they can add to the organisation to strengthen its governance structures. They bring often very specific expertise, be it financial or subject matter. The in-depth understanding of the inner workings of the organisation are not necessarily present in an audit committee.

On the other hand, an internal audit report is often a technical assessment of an issue or a set of issues in an organisational process or a set of processes. Nuance can make all the difference between adapting the procedural framework to enhance existing controls or surpressing the activity all together because the exposure is deemed too important to patch.

A high quality audit report brings both clarity for the audit committee member and nuance for the auditee.

The internal audit report needs to be concise. It needs to be read and understood by each member of the audit committee in as little time as possible. It should also provide an adequate base for nuanced recommendations. Combining these challenges into one approach is not an easy task, but one a good auditor should master. I use a couple of guidelines which work for me.

Guideline 1 - Say what you have to say upfront

I've read quite a few audit reports which lose themselves and their readers in pages and pages of scope exceptions before coming to the point. While it is okay and even advisable to write a short introduction which describes the context and limitations of the audit, the formal scope limitations can be pushed towards the back of the report, even to the appendices.

Rather, as an auditor you need to get to the point as quickly as possible without losing your audience. By preference, state your conclusion in the very first page of the summary, then go about explaining how you got to that conclusion.

Guideline 2 - Speak clearly, concisely and understandably

If the subject matter is technical, auditors tend to adopt the organisational language. This may make us feel safe because we adopt the language of the auditee, but it is confusing to the audit committee members. They will get confused and before long abandon reading the report all together.

At best, you'll get a lot of very critical questions from the highly irritated audit committee, at worst you'll get nothing at all.

If you fail to convince your audit committee of the relevance of your audit and your findings, you will not only have invalidated the work on that specific report. You will have jeopardised your own continued relevance as internal auditor as well.

Guideline 3 - Conclude sensibly

Findings are one thing, but at the end of the day it's not the finding that will make the difference. Your conclusion and the subsequent recommendations are what will assist the organisation in improving its internal controls, risk management and governance. Your recommendations need to be understandable, as per guideline 2, but they also need to be sensible.

A sensible recommendation is the best possible, realistic, implementable recommendation. But in order to develop those, you need to ...

Guideline 4 - Involve your auditees in validation and recommendation

You need to involve your auditees, not only in developing the recommendations, but in the validation of the findings and conclusions as well. There is nothing more unnerving to an audit committee member than being faced with a technical disagreement between auditee and auditor during the presentation of a report to the audit committee. That simply shows the auditor did not adequately perform his work.

Confronted with that situation, audit committee members will drop out of the conversation, get confused and eventually become highly insecure as to the relevance of the findings, the conclusions and the audit report as a whole. They should and will send you back.

To avoid that, you need to make sure that most if not all potential points of friction have been adequately cleared before going into the audit committee meeting.

Guideline 5 - Drop information irrelevant to the audit committee

This one will hurt. I know that fear of lack of audit report volume is a known abberation of internal auditors. We fear the long days, nights, weeks and sometimes even months slaving on audit tests will never be properly represented by a mere 20 pages of audit report. But we fail to understand that fat reports indicate an inability to appropriately synthesize, a major deficiency for an internal auditor.

If technical information is essential, put it in an appendix, or even better, put it in a separate report for the auditee, provided it has been appropriately reconciled with the report to the audit committee. This will ensure completeness of both reports.

To recap

If you ...

  • say what you have to say,
  • speak (or write) clearly, concisely and understandably,
  • conclude sensibly,
  • involve your auditees in validation and recommendation, and
  • drop information irrelevant to the audit committee.

You may find your audit reports to be a lit shorter, lighter and significantly more appreciated by your audit committee members. And remember, all the details are in your working papers ... or at least, that's where they should be. Not in your audit report.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

5 simple steps to remaining on target

It's been too long since I've posted a blog entry. Between work and adapting the curriculum of a venerable training program in my new role as academic director, there were not too many words left in my head or fingers.

The juggling of multiple projects and responsibilities has made me more aware of the challenges of remaining on-target. When managing multiple activity streams which are competing for my attention all the time, I noticed I did not stand a chance of achieving any kind of productive result unless I took the time to consider their relevance now and how to practically move forward on each of them. It turned out to be very easy to be very active yet not make any progress on my priorities. That had to end, and this is how I did it. This is not rocket science. It works for me, and it may work for you:

Step 1 - categorizing my projects

The first thing I did was (re)categorizing my projects. This is a pretty simple application of the Getting Things Done methodology where the higher altitudes of planning correspond with your areas of responsibility.

Actually, I have adapted these areas of responsibility a little bit. I translated them into objectives which closely align with my areas of responsibility, but which are ordered in order of importance for myself. For example:

The first objective on my list is "Ensure a healthy family life". This corresponds closely with my areas of responsibility "husband", "father" and "son/brother-in-law". Now, while I can imagine projects I can do to ensure a healthy family life, it's a bit harder to imagine projects I can "do" to be a husband, a father or a son/brother-in-law.

And another example:

A bit lower on my list is the objective "Make your clients happy" Now, I have quite a few clients, which align with my areas of responsibility of "Chief audit executive at BTC", "Executive Professor at the Antwerp Management School", "Faculty at the Solvay Brussels School" and "Partner at CasMo". Now, while my clients in each of these areas of responsibility are very different, such as the board at BTC or my participants at both Universities, the key objective is to ensure they are happy. Relevant projects are only those projects that will ultimately lead to the clients being happier than before.

The interesting thing about this approach is that it shows you where you tend to overcommit and where you undercommit to your priorities. There is a reason I put family life soo high on my agenda. If in the daily hubhub of work life I tend to undercommit to my wife or children, I see it immediately. If I put that responsibility further down, I may forget it or ignore it too long. And that would not be honoring my own priorities.

Step 2 - Developing a purpose statement and a description of project success

This one was born out of project management training. I go through my list of projects and for each of them, I try to write why I'm doing that particular project and what success of that project would look like. for example:

I have this project which is titled "Put all your photos online". I'm doing this to preserve my photos and make them accessible to my family members and close friends. That's a purpose statement. Success would be if all my good photographs are saved online one month after having been taken, with access given to family members and close friends depending on the content. Birthday pictures get a wider distribution than vacation pictures, for example. That's a definition of project success.

This exercise takes some time, but it serves a dual purpose. First, it clearly defines why I do what I do and what success looks like. However, if you do this exercise, you may find out that formulating a why on some projects is not that easy. And even if you can define a why, what success looks like is not always that simple either. Think about this: if I cannot define why I am doing a project, perhaps I should not be doing it, because it does not contribute to my larger objectives. If I cannot define what success of a project looks like, that means I will not know when I have achieved that success. I won't know when it's done, when I can stop. That usually means I have not adequately considered the project, and it needs to be refined. For example:

Recently, I found a project on my task list which was titled "Assist in developing strategic plan for entity Y" in the context of my work for BTC. When I was considering the purpose statement, I realized that it's not up to internal audit to actively assist in developing a strategic plan. I actually started a project where I was just supporting the management team by identifying a number of people that could support them. This did not warrant a project, nor the time I would spend considering a next action on this. This was just a to do in a miscellaneous task list. I quickly killed that project.

Either way, I will put this project on hold and I will consider it further during a review. I need to reconsider it before going forward on it, before spending precious time on it.

Step 3 - Defining project outputs

For each project that remains alive after that culling, I define a maximum of three tangible project outputs. I list what I believe to be essential deliverables of the project. These may be intermediate deliverables, but they are things a project should realize in order to be successful. Quite often, a good purpose statement and success statement will hold keys to these project outputs. For example:

Going back to my "Put all your photo's online" project, I defined my outputs as "A procedure to timely (one month) review all your photo's, remove the bad ones and put the good ones online", "Access to the photo's for all relevant family members and close friends" and "Proper segregation of access depending on status". These are tangible outputs in the sense that they either exist or they don't. If they exist, the project can be considered a success. If they are not in place, the project has not (yet) achieved success.

The tangible outputs need to lead to success. They are the larger steps in the project, but by themselves they do not consist of specific actions. They are too large for that. I actually work with outputs instead of activities because it is easier to get lost in activities. If you do not define your activities well, you are likely to lose time in determining what to do in order to "do" the activity. An output is easier, in the sense that actions either lead to the output or they don't. Outputs tend to make it easier to define actions, which is the next step.

Step 4 - Define the actions that lead to the outputs

Once we know what outputs we need to achieve success, we need to start work on making sure those outputs are produced. That is the development of the actions. It will not always be easy to define what all the consecutive actions are you need to take to develop the output. However, the next action is usually very easy to identify. Once that is done, the next action becomes easy to define, and so on. In GTD parlance, this is runway level stuff, but only after we have done the higher altitude work, not the inverse. If there is too much stuff on the runway, it becomes very easy to get distracted. And stuff on the runway that should not be there will lead to crashes. So you need to ensure that your runway is cleared for take-off, which you do by defining your deliverables, your outputs in a very clear manner. For example:

In my "Put all your photo's online" project, I defined "Proper segregation of access depending on status" as an output. The next action there is: make a list of people that need access to my photos. The next action after that is: make categories for your photos depending on their nature. The next action after that is: determine who on my list of people gets access to which category ...

After having defined the output, the next action becomes easy to define. You are not very likely to get from where you are to your output on all of your projects, but your project actions will become a lot clearer.

Step 5 - Daily top three priority projects

Each day, I go through my list of active projects in all my areas of responsibility and I pick three projects on which I want to make progress that specific day. Only three, and each day is a different day. Take a weekend:

On weekends, for example, my focus will be less on making my clients happy and more on ensuring a healthy family life. I will only look at one keeping clients happy project and put most of my focus on a healthy family life, by working on my photos project and on another project which actively involves the kids. Or I may forego client projects all together and work on some maintenance projects.

Or, for contrast, a weekday:

On weekdays, my focus is solidly on making my clients happy. If this is a traditional working day, I will select two BTC projects and one maintenance activity with a direct impact on my BTC work, such as "Maintain audit working papers".

I aim to spend 80% of my time that day on those three projects, and I try to clear at least one next action for each of those projects. Quite often, I clear more, because I am very focused on what I am doing.

Today, for example, I was working on my "Make and maintain professional connections" category, which has a running project called "Blog on Exploring the Black Box". It had a next action which was titled "Write blog post on remaining on target" which relates to the output "Write one blog article per month on personal productivity".

Conclusion

Procrastination is everywhere, and it hides in the small details. We may work hard but end up unfulfilled because we failed to do meaningful work. Meaningful work becomes easier to define if we know what brings meaning in our lives. This very practical process is one way that helps me ensure I do just that: meaningful work.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

The (in)flexibility of corporate governance

Thinking about corporate governance

When we think about corporate governance, most if us think about a large and quite often unwieldy set of organisational structures and processes which keep the organisation aligned and on course towards its explicit objectives. And that is what governance has been portrayed as ... An immovable aspect of an organisation, set in concrete, and difficult if not impossible to change.

Wikipedia defines corporate governance as

"[...] the system of structures, rights, duties, and obligations by which corporations are directed and controlled. The governance structure specifies the distribution of rights and responsibilities among different participants in the corporation (such as the board of directors, managers, shareholders, creditors, auditors, regulators, and other stakeholders) and specifies the rules and procedures for making decisions in corporate affairs. Governance provides the structure through which corporations set and pursue their objectives, while reflecting the context of the social, regulatory and market environment. Governance is a mechanism for monitoring the actions, policies and decisions of corporations. Governance involves the alignment of interests among the stakeholders." (emphasis added by me)

Failing to understand the needs of corporate governance structures

While governance is indeed one of the more stable aspects of current day business performance, with codes having been published throughout most of the world dictating what at a minimum a good governance structure should look like, I have a feeling a lot of people fail to understand that a good governance in an organisation is nothing more nor less than an essential scaffolding for goal oriented performance of that organisation, within a set of normative boundaries.

We can dive deep into governance, and I want to and will later on this year, when I'm preparing my course material for the classes I will be teaching on that subject matter at the Antwerp Management School, but now I want to make a very specific point on most of those codes and frameworks that have been established ... because I believe internal audit's current interpretation of its role with respect to these frameworks fails to address a key aspect.

Corporate governance is a blueprint ... only a blueprint

I've referred to governance as a scaffolding, but let's consider it more like a blueprint of a vessel that will take the organisation towards its goals. A blueprint, or even a set of DNA-coded rules that will provide an organisation, if properly applied, with a stable structural basis to develop from.

There is, however, a problem ... we often fail to consider our evolving needs when we build our first house. DNA instructions only kick in under specific circumstances, and not under others. The same goes with organisations. The structures considered relevant at a certain point of maturity of the organisation are often no longer that relevant once an organisation evolves and matures. Just like a small dingy will do well to sail on a calm lake, it cannot withstand an ocean in gale-force winds. The context has changed, and so the governance needs to change. And herein lies the problem, a problem internal audit is excellently positioned to address if it lets go of its traditional approach to its roles and responsibilities and embraces its strategic role in the organisation.

Resistance to change

Governance structures are often inherently resistant to change. They are built that way. By definition, they are there to avoid organisation becoming severely dented from multiple impacts of risk events. They have been developed to endure and thus they endure ... beyond their relevance. They are, so to speak, the plastic containers of the soft drink. Long after the soft drink is gone, long after we are gone, the plastic container endures. Much like that container, we often find relics of original governance structures deeply embedded in organisations, sometimes even at the core, where their irrelevance to the new reality in which the organisation plays actually impedes that organisation from developing at the required pace to keep up with the competition.

A core task of the internal auditor

The interesting thing is that it is one of internal audit's core tasks to provide the organisation and its board with timely indications on the continued relevance of its governance processes. It is right there in the definition of internal auditing:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." (emphasis added by me)

A quick trip down memory lane

How did we get there? Internal audit started out as the guardian of the internal control systems. If the internal controls were well, all was well. Well, not so much, it turned out. The 1980's clearly showed that that line of thinking was an error. Even with no failures in internal controls, those controls may well have been built in the wrong places given the evolving risk profile of an organisation. Internal controls were clearly not the ultimate solution to organisational issues.

The scope of internal audit activities was extended to cover risk management systems as well. We were no longer just looking at internal controls, but also at the circumstances that required us to build those internal controls in the first place, the risks impacting an organisation on its way from its current position to its intended objectives. Sadly, that still did not prove to be adequate to avoid major problems. Enron and Worldcom showed that even with some measure of risk management systems present in an organisation and internal audit actively monitoring those systems, a structural lack of governance - window dressing, as it were - can lead to significant issues which could not be mitigated by an active second and third line of defense.

Enron and Worldcom were addressed in the US by the passing of the Sarbanes-Oxley act. Much has been written about that, and we are not going to revisit those discussion. I believe that while intended well, Sarbanes-Oxley may have gone about solving this issue in the wrong way. Internal audit should have gone on to play an even more explicit and important role in signaling governance issues. What happened was the contrary. Internal auditors became process mapping experts and started to tick the boxes on the adequacy of internal control structures. So instead of a step forward, internal audit took a step backward.

Exiting the dark ages of internal auditing

We're slowly leaving those dark ages (okay, years) of internal auditing. The banking crisis of 2008 emphasized the need for an independent oversight of existing governance structures. Essentially, the questions to be answered are the questions that are invoked in the definition of internal auditing:

  • Do these governance structures exist?
  • Are the governance structures being used and respected as they should be?
  • Are the governance structures still relevant?

However, it is no longer just the governance structures that need to be reviewed and where needed renewed. We will have to train an entirely new generation of internal auditors as well. Internal auditors with the capabilities to not gravitate towards ticking the boxes but with a capability to review and provide assurance and advice on the adequacy of governance structures.

This will prove to be a key challenge, a challenge we will go about addressing in our master classes at the Antwerp Management School. In 2014-2015, they still will be given in Dutch, as of 2015-2016 we're planning to establish a master class internal auditing in English as well. I will be developing some of these ideas on these pages. I hope you will take the time to share your ideas as well on the platforms I will be posting these ideas on.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Audit interviews: exploratory versus digging questions

Failing to bring home the goods

I believe most of us have been in a situation such as the following: we send out a young staff member on an interview, most often one of their first, only to have them come back with less than the information we expected them to. Then we hit ourselves over the head for not having briefed them at length. This wastes both their time, our time and our auditee's time. And all of that time costs money.

Understanding the questions

It's a rather common occurrence that young auditors often either don't dig deep enough when interviewing, or fail to identify the entirety of the information an interviewee can provide them with. The reason? They often lack a basic understanding of different types and uses of interview questions, how to approach an interview, how to properly prepare for it and how to spread the questions to extract the maximum available information. Interviewing is an essential skill for any internal auditor. As we all know, there are many different aspects to a good interview. In the context of the issue above, I want to focus on a very narrow but important aspect of an interview: the nature of the questions you ask.

An interview as a key audit tool

An interview is an important audit tool. When you are conducting an interview, you essentially try to get a better understanding of the subject matter you interview a subject about. Interviews are a great way to get some essential information quickly, if you conduct them the right way.

There are, however, as with any tool, a few caveats. Keep in mind that interviews will - on the whole - provide you with less objective information than a document review will. Situations, occurrences, issues, problems are communicated to you after having been interpreted by the person you are interviewing. You see the information they provide you like it passed through their perception filter. Add to that your own perceptual filters, and you have quite subjective information.

It is therefore quite important to get a feel for an interviewee's position towards specific issues in order to be able to interpret their comments correctly.

On the other hand, you may be confronted with reams and reams of information you have no chance getting through before your audit ends. You may be sure that you have the essential information, the smoking gun so to speak, available in the truckload of data that has been provided to you, but you need to find it first. A well conducted interview may help you with just that.

On an aside, I have the impression that the easier it is to transfer data, with the enormous load of data that is available, the more difficult it gets for the internal auditor to find the issues in all that information. Which explains to popularity of data analysis tools such as ACL and IDEA.

In order to be able to manage an interview well, you need to know there are many types of questions you can ask your interviewee. I usually distinguish between exploratory questions and digging questions. Each of these questions has their specific uses.

Exploratory questions

Exploratory questions are questions which allow you to explore the field of knowledge or information your interviewee has information about. They don't necessarily tell you what the interviewee knows but they will tell you what they know about. The lines of questioning therefore do not dive deep into the information, but more or less scan the available information which we can gain access to through the interviewee. These questions are essential, as they allow the auditor to determine what the interviewee can provide in the context of the audit. You could compare it to reading the tables of contents of quite a few books and asking some questions about those. Exploratory questions allow you to determine what information is available, and whether or not that information has any relevance for your audit.

An exploratory question could for example be when you ask the foreman of a plant who is responsible for the maintenance of certain key infrastructure. He may answer "Pete" which then leads you to conclude that he does not necessarily know about the state of maintenance and that you need to talk to Pete. If he answers "me", you know that he can provide you with information on the state of maintenance. This is likely important, but not enough information. After all, you need to understand what his subjective position towards infrastructural maintenance is. Is he against what he may consider an overly careful maintenance schedule, because it reduces output and thus bonus potential. Or does he find that the people get pushed too hard, with not enough maintenance work being done and working conditions being dangerous. Remember we talked about a subjective interpretation? Well, that information can provide you with insights in how the issues he has information on may be perceived.

Digging questions

Once you have a good view of the lay of the land, of the information your interviewee can provide you with, you need to identify what the information is you want to dig out. The digging is done by means of very specific questions that provide you with access to the information the auditee knows about. By using digging questions, the auditor focuses on a specific subject. You want your interviewee to provide you with everything he or she knows about that specific subject matter.

Digging questions are usually a combination of an open-ended question to start off with, clarification questions to clarify understanding of certain issues and then closed questions to confirm your understanding. For example:

Imagine the foreman has confirmed that he knows about maintenance of the infrastructure. You could then dig in with "Can you tell me about the maintenance of these machines in the past 2 years?" After having heard him, he may be indicating, but not yet entirely volunteering some issues with one of the machines. You could then ask "I seem to hear you say that machine A's maintenance schedule was not respected. Can you tell me more about that?" After having heard the full explanation, you can confirm your understanding: "I understand that you feel that the production pressure leads to a reduction of the maintenance schedule of machine A, with in turn leads to safety issues for the team, am I correct?"

In conclusion

It's important to be quick on your feet and to ensure that you do the digging in the right spot. It's a bit like a treasure hunt, but there are no maps with X-es on them. Rather, an auditor needs to find the map, interpret the map, mark the spot, then go and digg and bring back the goods.

A well structured interview approach in which the interviewer is very conscious of what he is doing is an essential tool in the toolbelt of any auditor.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Efficiency overkill

Working on efficiency

We've been working a lot on efficiency aspects lately, so I got to thinking about the boundaries of efficiency quite a lot in recent days and weeks. Efficiency is very important, especially in a public sector environment. We are using taxpayers' money, so it is essential that we make the best possible use of that money. Best possible use means producing quality output. And quality, in turn, can be defined as an result reached effectively and efficiently. Quality output means we are doing the right things the right way. And as with a lot of processes in public and private environments, there is a lot of room for improvement.

Going too far

But can we go too far? Can a relentless push for efficiency lead us to a place where we have lost the essence of what we were trying to achieve? I think this is a real possibility, probably one that was experienced by many private sector organisations in that first wave of reengineering in the 1980's and beginning of the 1990's. A too relentless push for efficiency can destroy the identity of the team and the organisation.

So what now? Is there a certain threshold where we need to let go of trying to achieve efficiency in our approaches? And where would that threshold be? Is it not a quite individual appreciation? Or are there other means? Other ways of looking at this problem.

The meta-nature of the Japanese tea ceremony

I like to look at the Japanese tea ceremony as a wonderful example. Deeply rooted in Zen Buddhism, the tea ceremony is a practice that has a set of clear objectives and follows a strict set of practices. It is both effective and efficient as a process in its own right. But it forces the participants to focus on the moment, to be really there, deeply attentive and immersed in the experience. It is a practice that obeys the rules of the game (i.e. it needs to reflect quality) but, by its nature, it forces the participants to consider not just the process but also the entire circumstances of the process. It brings the participants back to the essential aspects of what they are doing, in this case, making and consuming tea.

Retaining our identity

Why that example? Because in our relentless search for efficiency, we need to keep in mind why we are doing that and whom we are doing it with. We need to ensure that identity is maintained throughout the exercise. We need to respect certain traditions that makes us reflect on who we are and why we are doing what we are doing.

Any initiative aimed at improving efficiency and effectiveness needs to reserve a spot, be it a place in time or a physical location, where we can reflect on why we are doing what we are doing, and how it relates to the wider whole of the organisational objectives. If we fail to do that, the ultimate efficient and effective process or organisation we will build will be but a husk, a mere reflection in troubled waters of what we were ultimately trying to achieve: build a process that understood humans are humans.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Quick thoughts on development aid

Development aid is not about punishing people. Not our own people, not our beneficiaries. It should never be about guilt, or about a debt owed. It should be about using our intelligence, our creativity, to make the world more inclusive.

It should never be about the typical Catholic rap of: "you should feel bad because you have it so good." We need to look at all possible ways of bootstrapping our beneficiaries, pull them up to where we are, and continue together, beyond where we are now. Fundamentally, it's about leaving this place a better place because we've been in it.

We should also dare to be open for the non-traditional solution, which may not perhaps be on or right next to the trodden path. As Robert Frost so eloquently wrote:

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.

You know, I've never really known whether this was a positive or a negative poem. But perhaps life is like that.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Some ideas on democratic administrations (updated)

There is a old "new" management wave roaring through the organisational straights again, and it is lapping up on the shores of public administrations. I'm talking about the workplace democracy model that was made famous by the success of Brazil based Semco in the 1990's. The general idea is that reducing management in favor of direct decision making by the collaborators themselves will significantly increase performance without sacrificing efficiency, effectiveness and compliance. The Semco experiment has shown this model can work in a for profit environment, where the participants stand to gain from maximizing their own input as it translates directly in monetary values. The question is whether this model would also function in a public sector environment.

A more fundamental analysis of the uses and issues with such a model in a public sector environment is probably an excellent subject for a doctoral thesis. I have no data to support or reject the use of this model, other than some narratives which are, as evidence goes, rather limited. But there are a number of factors which we need to consider when implementing this type of model in a public sector environment. Let's consider a few ...

It's not your money

Problems with workplace democracy in a for profit environment directly impacts the collaborators themselves, as it hits their personal bottom line. They have a direct, tangible incentive to correct problems because they stand to gain less if the issues are not resolved in a timely manner.
In a public sector environment, the money is not theirs, or not theirs directly. The tragedy of the commons problem will tend to occur, where key maintenance activities - I consider internal controls as maintenance activities - are neglected to get the most use out of the available means without considering longer term impacts.

Corruption and fraud

When a person actively abuses means from a for profit organisation, he harms the shareholders. These shareholders are those colleagues around him. These people have - under certain assumptions - a vested interest to ensure that the abuse does not take place. If the direct (financial and other) benefit of participation is significant, participants will automatically tend to curb free rider behavior of one or more players. You will have some misuse, but it should not, in principle, dominate.
However, the same Nash equilibrium will not necessarily be reached because the circumstances are fundamentally different. The pay-off for each of the participants in a public sector context is quite different from that in a for profit context. The risk of abuse of public means may be significantly higher.

Need for strategic audit

Some of the proponents of the workplace democracy idea would like to do away with control and audit, because self-regulating organisms regulate themselves. There would no longer be a need for such control and oversight systems. That may be taking that particular turn at too high a speed, however.
Self-regulating organisms either regulate themselves, or die. If they die, they die because their particular solution is not adequately adapted to the circumstances on which it was brought to bear. Hence, we need to ensure that the circumstances for workplace democracy in public sector are adapted. To me, and subject to significant further research, this would mean having adequate internal control systems as well as clear governance in place, including internal audit structures, to ensure that the taxpayer's money is used in the most effective and efficient manner for the intended purposes.

Update - responsible autonomy

A good friend and reader mentioned the following article on wikipedia on responsible autonomy. What I really like about the article is that it does mention the need for "clearly defined boundaries at which external direction stops".

If we consider this, the need for an independent and objective group of people, such as auditors, to assess both the relevance and the continued compliance with those boundaries becomes very obvious indeed.

Internal audit can assess whether circumstances validate for example an extension of the boundaries or, on the contrary, require a contraction of those boundaries. Factors need not only be internal control issues, but may also be related to external factors changing. These factors could be identified through risk analysis, for example.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Marketeers all the way

Turtles all the way

There's this story I must have read in one of Terry Pratchett's wonderful diskworld novels. In a conference open to the public, a scientist is approached by an older lady. She contests the round world hypothesis and points out that the world is a disk, carried on four elephants, who stand on the shell of an enormous turtle. The scientist then asks her what the turtle stands on. To which the old lady replies: "Sir, that's a faulty question. It's turtles all the way down."

Looking up and looking down

Look down. On whose shoulders do you stand? And how high is that piramid that is holding you up? Are you more towards the bottom, groaning under the weight of those above you but with some sense that if, no, when it will all come falling down you will not get hurt that much ... or at least not from the fall? You may still get crushed, but that's another problem. Or are you dizzy with vertigo from the height you find yourself at? Quite a way to fall, isn't it?

Look up. Who are you holding up? And why are you holding them up? Is it just because they are above you on the corporate ladder? Or is it because all of you together get rich of some poor productive soul all the way down there, at the bottom of your particular piramid? Do you feel obliged to hold those above you up, or do you expect they will do something for you?

I believe there are a lot of organisations that have redundant management layers. They strive to maintain their existence by growth and create redundant management layers while doing that.

The piramid of power

Sometimes I look at a structure, at an organisation, and I wonder who is actually doing the value added work. This, by the way, is not a new thought for me. I had the same worries when I was part of one of the big 4 audit & advisory firms. The piramid is a piramid of power, and it is very apparent in such structures. The grunts are doing all the menial tasks, the experts are in the middle, being worked hard and supported by the grunt, and those people on top ... well, with some noteworthy exceptions, a lot of them are first and foremost marketeers, selling the wares but not really performing much of the work. The revenue models used in those organisations do not allow those high cost profiles to be deeply involved with the work.

That being said, the audit & advisory firms are still among the most flat organisations out there. Look at other hierarchical organisations. There are still a lot of those around. There are those producing the stuff that is actually brought to the market and then there is the entire superstructure surrounding that product and how it is being brought to the market. A lot of organisations have turned into administrations. Even organisations with initially lean objectives turn into administrations very, very quickly, if left unchecked.

But we need managers to coordinate the work, I hear you say. But do we?

Proximity was essential, once

It's a simple question, is it not? We needed managers once. The owners needed profiles that were capable of growing the business without an inate need to take over the entire company. Perhaps even more telling is that the move from the home, where most production was done in the 18th and 19th century, to the workfloor in the mid to late 19th and early 20th century was predicated by the proximity to a unique and highly expensive power source. That source, most often a steam engine, powered many machines. Not being close to that machine meant not getting any work. And work paid wages, and wages put food on the table. No wages, no food, no future.

The hierarchy was a means to control larger structures. Given that the optimal number of direct reports is somewhere between 5 and 10 people (I've often heard it put at 7 people), controlling large production structures became a question of layering enough. Communication then was face to face communication, often accompanied by show and tell. We call that on the job training now. In that day and age, the only way to do the work was using this model.

Old solutions are no longer relevant

Times have changed. We are in the internet age now. With some noteworthy exceptions, mainly on mainland Africa, power sources are available and power costs are going down more then going up. And it is not just that. Communication has been modernized too. There are a myriad of ways to communicate with each other. The use of hierarchical structures where people talked to people who in turn talked to people is no longer required. The problem is that the hierarchy apparently did not receive the memo yet.

Now, rather than assisting organisations in taking the next step in their growth, in the next step in their evolution, those hierarchical managers are preventing the organisations from doing that. They are now, more than ever, the overhead. And you know what is so dangerous about overhead, right? Well, it usually is over your head. Which puts you at risk when it will eventually will come tumbling down.

And unless organisations, especially hierarchical administrations get the message, we run the risk of incurring significant costs of organisational destruction and clean-up. Because marketeers all the way down is not a viable, sustainable situation.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

The death of information asymmetry

Alcoholism and opium

As I understand from my sparse reading of the history of the beginning of the last century - the history of the industrial revolution - many people were left at a loss what to do with their lives once the industrialisation took hold. This led to for example a high degree of alcohol and opium abuse. A large part of a generation was lost.

Change happens

I've seen similar scenes, albeit on a much smaller scale, when I was working in Eastern Europe in the middle of the 1990's, as an auditor. A generation of Eastern Europeans, fresh from UK and US universities, came back to their fatherlands and made redundant an entire generation of traditionally schooled "managers".

Change happens, and change impacts us all, some more than others.

Access to information meant power

The same is happening with the internet. And that change is impacting the layers of management whose sole purpose was to transfer and synthesize information. Their role was essential in the past. Their role was extremely powerful. Some people had and hoarded information. Hoarding information meant controlling access to that information. Fundamentally, information was power, and determined position. If I knew something you did not, and if you were willing to pay for that information, I had a business model. Taken one step further, if I had information you needed, I had power over you.

The role of information managers

Information hoarding, or information "management" - because hoarding is such a bad word - became a thing. We had knowledge managers, people whose sole purpose in professional life existed in identifying sources of information and providing them to us. Some of that information existed freely in the world. Some of that information was behind paywalls, in walled gardens. Some of that information did not exist at all.

Internet meant free availability of information

Enter the internet and the evolution of passive information gathering tools. As an information user, I no longer have to go look for a lot of information. If I take the time to adequately set up search queries and alerts in different services, the information will come to me as soon as it is available.

A generation unfamiliar with the tools

This poses, of course, a number of other challenges, and a number of potential linked business models. First, there is an entire generation that is not necessarily familiar with the available tools. These are the current 35+ somethings. They did not grow up with the internet. The whole thing is new and slightly alien. These people need to be trained in what information can be found where, and they need to learn how they can set up notifications.

Drinking from the fire hydrant

The second challenge is the most important one, and one that will likely stay and increase further. We are not capable of dealing with the information fire hydrant that has been switched on and that keeps pushing information in our faces. If we dare to put our face in the streaming water, we risk getting knocked out by the sheer force of the volume of information. How do we ever make a choice in what to read and what not?

g! Scott Hanselman talk webstock, in his excellent talk on personal productivity, has a great suggestion. He suggests to find appropriate information aggregators. These are people or organisations in your field that assist you in reviewing the information and synthetizing it to a point where the time you invest in reading it pays of. Of course, some will say, what is the difference with the former knowledge manager?

Information provider independence

That difference is very simple: he or she is no longer embedded in your own organisation. He has no direct value in shielding certain information, in hoarding it. Rather, the aggregator is in constant competition with other aggregators. To be a sustainable business, he needs to be the best quality aggregator around.

The information aggregator as a business model

So here is a prediction: the growth of the aggregator we see in certain industries, especially the tech industry, occurring, will start to occur in other industries as well. Content aggregators will start to appear in other industries as well, not motivated by the hold on information, but motivated by bringing you the best available information as soon and as complete as possible.

We did not eliminate the middle man. We converted his role and made his function a business model all by itself. Interesting.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Kourosh writes again

The approaches ...

There is GTD, and 7 habits, and scrum, and many more approaches, for lack of a better word, which aim to help us with our personal productivity. I for one started with 7 habits and graduated to a personal adaptation of GTD with some agile put in there to ensure I actually produce instead of tinker.

The science ...

Then there is the science behind the approaches. One such study on GTD done at a Belgian University (pride!) explains how GTD actually works.

The understanding

And then there is deeper, almost intuitive understanding of the subject matter of personal productivity. It differs from the science in that it resonates at a deeper, more essential level. It may be storytelling about science, and perhaps less exact, but it leads to a fundamental comprehension of how personal productivity approaches work. And one such book is Kourosh Dini's Workflow Mastery - building from the basics.

A comfy blanket

For those not familiar with Kourosh' work, he is a psychiatrist working out of Chicago who has written and blogged extensively on personal productivity. I for one feel we need to reserve a special place in our hearts for people working out of Chicago. I would likely be wrapped in large comfy blankets the entire time, not getting any work done.

Deep resonation leads to deep understanding

All kiddin' aside, Kourosh provides us in this update - actually, it's an entire overhaul - of his original book with some very deep insights into what is behind personal productivity. It goes beyond that. When I read an advanced draft version of the book, I was struck by how deeply the content resonated with me and felt true at an almost intuitive level. It makes sense, in that it comes very close to making clear why we function how we do when we aim to achieve a higher personal productivity. And that approach, more than many approaches I've read and studied before, actually allows you to enhance your current workflow.

Not for the uninitiated

This book may not be the book for the uninitiated in GTD or any other personal productivity approach. For that, I would suggest you go and read David Allen's GTD or Covey's 7 Habits. However, if you have a personal productivity workflow - as I assume most of you have - this book is most certainly worth reading, because the deeper understanding it leads to will allow you to both better understand your own ways of working and allow you to tweak and enhance that approach.

A carefully crafted piece of a master

In addition, and that alone is worth the price of admission, Kourosh writes beautifully. As a non-native speaker of the English language and schooled in traditional European languages such as Dutch (close to German) and French (close to, well, French ;-)) I adore well crafted words, sentences and paragraphs. Kourosh almost composes an intricate piece of music when writing. Which should surprise given his background as a classically schooled pianist and musician.

Mindful at its core

It also shows you that the practice of mindfulness, which is ever present in the book, leads to amazing results. The book, clearly written in a very mindful state, exudes the benefits of mindfulness by its very nature.

If I seem to be very enthousiast about this book, well, I am. Kourosh contacted me a couple of months ago, when he was in the final stages of writing this book, and asked me to reread it. Which I did, and I learned a lot along the way. Some of my practices started to make sense. And I most certainly started to practice a significantly more mindful attitude. Which is highly conductive to higher and especially more relevant performance.

A free update for owners of version 1

For those who purchased his Workflow Mastery book before, this entirely new book is a free update. For those who have yet to purchase it, go do it now and read it. It will be well worth your time.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

A lean government needs strategic internal audit

In the short period of 1999 to 2003, the Belgian federal government was making some real progress, at least conceptually, in improving its functioning. The Copernicus reform, which eventually failed, had some essential ideas on how to turn the Belgian federal public sector into a (reasonably) lean organisation.

Come the 2008-2009 financial crisis, and we find a federal public sector that no longer wants reforms after what it suffered through under the past reform. But what it wants is not relevant, as it is forced into significant restructuring of operations, because the money is no longer there to support what many stakeholders (the population) believe to be bloated institutions. But rather than a concerted, structured effort to optimize and make the government organisations lean, cuts were being imposed across the board, with little consideration for efficiency and optimizing service performance. Many inside of government believed we no longer had the time to critically assess and optimize, we just needed to reduce expenditure. No one believed there were change agents in place to guide government services through this optimization process.

The notion there were no instruments of change available to ministers in 2009 is incorrect. Even more, these agents of change reside inside of the administrations and can assist in making the required analyses to optimize the cuts. Those resources are called internal auditors. But right now, they are not used to the maximum extent possible.

Why are the current crop of internal auditors not ready nor used? Because, not always by their own will, they have been limited in scope to just their role in internal controls assurance. This is a traditional internal audit role from the early 1980's and modern internal audit departments have moved far beyond that role.

Let's examine what internal audit could offer to a public sector that has all but forgotten about it.

Assessing the effectiveness

Once certain "new" public sector tools are structurally put in place, such as management agreements - tools currently already being used by many state owned companies - internal audit can provide reasonable assurance on the effectiveness of the government entity in reaching the strategic and operational objectives as defined in the management agreements. Effectiveness is about doing the right things. Internal audit can provide the key stakeholders of the federal government service, usually the minister and his cabinet, a reasonable assurance on whether the government service's management team is actually doing what it is supposed to be doing.

In addition, this work allows the management team to communicate, through internal audit, about the incompleteness of such management agreements. If a government service is doing a lot of work which is essential but not adequately represented in a management agreement, perhaps the agreement is incomplete. Or perhaps the federal government service is doing work that is no longer deemed relevant.

Providing key stakeholders with information about what the auditees are actually doing as compared to what they are supposed to be doing is a core competence of an internal audit department.

Efficiency

If effectiveness is about doing the right things, efficiency is about doing things right, in the correct and ideally in the most economical manner. This is important for government administrations as they need to provide the same or better services to their stakeholders in a reality of reduced budgets. Internal audit can assess the efficiency of government operations as well, by benchmarking activities. We're actually missing a wonderful opportunity to cross benchmark administrative services which are comparable across different government services, and looking for good practices.

But what I have described thus far is a quite traditional internal audit, in both public and private sectors. While these assessments bring true added value, they are but the top of the iceberg when considering what internal audit can bring to the table. Which is why it is quite surprising that some of the assessments described above are not executed by internal auditors, but by external consultants, whose added value in process improvement if not adequately immersed in the organization's culture is limited at best.

Internal audit's tactical added value

Internal audit has a role to play in risk management. Attempts have been made to implement the concepts of risk management in many organisations, among which some of the federal public sector organisations. I co-authored one of the methodologies which was en is still used in several public sector entities. The problem is that risk management has not reached the level of maturity which sees it taking its place among other management tools, such as balanced scorecards and key performance indicators. There is a lot of talk about risk management, but only limited action.

Internal audit, however, has traditionally used risk analyses to plan its short, medium and long term audit activities. Risk analyses scan for risks within and around the organisation by using a combination of questionnaires, self assessments, historical data and, most important of all, common sense.

Risk management assumes an organisation is a car, not a train. It needs frequent tugs at the steering wheel, and if a corner presents itself in the road to the objectives, action needs to be taken.

Internal audit is allowed to take on certain roles in assisting the organisation in implementing risk management as a true management tool. It'll no longer be internal audit in the crow's nest, without binoculars, screaming 'iceberg' just a minute too late ... rather, the entire organisation will be aware of the fact that no matter how well designed your internal controls, there are problems out there that may not be resolved by putting in yet another internal control.

Internal audit's future: a strategic added value

But creating awareness and teaching people to look around before engaging as an organisation is not where internal audit's responsibility should end. After all, knowing something big and bad is heading our way is not enough to avoid it. I believe internal audit has a responsibility to assess the adequacy of an organisation's governance structures to evaluate it's respons readiness to the evolving situation on the road to achieving its objectives.

For a long time, we believed that governance, the foundation of the organisation, should be cast in stone. But recent experience has shown that the only certainty is uncertainty. No one structure is capable of dealing with all eventualities.

Internal audit, with its deep knowledge of the organisation has a responsibility to provide its stakeholders with insight in the adequacy of the current structures in responding to risks as well as providing recommendations on how these governance structures would best be adapted to most adequately respond to these risks.

By providing these insights to stakeholders and management team alike, internal audit will really live to the fullest its strategic role.

It also shows why internal audit should never be too far removed from the organisation it's auditing. The auditors are (currently still) there. Why are we not using them?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

My bad time travel habits

Two books I've read in recent months made me acutely aware of my bad time travel habits. I know, it may come as a shock I can travel through time. It most certainly surprised me. You may believe it's a gift, but it is really more of a curse.

Now, before we go any further, I carry some bad news I really need to share with you: you are likely cursed with the same affliction. I'm quite sure you travel through time as well, and not in a good way. I understand that in order to proof that, I first need to show you that we can travel through time and actually do pretty much all of the time. Let's go.

Frequent time travel can and will hurt you

But perhaps not in the way you think it may. This time travelling business is not about travelling back in time and accidentally killing your dad resulting in you never being born in the first place. That would be a paradox. Paradoxes are not real. They exist only in your mind. keep that thought on mind and paradoxes for a minute while I explain something else first.

When are you?

Now, I would like to invite you, right now, to think about when you are. Not where you are, but when. Sounds confusing? Let me give you some examples:

I often find myself 5 minutes, a couple of hours or even a couple of days in the future, thinking about what I will be saying to someone, or how I will be dealing with a difficult situation or a reluctant audit client. Rehearsing how I will act in a meeting, and what I will say.

While I may not physically be there, or rather then, for all intents and purposes my mind is. Let's compare it to a feeling most of us are familiar with. You can drive your car and go through the motions of driving without really being present. Your life is on automatic pilot, while your mind dwells somewhere else. Be honest, how often have you caught yourself doing just that?

Sometimes I find myself back in the past. I am be thinking about what happened in a meeting, or during a discussion, or during the execution of a specific audit activity. And if it was a particularly difficult meeting, I will go through it again and again, considering the reactions of the people present, trying to understand what they meant, chewing over what I said and what I should have, could have said ... over and over.

That again illustrates a pretty typical situation in which I am not now but rather back then with most of my mind. What is now is just my body and some of the basic functions that keep me alive. My internal collision avoidance system, so to speak.

Being somewhen else makes sense some of the time

Let me be very clear: none of these actions are bad for me if they occur at the proper place and time. For example, thinking about a presentation and rehearsing it can be a part of preparation. Thinking about what I still need to do for a specific audit may be part of planning. Reflecting on what happened in a meeting yesterday may be done in the context of dealing with my notes and next actions, while I'm working through my backlog. That's often called processing. In those instances it makes sense to not be now, but somewhen else. But those blocks should be limited. And to most people, they are not.

The transparant sauce pan lid of the mind

The problem is we often fail to give these thoughts and ideas the appropriate time and place to begin with. And of course that does not make them go away. Rather, they tend to bubble up through our minds. Mind is not necessarily the wonderful instrument that most would want you to believe, right?

Our minds are like a transparant lid on a sauce pan in which a sauce is merrily bubbling away. When the sauce is starting to get warm, you can barely make out the surface through the mists of condensation. And then it gets hotter, and hotter, and hotter. You cannot avoid the bubbling of your unconscious, but if you don't turn down that heat by using a couple of specific techniques, the bubbling will eventually lead to sauce spattered all over the glass lid of your conscious mind. Your mind will react and try to wipe the stains away. It will consider each of the stains. It drifts off to somewhen else. And if the heat is particularly high, there's going to be a lot of spatter. Lots and lots of reasons to be somewhen else.

Being in the zone

It is not all negative. You, like me, have periods when you are now. Those are the periods of deep, concentrated production. The moments you are "in the zone".

For me, for example, I get in the zone when I am writing, like I am now. I have my notes, I have what is in my head, and I write. I also am now when I teach. I've taught classes when I didn't even notice how time progressed.

These are the moments you are deeply focused and actively present. You are fully aware and in tune with what you are doing. That can be your text, or your class. There is no sensed passage of time, there is just now. There is no consideration of things outside of my awareness. There is just what I feel, which can be a group of people or a concept I am trying to catch into a set of words. It may even be something entirely different.

We're learning to ride horses. It's a fun family activity. While initially there was a certain apprehension - horses are very big up close - I've been relaxing into it, becoming somewhat aware of the fact that there was a silent participant in all of this, the horse. By the way, it's a she, and she's called Fox. Last weekend, I fell off. I did. Actually, entirely through my own stupidity, I was more or less catapulted off when learning to properly gallop. Now, I had been very focused on things going on around me, especially behind me, where my wife and kids were riding and where there were discussions going on (my kids are rather vocal) ... and then suddenly I was now, in the dirt, after having flown a couple of feet. I got back up on the horse ... and became very aware of how she had become scared by what had just happened. I could feel, really feel her insecurity. What then happened was the best gallop in my very short career gallopping. Because I was fully and totally there, entirely committed.

Now is the only moment

Now is not a moment. Now is the only moment. All the rest is what we believe was or will be, and it is tainted by mind projecting through very strong filters. Now is when it happens. Only now. All time spent anywhen else but now outside of specifically assigned spaces for such reflection is wasted time.

Techniques to manage the heat

I'm coming back to my sauce pan. We need to control the heat. There are a couple of techniques that assist you in doing that which are relevant here:

One of them is David Allen's weekly review, to which I've added David Sparks' daily review. These well known GTD practices help you to both look forward and look backwards in time, serving as a very good basis for planning.

About the second technique: I'm always surprised on how much of the sauce splatters I consider during the review actually get discarted. They were noise in my system, things I believe I needed to react to, but really did not have anything to act on or to work with. Still, it would not pay to simply discard these feelings, ideas, frustrations and whatever. That's why I like journaling so much as a technique. My weapon of choice here is Day One, an excellent Mac and iOS app, but you can use any tool you want. Writing in my journal allows me to consider what happened in the past day, and how I see that figuring in the broader scope of my life.

Constructs of an over active mind

Now, remember those paradoxes that only exist in the mind? The past and the future are constructs of your over active mind as well. Best to dwell on them within the correct context, but not to give them free reign, because they will distract you from the now. When you are in the now, you are no longer aware of time. Ask any athlete that is operating at peak performance ... but also look at yourself when you are at your best.

And now is the only moment you have to do something, to produce something, to do the work. Spend as much as you can in the now. So get to it. Now.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Are you a contract killer or a primary care physician?

The contract killer

I've known quite a few internal auditors who took pride in the number of people they managed to take out as a consequence of their audit reports. The arguments? Most often they argued the people had failed to do what they were told to do by the procedures. Or they considered the people to be incompetent or bent in many ways. Whatever reason they felt justified them in approaching their job as they did, to me, it is still fundamentally the wrong way to look at our profession. Because we are not contract killers. Rather, I believe we are the primary care physicians of businesses. Let me explain.

A small town doctor

I would like you to think about a typical small town primary care physician. Yes, this is an older gentleman or lady, wizened with the years. This is someone who knows you and your family intimately. Perhaps they even assisted delivering you to this world. That's the type of physician I'm talking about. Well, a good internal auditor should be like that.

Closeness breeds understanding

A good primary care physician knows you and has known you for a long time. A good internal auditor knows the environment he or she is working in. They know it intimately. They live in it, they work in it, they breathe in it. They are not entirely part of it, there is a significant and necessary amount of independence there, but they are very, very close to the organization.

By being so close to his or her patients, the good primary care physician cares deeply about them. Likewise, by being so close to the organization, the internal auditor cares deeply about it. We care so deeply about it, that we can be very harsh if we see significant failings that may threaten or significantly harm the organization. While a doctor may care about seeing one of the young ones of the family take up smoking, we may care deeply about a repeating pattern of procedural neglect in a certain area. Being harsh in our reporting is often a way to deliver a clear and concise wake-up call to the organization that has lost its way.

Forgiveness encourages evolution

A primary care physician is also forgiving. When he sees marked improvement, because someone is consistent in taking their medicin and doing their exercises, they will consider that as a positive element come the follow-up exam. The internal auditor, even seeing that everything is not A+ yet, will be considerate for the department that really made the effort to implement certain recommendations, even if they are not yet fully implemented yet.

Deep understanding creates perspective

A good primary care physician is close to the family, and knows the family stories and the family crosses. Some things need to be known, but only on a need to know basis. An internal auditor, confronted with some issues from the past that were correctly resolved, bears no grudge. It is not about what happened in the past, but what will happen in the future, taking in account everything that has happened in that past. This requires a deep understanding that many a hired gun - a contracted internal external auditor - does not have because he will never have access to that information. A good internal auditor engenders trust and earns it.

Awareness leads to relevant action

A good primary care physician also knows when to call the ambulance and transfer the emergency care to a specialist. An internal auditor, when confronted with a significant problem, will likewise immediately alert the correct people at the board level or even beyond. Some problems cannot be solved by internal controls, good risk management or governance improvements. However, that does not mean the good internal auditor hands over and lets go. Rather, he remains close and makes sure that the organization is comforted and supported during a difficult period.

Communication shines a light on issues

A good primary care physician communicates well, because he or she understands that communication is one of the most important keys to identifying whether something is wrong. A good internal auditor understands the value of excellent communication as well. The best among the internal auditors know that something is wrong in the organization because they feel the change in the air before someone has even communicated something to them. That's experience.

A quick illustration

One of the key reasons for auditor independence is auditor objectivity. Think about that primary care physician now. He is close enough to the organization to objectively and with some measure of emotion assess that something is wrong. He is not taken by emotion in a way that it prevents him from functioning. Rather, he is the one that calls the ambulance when everyone else around is crying and wandering around aimlessly.

Much in the same way, the great internal auditor knows something is wrong but remains able to act and to assist the organization in getting all of its proverbial ducks in a row. He does not drown in the organizational emotional fear, but remains detached in such a way that he can advise on the most appropriate actions.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Death of The Manager

Examining my dictionary

What is a manager? My dictionary states that a manager is:

"a person responsible for controlling or administering an organization or group of staff"

But there is an implicit assumption here, which is the following: that an organization or a group of staff need managing. And that's what it used to be.

The traditional paradigm valued its human resources at replacement cost

Our traditional production paradigms dictated a structure of managers to keep the resources well organized. The resources, those were the inputs, the machinery and ultimately the ones using the machinery to produce something, anything. Which were the workers.

Sadly, in that scheme, the workers were easiest to replace. Machines cost money. Firing employees, especially blue collar employees, not so much. Resources cost money. If those resources are reasonably rare raw material, their price fluctuates with any market that cares to provide them. But you can always find more people.

Education was and still remains a trap

Education became a trap for many people. In my opinion, and I'm very opinionated about education, it still is to an extent. People were being trained to be good little production units, standardized, easily replaceable, easy to manage. What was seen as a way out of the poverty trap many blue collar workers had been caught in, turned out to be a lifelong commitment to the McJob. It paid good money, but it remained a trap nevertheless.

Becoming one of them

The ultimate promotion that could be had, was to become one of them. One of the ruling class. One of the managers. You needed higher education for that. And higher. And higher ... master upon master upon master, with requirements skyrocketing. All these qualifications apparently required to rise to a level where you could manage the McEmployees in their McJobs. Each single unit of work had the potential for a number of productive years but was easily replaceable if needed. And that replacement was performed every time the employees became too costly. Or too unruly. Unions were formed, but turned out to become companies on their own, with their own employees who held on to their jobs. And even the managers turned out to be McManagers, reporting to another McManager higher up in the hierarchy, each of them as easily replaceable as the next McManager. Tower of Babel, anyone? Because at the end of the day, each McManager is a McEmployee as well, and holds on to his McJob for dear life.

Where is the added value of the manager?

There is a problem with all of this: the hierarchical chain responsible for controlling or administering that organization does not deliver a significant added value on its own, but they do cost a lot just to control or administer. They used to coordinate workers in order to deliver products and results. That system, when pushed to its logical extreme, led to Just In Time resource delivery to Just In Time production lines which fed large shopping malls which wanted to hold as little inventory as possible and used Just In Time delivery to the store. To a large extent, the world, which is a consumption oriented world, still functions like this. But we are realizing more and more there is little to no added value of the manager other than coordination.

The decreasing need and relevance for coordination

And that coordination is becoming less and less relevant today. Higher and higher baseline education levels mean that many more people understand what they are doing, even if they work on a conveyor belt slapping small thingies to other slightly larger thingies. And they are not the only ones.

The first real enterpreneurial generation

The really creative work is no longer being done in large businesses, but by knowledge workers who are by nature more self managing than most professions we ever had, during the entire human history, other than true enterpreneurs. They constitute, perhaps, the real first enterpreneurial generation. These knowledge workers use a true multitude of online tools to find each other, addressing needs they have not by finding the closest available person that can do the job, but the best available person anywhere in the world.

More leadership, less management

The role of the person responsible for controlling or administering an organization or group of staff, the manager, is becoming redundant. We no longer need any managers. We need visionaries that will provide direction for the engaged, independent knowledge workers, who will create ideas, solutions, products that self-governing teams of skilled workers will build, not because they have to, but because they are interested in it. The key motivational components so eloquently described in Dan Pink's excellent book Drive will not just power the educated knowledge worker, but the traditional blue collar worker as well.

Death of a salesman

But it will mean the death of the manager. I imagine that death a bit as a scene from Arthur Miller's Death of a Salesman. No longer relevant, the manager will try to hold on to unrealistic dreams and expectations, and may even try to influence just one more generation. I believe we need to start providing for these people, and ensure they have a good home for their retirement, because we owe them that much. What we do want to avoid is that they crash their cars, like Miller's main character does, killing himself with all good intentions.

And our organizations will need to start to adapt to that inevitable change.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Context reporting

Another link to an absolutely worthwhile article.

Michael Lopp offers an excellent suggestion in the following article on context reporting. He suggests:

"A context report documents the reason why (and to a lesser extent how) you’re completing these actions and I suspect this information is far more useful to everyone involved."

I invite you to go through the - extreme - examples he suggests. I for one can see some significant added value coming out of this approach, and I'll seriously consider using this as a value added recommendation whenever I come upon communication efficiency issues in an audit.

Which, as seasoned auditors know, is pretty much every audit.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx