Kourosh writes again

The approaches ...

There is GTD, and 7 habits, and scrum, and many more approaches, for lack of a better word, which aim to help us with our personal productivity. I for one started with 7 habits and graduated to a personal adaptation of GTD with some agile put in there to ensure I actually produce instead of tinker.

The science ...

Then there is the science behind the approaches. One such study on GTD done at a Belgian University (pride!) explains how GTD actually works.

The understanding

And then there is deeper, almost intuitive understanding of the subject matter of personal productivity. It differs from the science in that it resonates at a deeper, more essential level. It may be storytelling about science, and perhaps less exact, but it leads to a fundamental comprehension of how personal productivity approaches work. And one such book is Kourosh Dini's Workflow Mastery - building from the basics.

A comfy blanket

For those not familiar with Kourosh' work, he is a psychiatrist working out of Chicago who has written and blogged extensively on personal productivity. I for one feel we need to reserve a special place in our hearts for people working out of Chicago. I would likely be wrapped in large comfy blankets the entire time, not getting any work done.

Deep resonation leads to deep understanding

All kiddin' aside, Kourosh provides us in this update - actually, it's an entire overhaul - of his original book with some very deep insights into what is behind personal productivity. It goes beyond that. When I read an advanced draft version of the book, I was struck by how deeply the content resonated with me and felt true at an almost intuitive level. It makes sense, in that it comes very close to making clear why we function how we do when we aim to achieve a higher personal productivity. And that approach, more than many approaches I've read and studied before, actually allows you to enhance your current workflow.

Not for the uninitiated

This book may not be the book for the uninitiated in GTD or any other personal productivity approach. For that, I would suggest you go and read David Allen's GTD or Covey's 7 Habits. However, if you have a personal productivity workflow - as I assume most of you have - this book is most certainly worth reading, because the deeper understanding it leads to will allow you to both better understand your own ways of working and allow you to tweak and enhance that approach.

A carefully crafted piece of a master

In addition, and that alone is worth the price of admission, Kourosh writes beautifully. As a non-native speaker of the English language and schooled in traditional European languages such as Dutch (close to German) and French (close to, well, French ;-)) I adore well crafted words, sentences and paragraphs. Kourosh almost composes an intricate piece of music when writing. Which should surprise given his background as a classically schooled pianist and musician.

Mindful at its core

It also shows you that the practice of mindfulness, which is ever present in the book, leads to amazing results. The book, clearly written in a very mindful state, exudes the benefits of mindfulness by its very nature.

If I seem to be very enthousiast about this book, well, I am. Kourosh contacted me a couple of months ago, when he was in the final stages of writing this book, and asked me to reread it. Which I did, and I learned a lot along the way. Some of my practices started to make sense. And I most certainly started to practice a significantly more mindful attitude. Which is highly conductive to higher and especially more relevant performance.

A free update for owners of version 1

For those who purchased his Workflow Mastery book before, this entirely new book is a free update. For those who have yet to purchase it, go do it now and read it. It will be well worth your time.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

A lean government needs strategic internal audit

In the short period of 1999 to 2003, the Belgian federal government was making some real progress, at least conceptually, in improving its functioning. The Copernicus reform, which eventually failed, had some essential ideas on how to turn the Belgian federal public sector into a (reasonably) lean organisation.

Come the 2008-2009 financial crisis, and we find a federal public sector that no longer wants reforms after what it suffered through under the past reform. But what it wants is not relevant, as it is forced into significant restructuring of operations, because the money is no longer there to support what many stakeholders (the population) believe to be bloated institutions. But rather than a concerted, structured effort to optimize and make the government organisations lean, cuts were being imposed across the board, with little consideration for efficiency and optimizing service performance. Many inside of government believed we no longer had the time to critically assess and optimize, we just needed to reduce expenditure. No one believed there were change agents in place to guide government services through this optimization process.

The notion there were no instruments of change available to ministers in 2009 is incorrect. Even more, these agents of change reside inside of the administrations and can assist in making the required analyses to optimize the cuts. Those resources are called internal auditors. But right now, they are not used to the maximum extent possible.

Why are the current crop of internal auditors not ready nor used? Because, not always by their own will, they have been limited in scope to just their role in internal controls assurance. This is a traditional internal audit role from the early 1980's and modern internal audit departments have moved far beyond that role.

Let's examine what internal audit could offer to a public sector that has all but forgotten about it.

Assessing the effectiveness

Once certain "new" public sector tools are structurally put in place, such as management agreements - tools currently already being used by many state owned companies - internal audit can provide reasonable assurance on the effectiveness of the government entity in reaching the strategic and operational objectives as defined in the management agreements. Effectiveness is about doing the right things. Internal audit can provide the key stakeholders of the federal government service, usually the minister and his cabinet, a reasonable assurance on whether the government service's management team is actually doing what it is supposed to be doing.

In addition, this work allows the management team to communicate, through internal audit, about the incompleteness of such management agreements. If a government service is doing a lot of work which is essential but not adequately represented in a management agreement, perhaps the agreement is incomplete. Or perhaps the federal government service is doing work that is no longer deemed relevant.

Providing key stakeholders with information about what the auditees are actually doing as compared to what they are supposed to be doing is a core competence of an internal audit department.

Efficiency

If effectiveness is about doing the right things, efficiency is about doing things right, in the correct and ideally in the most economical manner. This is important for government administrations as they need to provide the same or better services to their stakeholders in a reality of reduced budgets. Internal audit can assess the efficiency of government operations as well, by benchmarking activities. We're actually missing a wonderful opportunity to cross benchmark administrative services which are comparable across different government services, and looking for good practices.

But what I have described thus far is a quite traditional internal audit, in both public and private sectors. While these assessments bring true added value, they are but the top of the iceberg when considering what internal audit can bring to the table. Which is why it is quite surprising that some of the assessments described above are not executed by internal auditors, but by external consultants, whose added value in process improvement if not adequately immersed in the organization's culture is limited at best.

Internal audit's tactical added value

Internal audit has a role to play in risk management. Attempts have been made to implement the concepts of risk management in many organisations, among which some of the federal public sector organisations. I co-authored one of the methodologies which was en is still used in several public sector entities. The problem is that risk management has not reached the level of maturity which sees it taking its place among other management tools, such as balanced scorecards and key performance indicators. There is a lot of talk about risk management, but only limited action.

Internal audit, however, has traditionally used risk analyses to plan its short, medium and long term audit activities. Risk analyses scan for risks within and around the organisation by using a combination of questionnaires, self assessments, historical data and, most important of all, common sense.

Risk management assumes an organisation is a car, not a train. It needs frequent tugs at the steering wheel, and if a corner presents itself in the road to the objectives, action needs to be taken.

Internal audit is allowed to take on certain roles in assisting the organisation in implementing risk management as a true management tool. It'll no longer be internal audit in the crow's nest, without binoculars, screaming 'iceberg' just a minute too late ... rather, the entire organisation will be aware of the fact that no matter how well designed your internal controls, there are problems out there that may not be resolved by putting in yet another internal control.

Internal audit's future: a strategic added value

But creating awareness and teaching people to look around before engaging as an organisation is not where internal audit's responsibility should end. After all, knowing something big and bad is heading our way is not enough to avoid it. I believe internal audit has a responsibility to assess the adequacy of an organisation's governance structures to evaluate it's respons readiness to the evolving situation on the road to achieving its objectives.

For a long time, we believed that governance, the foundation of the organisation, should be cast in stone. But recent experience has shown that the only certainty is uncertainty. No one structure is capable of dealing with all eventualities.

Internal audit, with its deep knowledge of the organisation has a responsibility to provide its stakeholders with insight in the adequacy of the current structures in responding to risks as well as providing recommendations on how these governance structures would best be adapted to most adequately respond to these risks.

By providing these insights to stakeholders and management team alike, internal audit will really live to the fullest its strategic role.

It also shows why internal audit should never be too far removed from the organisation it's auditing. The auditors are (currently still) there. Why are we not using them?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

My bad time travel habits

Two books I've read in recent months made me acutely aware of my bad time travel habits. I know, it may come as a shock I can travel through time. It most certainly surprised me. You may believe it's a gift, but it is really more of a curse.

Now, before we go any further, I carry some bad news I really need to share with you: you are likely cursed with the same affliction. I'm quite sure you travel through time as well, and not in a good way. I understand that in order to proof that, I first need to show you that we can travel through time and actually do pretty much all of the time. Let's go.

Frequent time travel can and will hurt you

But perhaps not in the way you think it may. This time travelling business is not about travelling back in time and accidentally killing your dad resulting in you never being born in the first place. That would be a paradox. Paradoxes are not real. They exist only in your mind. keep that thought on mind and paradoxes for a minute while I explain something else first.

When are you?

Now, I would like to invite you, right now, to think about when you are. Not where you are, but when. Sounds confusing? Let me give you some examples:

I often find myself 5 minutes, a couple of hours or even a couple of days in the future, thinking about what I will be saying to someone, or how I will be dealing with a difficult situation or a reluctant audit client. Rehearsing how I will act in a meeting, and what I will say.

While I may not physically be there, or rather then, for all intents and purposes my mind is. Let's compare it to a feeling most of us are familiar with. You can drive your car and go through the motions of driving without really being present. Your life is on automatic pilot, while your mind dwells somewhere else. Be honest, how often have you caught yourself doing just that?

Sometimes I find myself back in the past. I am be thinking about what happened in a meeting, or during a discussion, or during the execution of a specific audit activity. And if it was a particularly difficult meeting, I will go through it again and again, considering the reactions of the people present, trying to understand what they meant, chewing over what I said and what I should have, could have said ... over and over.

That again illustrates a pretty typical situation in which I am not now but rather back then with most of my mind. What is now is just my body and some of the basic functions that keep me alive. My internal collision avoidance system, so to speak.

Being somewhen else makes sense some of the time

Let me be very clear: none of these actions are bad for me if they occur at the proper place and time. For example, thinking about a presentation and rehearsing it can be a part of preparation. Thinking about what I still need to do for a specific audit may be part of planning. Reflecting on what happened in a meeting yesterday may be done in the context of dealing with my notes and next actions, while I'm working through my backlog. That's often called processing. In those instances it makes sense to not be now, but somewhen else. But those blocks should be limited. And to most people, they are not.

The transparant sauce pan lid of the mind

The problem is we often fail to give these thoughts and ideas the appropriate time and place to begin with. And of course that does not make them go away. Rather, they tend to bubble up through our minds. Mind is not necessarily the wonderful instrument that most would want you to believe, right?

Our minds are like a transparant lid on a sauce pan in which a sauce is merrily bubbling away. When the sauce is starting to get warm, you can barely make out the surface through the mists of condensation. And then it gets hotter, and hotter, and hotter. You cannot avoid the bubbling of your unconscious, but if you don't turn down that heat by using a couple of specific techniques, the bubbling will eventually lead to sauce spattered all over the glass lid of your conscious mind. Your mind will react and try to wipe the stains away. It will consider each of the stains. It drifts off to somewhen else. And if the heat is particularly high, there's going to be a lot of spatter. Lots and lots of reasons to be somewhen else.

Being in the zone

It is not all negative. You, like me, have periods when you are now. Those are the periods of deep, concentrated production. The moments you are "in the zone".

For me, for example, I get in the zone when I am writing, like I am now. I have my notes, I have what is in my head, and I write. I also am now when I teach. I've taught classes when I didn't even notice how time progressed.

These are the moments you are deeply focused and actively present. You are fully aware and in tune with what you are doing. That can be your text, or your class. There is no sensed passage of time, there is just now. There is no consideration of things outside of my awareness. There is just what I feel, which can be a group of people or a concept I am trying to catch into a set of words. It may even be something entirely different.

We're learning to ride horses. It's a fun family activity. While initially there was a certain apprehension - horses are very big up close - I've been relaxing into it, becoming somewhat aware of the fact that there was a silent participant in all of this, the horse. By the way, it's a she, and she's called Fox. Last weekend, I fell off. I did. Actually, entirely through my own stupidity, I was more or less catapulted off when learning to properly gallop. Now, I had been very focused on things going on around me, especially behind me, where my wife and kids were riding and where there were discussions going on (my kids are rather vocal) ... and then suddenly I was now, in the dirt, after having flown a couple of feet. I got back up on the horse ... and became very aware of how she had become scared by what had just happened. I could feel, really feel her insecurity. What then happened was the best gallop in my very short career gallopping. Because I was fully and totally there, entirely committed.

Now is the only moment

Now is not a moment. Now is the only moment. All the rest is what we believe was or will be, and it is tainted by mind projecting through very strong filters. Now is when it happens. Only now. All time spent anywhen else but now outside of specifically assigned spaces for such reflection is wasted time.

Techniques to manage the heat

I'm coming back to my sauce pan. We need to control the heat. There are a couple of techniques that assist you in doing that which are relevant here:

One of them is David Allen's weekly review, to which I've added David Sparks' daily review. These well known GTD practices help you to both look forward and look backwards in time, serving as a very good basis for planning.

About the second technique: I'm always surprised on how much of the sauce splatters I consider during the review actually get discarted. They were noise in my system, things I believe I needed to react to, but really did not have anything to act on or to work with. Still, it would not pay to simply discard these feelings, ideas, frustrations and whatever. That's why I like journaling so much as a technique. My weapon of choice here is Day One, an excellent Mac and iOS app, but you can use any tool you want. Writing in my journal allows me to consider what happened in the past day, and how I see that figuring in the broader scope of my life.

Constructs of an over active mind

Now, remember those paradoxes that only exist in the mind? The past and the future are constructs of your over active mind as well. Best to dwell on them within the correct context, but not to give them free reign, because they will distract you from the now. When you are in the now, you are no longer aware of time. Ask any athlete that is operating at peak performance ... but also look at yourself when you are at your best.

And now is the only moment you have to do something, to produce something, to do the work. Spend as much as you can in the now. So get to it. Now.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Are you a contract killer or a primary care physician?

The contract killer

I've known quite a few internal auditors who took pride in the number of people they managed to take out as a consequence of their audit reports. The arguments? Most often they argued the people had failed to do what they were told to do by the procedures. Or they considered the people to be incompetent or bent in many ways. Whatever reason they felt justified them in approaching their job as they did, to me, it is still fundamentally the wrong way to look at our profession. Because we are not contract killers. Rather, I believe we are the primary care physicians of businesses. Let me explain.

A small town doctor

I would like you to think about a typical small town primary care physician. Yes, this is an older gentleman or lady, wizened with the years. This is someone who knows you and your family intimately. Perhaps they even assisted delivering you to this world. That's the type of physician I'm talking about. Well, a good internal auditor should be like that.

Closeness breeds understanding

A good primary care physician knows you and has known you for a long time. A good internal auditor knows the environment he or she is working in. They know it intimately. They live in it, they work in it, they breathe in it. They are not entirely part of it, there is a significant and necessary amount of independence there, but they are very, very close to the organization.

By being so close to his or her patients, the good primary care physician cares deeply about them. Likewise, by being so close to the organization, the internal auditor cares deeply about it. We care so deeply about it, that we can be very harsh if we see significant failings that may threaten or significantly harm the organization. While a doctor may care about seeing one of the young ones of the family take up smoking, we may care deeply about a repeating pattern of procedural neglect in a certain area. Being harsh in our reporting is often a way to deliver a clear and concise wake-up call to the organization that has lost its way.

Forgiveness encourages evolution

A primary care physician is also forgiving. When he sees marked improvement, because someone is consistent in taking their medicin and doing their exercises, they will consider that as a positive element come the follow-up exam. The internal auditor, even seeing that everything is not A+ yet, will be considerate for the department that really made the effort to implement certain recommendations, even if they are not yet fully implemented yet.

Deep understanding creates perspective

A good primary care physician is close to the family, and knows the family stories and the family crosses. Some things need to be known, but only on a need to know basis. An internal auditor, confronted with some issues from the past that were correctly resolved, bears no grudge. It is not about what happened in the past, but what will happen in the future, taking in account everything that has happened in that past. This requires a deep understanding that many a hired gun - a contracted internal external auditor - does not have because he will never have access to that information. A good internal auditor engenders trust and earns it.

Awareness leads to relevant action

A good primary care physician also knows when to call the ambulance and transfer the emergency care to a specialist. An internal auditor, when confronted with a significant problem, will likewise immediately alert the correct people at the board level or even beyond. Some problems cannot be solved by internal controls, good risk management or governance improvements. However, that does not mean the good internal auditor hands over and lets go. Rather, he remains close and makes sure that the organization is comforted and supported during a difficult period.

Communication shines a light on issues

A good primary care physician communicates well, because he or she understands that communication is one of the most important keys to identifying whether something is wrong. A good internal auditor understands the value of excellent communication as well. The best among the internal auditors know that something is wrong in the organization because they feel the change in the air before someone has even communicated something to them. That's experience.

A quick illustration

One of the key reasons for auditor independence is auditor objectivity. Think about that primary care physician now. He is close enough to the organization to objectively and with some measure of emotion assess that something is wrong. He is not taken by emotion in a way that it prevents him from functioning. Rather, he is the one that calls the ambulance when everyone else around is crying and wandering around aimlessly.

Much in the same way, the great internal auditor knows something is wrong but remains able to act and to assist the organization in getting all of its proverbial ducks in a row. He does not drown in the organizational emotional fear, but remains detached in such a way that he can advise on the most appropriate actions.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Death of The Manager

Examining my dictionary

What is a manager? My dictionary states that a manager is:

"a person responsible for controlling or administering an organization or group of staff"

But there is an implicit assumption here, which is the following: that an organization or a group of staff need managing. And that's what it used to be.

The traditional paradigm valued its human resources at replacement cost

Our traditional production paradigms dictated a structure of managers to keep the resources well organized. The resources, those were the inputs, the machinery and ultimately the ones using the machinery to produce something, anything. Which were the workers.

Sadly, in that scheme, the workers were easiest to replace. Machines cost money. Firing employees, especially blue collar employees, not so much. Resources cost money. If those resources are reasonably rare raw material, their price fluctuates with any market that cares to provide them. But you can always find more people.

Education was and still remains a trap

Education became a trap for many people. In my opinion, and I'm very opinionated about education, it still is to an extent. People were being trained to be good little production units, standardized, easily replaceable, easy to manage. What was seen as a way out of the poverty trap many blue collar workers had been caught in, turned out to be a lifelong commitment to the McJob. It paid good money, but it remained a trap nevertheless.

Becoming one of them

The ultimate promotion that could be had, was to become one of them. One of the ruling class. One of the managers. You needed higher education for that. And higher. And higher ... master upon master upon master, with requirements skyrocketing. All these qualifications apparently required to rise to a level where you could manage the McEmployees in their McJobs. Each single unit of work had the potential for a number of productive years but was easily replaceable if needed. And that replacement was performed every time the employees became too costly. Or too unruly. Unions were formed, but turned out to become companies on their own, with their own employees who held on to their jobs. And even the managers turned out to be McManagers, reporting to another McManager higher up in the hierarchy, each of them as easily replaceable as the next McManager. Tower of Babel, anyone? Because at the end of the day, each McManager is a McEmployee as well, and holds on to his McJob for dear life.

Where is the added value of the manager?

There is a problem with all of this: the hierarchical chain responsible for controlling or administering that organization does not deliver a significant added value on its own, but they do cost a lot just to control or administer. They used to coordinate workers in order to deliver products and results. That system, when pushed to its logical extreme, led to Just In Time resource delivery to Just In Time production lines which fed large shopping malls which wanted to hold as little inventory as possible and used Just In Time delivery to the store. To a large extent, the world, which is a consumption oriented world, still functions like this. But we are realizing more and more there is little to no added value of the manager other than coordination.

The decreasing need and relevance for coordination

And that coordination is becoming less and less relevant today. Higher and higher baseline education levels mean that many more people understand what they are doing, even if they work on a conveyor belt slapping small thingies to other slightly larger thingies. And they are not the only ones.

The first real enterpreneurial generation

The really creative work is no longer being done in large businesses, but by knowledge workers who are by nature more self managing than most professions we ever had, during the entire human history, other than true enterpreneurs. They constitute, perhaps, the real first enterpreneurial generation. These knowledge workers use a true multitude of online tools to find each other, addressing needs they have not by finding the closest available person that can do the job, but the best available person anywhere in the world.

More leadership, less management

The role of the person responsible for controlling or administering an organization or group of staff, the manager, is becoming redundant. We no longer need any managers. We need visionaries that will provide direction for the engaged, independent knowledge workers, who will create ideas, solutions, products that self-governing teams of skilled workers will build, not because they have to, but because they are interested in it. The key motivational components so eloquently described in Dan Pink's excellent book Drive will not just power the educated knowledge worker, but the traditional blue collar worker as well.

Death of a salesman

But it will mean the death of the manager. I imagine that death a bit as a scene from Arthur Miller's Death of a Salesman. No longer relevant, the manager will try to hold on to unrealistic dreams and expectations, and may even try to influence just one more generation. I believe we need to start providing for these people, and ensure they have a good home for their retirement, because we owe them that much. What we do want to avoid is that they crash their cars, like Miller's main character does, killing himself with all good intentions.

And our organizations will need to start to adapt to that inevitable change.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Context reporting

Another link to an absolutely worthwhile article.

Michael Lopp offers an excellent suggestion in the following article on context reporting. He suggests:

"A context report documents the reason why (and to a lesser extent how) you’re completing these actions and I suspect this information is far more useful to everyone involved."

I invite you to go through the - extreme - examples he suggests. I for one can see some significant added value coming out of this approach, and I'll seriously consider using this as a value added recommendation whenever I come upon communication efficiency issues in an audit.

Which, as seasoned auditors know, is pretty much every audit.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Questions to consider when choosing projects to support and fund

I'm very deep into some work and have limited time to blog, but that's an excellent opportunity to refer to work done by some great writers and thinkers, in my specific subject area.

Here is an excellent article by Simon Perks, a former colleague of mine, who is now working out of his own organization (respect, Simon!) on elements to consider when making choices about projects.

What he writes rings very true. Considering feasibility, I often feel people want projects to achieve desired outcomes, and that want replaces a calm, careful and concise assessment. Well, it should not. We need to remain aware of significant biases in decisions and not let too much emotion creep into the decision.

By the way, do visit Simon's excellent blog at his site, here. He has more excellence where that came from.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Some thoughts on note taking for internal auditors

There is a lot of information available on academic note taking

Good note taking is a craft all by itself. Look at any website of any itself respecting college or university and you will find at least one class on advanced note taking skills. Do a search on the web and you will find many a pdf and even youtube videos demonstrating the essentials and even the more advanced aspects of note taking in an academic context. Clearly, note taking is important.

Most of these courses focus on capturing information gleaned from monologues for the purpose of understanding and learning. And that is logical, because undergraduate and graduate students alike need to attend lectures, most often delivered by a person in front of a class room.

But there is little information on note taking for internal auditors out there

But would it surprise you that there are few, very few results for a search as simple as "note taking for internal auditors"? There is this exchange on LinkedIn by the ever excellent Robert Berry, with both the article and the comments providing insight in techniques. Still, that is pretty much what is out there. And that's a shame, because I believe note taking for internal auditors is a lot more complex than traditional note taking. Let's explore why for a minute:

Notes need to reflect what was said

Internal audit note taking needs to provide an accurate reflection of what the auditee said, not of what the auditor thought he or she understood. This is important because interviews are part of internal audit evidence (albeit it a weaker part) and we want to make sure that even preliminary, further to be audited findings are based on what was said, not on our interpretation.

Notes need to lead to a better understanding in real time

However, at the same time, your notes need to lead you to a better understanding of the subject matter you are interviewing about. Because if you are just verbatim copying what is said, without any understanding happening along the way, you will need to do your understanding later, and the clarification will then burden your interviewee long after he or she has walked away from the interview.

Notes need to allow you to put markers where you need clarification

In addition, notes need to allow the note taker, the auditor, to identify areas for further clarification during the interview. Whereas understanding deals with the width of the understanding of a process under review, we need to get the necessary depth as well. Often, you will not be able to immediately interrupt your interviewee to ask for clarification, so your note taking system needs to allow you to put markers in places you want to come back to later, but still during the interview.

Juggling plates

Adding to this complexity is that audit interview notes are being taken during not a monologue, but a conversation. You cannot, as an auditor, enter into a trance and come out 90 minutes later with the goods, without any interaction with the auditee. On the contrary, you will need to engage in very active listening, identifying those points where the conversation blocks, halts or provides any indications of issues, coaxing your auditee to touch all aspects of the matter under review, but while still maintaining an as accurate record.

Yes, good internal audit interviewing does start to feel like juggling a mighty number of plates at the same time.

Reconverting the Cornell Note Taking Technique

The question then becomes, how can you make this work in a very practical way? Well, we can actually reconvert an old, but trusted college note taking technique, the Cornell Note Taking Technique for our purposes.

I like the Cornell Note Taking Technique because it is a very simple technique that allows you to take high quality notes with only limited logistical preparation. It does not require special software, it does not require high tech tools such as audio recorders, it just requires a pen, an adequate supply of paper, and the clarity of your mind.

Note taking phases

I want to take you through a number of phases which I follow when taking notes:

Preparation

To use the Cornell Note Taking Technique, you need to do a little bit of preparatory work. It takes all of five seconds, if you are used to it, on a white piece of letter or A4 paper.

We want to divide our page into three blocks: two columns and one block at the bottom. Let's do the block at the bottom first. You need to reserve about 2 inches or 5 cm of space at the bottom, which will become your summary block for that page. Then you need to draw a line about 7 cm or 2 1/2 inches from the left side of the page. The left column will become your cue column and the right column, which is about 6 inches or 15 cm wide, will become your note taking column. And that is the logistical part of the exercise.

There is another dimension to the preparation, which is content preparation. I like to list an initial structure of the interview on the very first page of my notes. This structure covers the key topics I want to cover during the interview. If the interviewee would go off track, I have a reference structure I can fall back on. For some interviewees whom I know to tend to go wide, I will even put that structure on a flipchart, which they can refer to.

During the interview

During the interview I use the large note taking column to write down my notes. It's impossible to write down the transcript of the meeting verbatim and I don't want to use a voice recorder because using it will create a significant initial barrier between me and the interviewee. It's just not accepted practice. What I do is to make notes of the key points of what has been said by using active listening skills, including confirmation of understanding.

I also write down the literal question I ask to trigger a response from an interviewee. To me, this is essential because the way you ask the question will influence the response you will get. A response without the initial question becomes a lot harder to interpret later.

Now, whenever I have questions, attention points or needs for further clarification, I will avoid interrupting the interviewee. I will rather note down a short code or indicator in the cue column which I can refer back to once the interviewee has stopped speaking.

The reason for this is simple: it may well be that the interviewee will answer the question I currently have in a couple of phrases, without me needing to explicitly ask the question. It would be a waste of time and effort to interrupt the train of thought of my interviewee for some information he or she was about to provide me with.

Let's look at the codes I most often use in the cue column:

  • Q indicates a question I need to ask
  • ? indicates that I need some clarification on a point raised
  • ! indicates an important point that I need to consider as part of my summary
  • TD indicates a to do for myself, which I need to enter in my task list
  • TD (NAME) indicates a to do for someone else which I need to email them of transfer them in some other way

So, during my note taking I also use these codes in the cue column. Whenever the interviewee has finished explaining an aspect of the area under review or has just answered a question, I move up along to cue column and find the first short code that has not been crossed out yet. I then ask the questions (Q), the clarifications (?) or I confirm my understanding of the important points (!) which I wrote down. Whenever a point is cleared, I cross it out and move down in the cue column, to the next short code. In this way, I cover all the open points up to the final one.

End of the meeting

I usually try to digest my notes as soon as possible after a meeting. This goes in two passes through the material. First, I go through the notes integrally. I note important points, already often indicated by the exclamation mark (!) and I write them in the cue column.

After that first pass, I revisit the cue column and make a summary of the key points in the summary space at the bottom of the page. I usually try to make these whole sentences, because that's how I internalize best. I also deal with the specific action items I left a short code for. These are my to do's or to do's I need to assign to someone else.

The summary notes are then transcribed in a meeting summary, which may, depending on the circumstances, be sent to the interviewee for validation. Usually, these summary notes are just the sentences which I already wrote down in the summary space strung together into a coherent text. To me, it makes little sense to transcribe all my notes, but I want the summary in a standard txt file and in our Basecamp workspace. The notes are scanned and the PDF scan is attached to the summary note in Basecamp.

A final point of attention

When you are processing your notes in the summary space, you need to make sure that you have clarity on all points covered during your interview. If you fail to clarify all the elements, you run the risk of misinterpretation, which will influence further testing and lead you astray, costing you time and resources.

A conclusion

While this method of note taking may seem extensive, it allows me to ensure both a proper understanding of the content and the intent of the interviewee as well as appropriating the material gathered. This enables me to ask the difficult questions later.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Short practical guide to audit documentation in Basecamp

I've been surprised by the level of interest about my recent post on using Basecamp as the base application for internal audit working papers. While by no means a representative sample, I feel the interest indicates that current working paper solutions fail to address a number of concerns or needs which the simplicity and flexibility of Basecamp does answer. Therefore I've decided to write this "practical guide" to using Basecamp as the "basecamp" for internal audit documentation. It is a way, not necessarily The Way. But, if you keep waiting for The Way to appear, it's likely you'll never get anything done.

What Basecamp does not allow you to do

Before we go into what you can do with Basecamp, let's first make clear what it does not allow you to do. Basecamp is not a standard working paper documentation solution for internal audit purposes. That means that it does not provide a number of functionalities these solutions provide out of the box.

For example, if you are looking for a solution with an integrated risk identification and mapping functionality, you will not find that with Basecamp. If you want your solution to highlight key control weaknesses as a standard report, Basecamp will not provide this for you. If you are looking for any kind of automatically generated report, you should turn away, because you will not find it.

Traditional packages cramped our style

We worked with such software for a while - actually less than a year - and we found that it did not fit well with our needs. None of these packages provided us with the flexibility we wanted. Rather, they assume that you buy in to their methodology, and use it to the exclusion of anything else. Sadly, the type of work we do as auditors in development aid does not allow us to buy into any one methodology. Rather, we need a lot of flexibility. Our working papers need to be exactly that: traditional structured repositories of information on work planned and work executed, leading to a set of findings and conclusions, where possible supported by relevant recommendations. The very simplicity and flexibility of Basecamp provided us with the means to structure just that.

One of the reasons I react so negatively to structured software is because it takes away the need to think and reflect. Often, audits are mere mechanical executions of tasks, without any real in-depth consideration of how and why the task needs to be executed. And these systems do not provide the necessary flexibility to allow for a non-standard project to be integrated in that approach. If you then take into account that in addition to our traditional assurance projects we also manage a number of advisory projects each year as well as documenting all integrity and corruption complaints in this system, you understand that a highly standardized approach was not an option for us.

Now, the very simplistic structure of Basecamp means that you will need to do some "configuration" and abide by some ground rules while using it. These rules need to be well understood and consistently applied by everyone using the system. There are not inherently present. That being said, any auditor that is not able to follow simple instructions as to documentation is not worth the title.

Auditor versus client

Basecamp provides you with the ability to define a participant in the project room as either a team member or a client. A client can be prevented from seeing certain documents, if the team member posting the information excludes the client from seeing it.

It's a very simple, but very powerful concept. We now invite our auditees into our working papers, where they can share their comments on the documents we open up to them. Usually, we open up questions and information requests, the so called Prepared By Auditee (PBA) documents. This allows them to answer questions and provide information directly in the working papers, which reduces our administration and allows us to work from so called raw documents, i.e. information received directly from and directly traceable to the auditee providing us with that information.

There are two ground rules here: first, you need to set up the system with the names and email addresses of your auditees, as well as informing them of the fact you will be using Basecamp as an information repository. The second ground rule is that you make sure you do not post anything to all users of the project room that is eyes only to the auditor. This is a risk, as the starting point is that information is shared with all users. Nevertheless, I find it focuses the auditors really well on the nature of the information they put in the system.

We also share preliminary findings and related recommendations with the auditees. This way, they really see the audit report developing almost before their eyes, and they have the possibility to provide comments or correct factual mistakes.

The central nature of the to do-list

Basecamp has a number of standard document types which can be either uploaded (such as files) or generated (such as to do lists, text notes or dates, which are calendar entries.) Now, our working papers are traditionally a reflection of the proper execution of a work program, which in turn is built based on initially gathered and analysed information.

Basecamp allows you to develop and structure this as you go along. Our analysis of initially gathered or researched information, based on standard audit initiation work program, leads to the development of a audit scope memorandum, which is the basis for the work program which will guide the execution of the audit. Basecamp's to do lists allow us to built that work program in phases.

The audit initiation work program is a standard work program. Like any other work program, it consists of audit activities focused on gathering information and performing preliminary analyses, including but not limited to interviews, which feed the development of an audit scope memorandum or ASM. This ASM describes what we will and will not be auditing. How we will be auditing it then becomes the subject of the work program for that audit. The work program is an evolving beast. It is a set of to do lists that together comprise all the work that needs to be executed for that audit. We recognize three types of work program activities which we capture in Basecamp's to do lists:

  • Information requests, sometimes also referred to as PBA's (documents Prepared By the Auditees) are requests for information or data sent out to the auditees. This can range from a simple organization chart to a full accounting data set, or any other type of information. Information requests are purely requests to the auditees to provide us with some information, without further requirements to provide some explanation about it. We do not want to be influenced by the opinion or the idea of an auditee on this data, we just want the data for analysis now or later in the audit.
  • Questions are exactly that. Based on our analysis, we have certain things we do not understand or need more information or clarification about. We will then ask questions of the auditees. They can answer directly in Basecamp, which saves us significant time in administration. Perhaps funny, but some of our auditees actually enjoy the possibility of answering questions in a more formal, written manner.
  • Audit activities are those tests, analyses and other activities to be executed by internal auditors to test the assertions made by the auditees. After all, we are not journalists and need to make sure that what we write has been tested. Audit activities may include reconciliations, specific data analyses, IDEA tests comparing two information sources for data completeness etc.

Each of the to do lists which together form part of the overall work program has at least one and in most cases all of these activities. Additionally, each activity in the work program needs to be identified as one of these activities.

As stated above, a work program usually consists of more than one to do list. We develop one to do list per subject area under audit. Subject areas are determined based on the ASM (remember, audit scope memorandum). This implies that each to do list comprises all audit related activities (information requests, questions and audit activities) that need to be executed to thoroughly audit a subject area under audit. For example, we currently have an audit ongoing on our budget processes. The structure of the to do lists is the following:

  1. Audit initiation work program: this is a standard work program that we apply to every audit;
  2. Audit activities related to the budget process at headquarters level
  3. Audit activities related to the budget process at local office level
  4. Audit activities related to the budget process in programs and projects
  5. Audit activities related to the internal organization of controlling in the context of the budget process
  6. Audit activities related to other departments' roles in the budget process

In addition, we have two other to do lists which we maintain:

  • Draft findings and related recommendations
  • Draft improvement ideas other than findings

Document creation in Basecamp

Given the central role of the to do-list in our use of Basecamp, there should be no other document that is created outside of the to do-lists. There are three exceptions to this:

  • Forwarded mails are mails that are directly mailed in to the system. These are usually forwards of essential mails received from an auditee where we want to maintain not only the information but also the mail itself. A forwarded mail needs to be URL-linked directly to a to do item via the comments.
  • Text documents are documents which we use in the context of findings and other improvement ideas, and are to be linked to the two separate to do lists mentioned above. The text document format in Basecamp allows for a more elaborate text development. We use it because it is easy to copy-paste into the final report. The documentation of findings follows a standard structure and each finding needs to be URL linked to both the supporting evidence and the finding in the to do list. Having that to do list makes it a lot easier to check for completeness of the final report.
  • Dates are used as a calendar for both auditors and auditees. They allow us to indicate, in broad terms, to the auditees where we will be and what we will be doing when.

The need for URL linking

As documented in an earlier post, it is essential that we take the time to properly link documents to each other in both directions: whenever we document a finding, we need to link to the supporting evidence, but the supporting evidence needs to link back up to the finding. The best way to do it is to embed internal links into the comment fields. As Basecamp is a web based solution, internal links are URL links and hence usable by anyone with access to the project space in which we are documenting.

In conclusion

While Basecamp may require a bit more care than other solutions, its flexibility more than makes up for the bit of extra investment in time. In case you have more questions on its use, don't hesitate to ask.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Make sure you know what you did

Looking for better methods

I was recently reading a paper by Kieran Healy of Duke University on workflow applications. I am always on the lookout for workflows that simplify or optimize our way of generating reports and this one came highly recommended by Dr. Drang, so I had to go and take a look. You can find this interesting and well written paper, titled "Choosing your workflow applications" on his blog, which is an excellent read as well.

Striking a chord

In his paper, Prof. Healy lists some basic principles to adhere to when researching and writing scolarly papers. One of these principles really struck a chord with the auditor in me:

"(...) Perhaps the most important thing is to do your work in a way that leaves a coherent record of your actions. (...)"

This piece of advice is essential for any internal auditor. In whatever we do, in any type of audit activity we perform, we need to explain what we did and how we performed the work. Sadly, that is often not the case.

A disconnect between workprogram and working papers

I conducted my first peer review in 2003, and I've done quite a number of them since. One of the most frequent findings is a disconnect between the workprogram on the one hand and the audit documentation, the so called working papers on the other hand. For clarity, the workprogram dictates what the auditor should do, while the working papers should bear witness to what the auditor has done. Logically, a well executed audit would consist of workprogram steps that are linked to working paper documentation.

Now, I'm not implying that the audits I reviewed that showed this deficiency were bad audits. On the contrary, most of the deviations from the initial plan as documented in the workprogram made sense ... once the auditor in charge had reviewed the working papers, spent some time reflecting on what had happened and then explained to me why they had to deviate from the plan. Which begs the simple question: why not document it properly from the outset?

Audits are often intense events in which a lot of work needs to be performed in a limited amount of available time. Especially when you are working remote, you only have a limited time to perform the work. Working paper documentation is understood to be essential, but is sometimes neglected. The same with adaptations to workprograms. And while I understand that resource constraints impose a lot of pressure on audit teams to go ahead and start the new audit, documentation really needs to be done right. Here is why:

Three reasons to document appropriately and timely

There are three important reasons why both workprogram and working papers need to be correctly documented:

  1. If you are subjected to a formal peer review, one of the aspects the reviewer will focus on is the alignment between workprogram and working papers. They expect you to be able to show you have been complete in your work, and this is the only evidence that exists of that;
  2. If you document it now, you will spend less time than if you need to document it later. Going back after a couple of months, chances are you will barely remember why you made certain adaptations to the workprogram. Remember that recollection is fickle and very subjective. It is therefore likely your documentation will be less complete if you need to document retroactively;
  3. Not all of your audit findings will be appreciated or even accepted by the auditees. Hence, it is very important to appropriately document your work while you are doing it. It avoids you having to redo certain analyses or certain work in case the findings are contested.

Accurate and complete working papers, including properly signed off workprograms that accurately reflect the work done are essential to the fiability of your work and the trust the auditees and the board can put in your work. Now that's a good reason to properly and timely document what you do and how you do it, even if it takes a bit more time than you anticipated.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

A is for Anchoring - cognitive biases in internal audit

Introduction

I really enjoy reading an audit report or audit working papers because quite often we see the cognitive biases of the auditor at work. Let's be clear, I am as much a potential victim of cognitive biases as any other auditor. However, being aware of their existence will make you more attentive to them, and perhaps allow you to at least take them into account when doing your work.

I enjoy biases so much that I decided to do a little series, in some kind of alphabetical order. Let's see how far we can take this.

Anchoring

The first cognitive bias I want to review with you is one called "anchoring".

Anchoring is a cognitive bias which makes us attribute most importance to the first piece of information we come across and use it as the point of reference for further assessments or judgments. You anchor (yes, like a boat) your perception, and any change in your perception will be an incremental change from that initial starting point, or anchor.

It gets worse: you are more likely to reject out of hand or doubt information which you receive later which is opposed to that initial information. You are more likely to qualify such information as an exception or an outlier.

An anchoring example

Years ago, I was part of a team assessing the functioning of a production plant in the UK. We started by touring the facilities and talking to the blue collar workers on the floor. They provided us with a lot of information on the state of the machines and the maintenance performed on them.

Even before we started our audit, we had already been anchored by the information we had received on the workfloor. We were provided information on the state of maintenance of the machinery, which was contrary to the information we received on the workfloor. Nevertheless, we spent significant time investigating this (ultimately non-)issue further, time we would have otherwise more productively spent on other audit activities.

Research such as referred to in this Wikipedia article appears to indicate that anchoring is very difficult to avoid.

And again, it gets even worse: an intelligent auditee can anchor an auditor, if he wants to. I have a good story about that as well.

An intelligent auditee can anchor an auditor

In the beginning of my career, I worked as an external auditor. Most of those my age did. I had a client who stated the number of intentional errors he had introduced in the accounting. This client, the CFO of this organization, was a former auditor himself, and enjoyed challenging us. We worked very hard until we believed we had found all the exceptions. One year he actually overstated the number of exceptions present. We kept on looking for the exception until the final meeting, where he admitted he had anchored us.

Of course, that works once. But once is often enough to throw your audit in the entirely wrong direction.

Guarding against anchoring

Even though it appears difficult, there are ways to guard against anchoring. It comes down to making sure you anchor yourself prior to the first contact with the audit environment. So it all comes down to proper preparation.

A possible solution would be to baseline and hence anchor yourself as an auditor based on available best practices for the industry. Of course you are then entirely dependent on the quality of information available that define those baselines. In other words, if the entire industry is off, this will not assist you much.

The issue of past anchoring

There is another anchoring risk an auditor can be exposed to, and that's anchoring that occurred in prior period working papers. We usually review prior period working papers in order to get a feel for the situation we're going into. Any biases introduced in those working papers may establish an anchor for the current period auditor.

In conclusion

It appears hard to avoid anchoring. Nevertheless, be aware it can happen, and be aware it may skew or even completely direct your audit effort. Make sure you baseline your expectations on as neutral and objective a source you can have, and don't go into an audit unprepared.

This bias is one of the best examples why it pays to do the necessary preparatory work.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

What about a meeting-free day?

The designated meeting day

In order to improve the efficiency and the effectiveness of their teams working from multiple locations, organizations are proposing or even imposing that certain days are to be designated as "meeting days". On these days, remote workers are expected to be present at the office to participate in meetings. Now, while it makes sense to have these people present at the office in certain situations, I feel it puts the accent in exactly the wrong place.

The message such an organization sends to its collaborators is that having meetings is the most important thing they can do. After all, as an organization we are blocking a specific day in the week for just that purpose. And we explicitly communicate about it. So it must be important. Now, is that really the message we want to send?

This is why I would like to propose to complement such an initiative with another one, that puts the accent where it should be according to me: on creative production. I believe - I hope - my employer hired me not for my ability to conduct and participate in meetings, but rather for the contribution I can bring to the realization of the vision of the organization.

The meeting free day

So let's also impose a strictly meeting free day. During that day, our collaborators have the obligation to work instead of spending their times in meetings that may or may not yield any significant added value for the organization. Such a meeting free day should allow collaborators to get real work done. That work could be processing notes from the many meetings they had in previous days, over extracting the to do's from those notes, planning them and actually doing the work of those to do's. Because a to do strives to evolve to a done. And that's unlikely to happen in meetings. Ideally, such a day should be an email free day as well. No distractions, no excuses to not focus on what matters most: getting work done.

However, with meetings taking the place of actual work in many organizations, it appears they are evolving to structures where many speak and few act. We exchange a lot of opinions and a lot of ideas. We may even agree. But when there is work to be done, we don't have the time. After all, we're important. We have to attend another meeting.

And in those other meetings, everyone has an opinion about what others have done or failed to do, but little to no assessment of our own concrete contribution. Now, this means that our total cost per unit of work done increases: all other things remaining equal, the work will have to be done by fewer people, because more people are in meetings. That spells trouble, for such a situation is hardly sustainable.

So let's use that meeting free day figuring out how to do what needs to be done and then getting it done, rather than just talking about work.

Knowledge work environment or extractive industry?

Blocking longer periods for reflection and work, at whatever location collaborators see fit for their specific purposes, is the hallmark of a mature organization that considers its collaborators as mature knowledge workers. Other organizations appear more as an extractive industry, aiming to reap hours from collaborators but never considering that not every hour is created equal, and productive time is not necessarily and most often not the same as time spent in meetings.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

2014 Gates Annual Letter: Myths about Foreign Aid

Okay, you need to go and read this. It's quite long but it's very informative.

As an internal auditor, I especially liked the following part on a fraud discovered and reported on in the press:

"I appreciate the concern, and it’s a good thing when the press holds institutions accountable. But the press didn’t uncover this scheme. The Global Fund did, during an internal audit. In finding and fixing the problem, The Global Fund did exactly what it should be doing. It would be odd to demand that they root out corruption and then punish them for tracking down the small percentage that gets misused."

Whenever we are fighting against fraud and corruption, and make no mistake about it, we are vehemently doing that, we patch holes in processes. However, these holes exist in other processes outside of development aid, and there they are not considered to be as damaging as they are to our activities.

The battle against fraud and corruption is an evolution, rather than a revolution. But we get better each and every day.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

"Says who?" and "So what?"

Most audit reports are too long

Most of the internal audit reports I have read in my life have one thing in common. They are just too long. Sometimes I get the feeling that internal auditors need to motivate their existence by the sheer amount of paper we produce. Because I am guilty of this as well. I sometimes still slip up when it comes to writing concise audit reports.

Now, in our defense, we tend to get the executive summary right, but when it comes to the detailed report, we still over-motivate our work or provide too much context. And with board members having other things to do than just reading our audit reports, we need to be as concrete as possible but without oversimplifying.

A lesson from an old manager and mentor

Whenever I read one of our own draft reports that is just too long and I want to improve it, I use a technique I have been taught a long time ago by one of my former managers and mentors. It goes something like this:

Of every section, paragraph and even sentence in your report, you need to ask yourself the following two basic yet essential questions:

  • "Says who?"
  • "So what?"

Says who?

This may appear weird, but let's look at this in a bit more detail. When asking yourself that first question: "So what?" you are actually testing two of four traditional quality criteria on audit evidence underlying the position you are taking or the argument you are making in the audit report.

First, "Says who?" asks whether the evidence can be considered to be sufficient. Sawyer's Guide to Internal Auditing, 6the edition defines sufficient as "factual, adequate and convincing so that a prudent, informed person would reach the same conclusions as the auditor."

In addition, this apparently simple question also queries whether the evidence is reliable. The same source argues that in order to be reliable, the evidence needs to be the best attainable information through the use of appropriate engagement techniques.

So, by asking a very simple question, you do some quality testing on the information in your report. But what if the answers indicate that the evidence is not sufficient nor reliable? Well, then that position should not be in your audit report, because it is not adequately supported by the evidence. Ideally, you need to go back and get more sufficient, more reliable evidence. If that is not an option, the point needs to be removed from the audit report. Your working papers need to show why it has been removed.

So what?

When asking yourself that second question: "So what?" you are testing the other two of four evidence quality criteria.

First, by asking "So what?" you assess the relevance of your position and thus of the underlying audit evidence in the overall context of the report. Fundamentally, you want to know whether that point really matters. Is it material, will it contribute to the overall quality of the report, its findings and its recommendations or is it just page filler that may well be removed without impacting the cohesion of the report? Sawyer defines relevant evidence as evidence that supports the engagement objectives and recommendations and is consistent with the audit's objectives.

Additionally, "so what?" also questions the usefulness of the statements and the related audit evidence in the report. Does the finding, the position, the recommendation contribute, as Sawyer states, to the goal of the organization? Will working on this make a difference?

Tthe moment there is any doubt about the answer to these questions, the evidence is not relevant or not useful. That means we need to either revisit the audit subject matter or we need to abandon the point.

In conclusion

Asking these two simple but powerful questions of the content of our audit reports will have two effects: first, they are likely to get significantly shorter, because information in audit reports can sometimes be pure inference by the auditor or based on evidence that is just not adequate. And even if it is, using a lot of words does not mean you have something to say. They should also turn out to be a bit more relevant.

And which director or board member can say no to shorter, more relevant reports?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Clarifying questions

Steps to understanding a process

Gaining a clear understanding of the functioning of a process or how it aligns with tactical or strategic objectives of an organization is not necessarily the easiest challenge for an auditor. Often, the counterparts interviewed are not fully aware of either why they do what they do (lack of tactical or strategic insight) or how certain functions are performed in reality (lack of operational insight.)

Effective information gathering

But how do you go about gathering as much relevant information as possible in the most effective manner? How do you ensure that you have thoroughly exhausted all relevant lines of questioning before you disengage and move to the next step in the audit process?

Depending on the direction of questioning, you can ask clarifying questions to further enhance your understanding of the process or the context in which the process occurs.

How?

Imagine you are interviewing a blue collar worker on how a certain process occurs in reality, rather than as described on paper. You are performing an interview on the workfloor or in the field. The first thing you want to understand is the functioning of the process itself. In order to do this, you can ask "How?" questions. For example:

Auditor: Can you explain how you label the product?
Blue collar worker: Certainly. First, I print a ticket.
Auditor: And how do you print a ticket?
Blue collar worker: Well, I put a black ticket in the printer.
Auditor: And how ...

As you can imagine, "how?" takes you deeper and deeper into the operational activity itself, to a more granular level of the activity.

Of course, at a certain point you reach an adequately granular level for the purposes of your audit. That is usually the point where you need to bridge to the next step in the process. A bridging question can be, for example:

Auditor: Okay, I understand that. So then you do ...?

That question will take you to the next "activity" which you then can examine to the required depth by asking new "how?" questions.

In too deep

But what if the answer provided is at too high a level of detail for the purposes of your audit? We've just discussed how to perform a deep dive into the procedural, operational aspects of an activity. If that detail is too much, you need a question to go back up a level.

The question which clarifies tactics or even strategy is the "why?" question. For example:

Auditor: So why do you put that paper in the printer?
Blue collar worker: Because I am required to print a ticket.
Auditor: Okay, and why do you print that ticket?
Blue collar worker: Because I need to label the product.
Auditor: Interesting. And why do you need to label the product?
Blue collar worker: Because my boss tells me to do that.

That or a similar answer is eventually what you will reach when going up. It's essentially the "I have no clue" answer, provided by people who have no answers to the questions you ask.

Interesting questions, interesting answers

As an auditor charged with auditing a process, you then will move up the hierarchical structure and conduct interviews with the hierarchical superiors. Eventually, ideally, the "why?" question should take you all the way up to the strategic intent of the board. Again, this is in most cases a theoretical situation, because I am not very sure that most organizations would pass such a test with flying colors.

Quite interesting is also the comparison in answers provided by the different hierarchical levels. If they match, you can surmise that there is at least a modicum of operational, tactical and strategic alignment. If not, you can be certain that at least the communication on purpose and objectives of the process and potentially even the organization is hampered.

Building a cathedral?

All in all, it reminds me a bit of the story of the medieval scribe that toured works and met a man. When he asked the man what he did, the man replied he stacked bricks. The scribe walked a bit further along and met another man who was engaged in the same activity. He enquired as to what he was doing, to which the man replied he was building a wall. A bit later, the scribe met another man, who appeared to be doing the same thing the other men had been doing. When asked what he was doing, the man looked up with pride and said: "Sir, I, I am building a cathedral."

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Leap of faith - trusting your GTD system

The short of it

At a certain point, you need to make a lead of faith and start trusting your GTD system. If you do not do that, you will not be able to test its real relevance to you.

The Last Crusade

There is this great Indiana Jones movie. It is not Raiders of the lost Ark, which is a wonderful movie although it never quite delivers on its promise of suspense of the first 10 minutes. It is not the Temple of doom, which we won't mention ever again. It's not Kingdom of the Crystal skull either, which honestly feels like a lame attempt to breathe new life into an older franchise. No, my favorite Indy movie by far is the Last Crusade.

I love it so much because it builds the suspense from the get-go, combining action on the one hand and mysterious discovery on the other, culminating in that intellectually challenging passage, which almost feels like a rite of passage, to the protector of the holy Grail.

Where logic ends

And then it comes. The most electrifying moment in all of Indy lore. There appears to be no logical solution to the riddle in front of him. There is just a chasm, and no apparent way to cross it. Is this where it ends? Of course not, but logic appears to end here. All Indiana Jones can do is abandon his fears and make a leap of faith.

When GTD escapes us

I have these periods where I struggle with my faith in GTD. It is an insidious struggle, in that it creeps up on me. If I fail to maintain a proper attitude, a good habit of system maintenance, it escapes me. If I'm not as complete as possible in capture, if I fail to assign tasks to the relevant contexts and projects, if I abandon my weekly reviews ... I get lost.

I emotionally start feeling that I am no longer control of my days. It grates. Not in a cheese grater kind of way, more in a soft sandpaper-ish kind of way. It slips between my fingers. I am no longer in control, but rather circumstances start controlling me. And this is not a good feeling.

I am wondering whether you know that feeling? You know, I think you do.

Reconnecting through good meta practice

I firmly believe that the struggle will be eternal, or at least as long as we live. That is not a bad thing, but it's an important point of attention. Knowing that a situation where we are no longer happening to things, but things are happening to us (Leonardo Da Vinci), is present just around the corner should help us in performing our required routines. We may not necessarily enjoy them, but they are necessary. Just like flossing, they are an essential sanitary habit.

In the end, at a certain point you just let go

But even if we properly perform all the meta-tasks GTD requires us, daring to let go, daring to let things slip out of our consciousness still requires a leap of faith from ourselves. We need to trust the system enough to let go. There is no real logic behind it.

Now, the funny thing is that the only way to gain even a little bit of certainty about the trustworthiness of our system is to engage fully in the daily and weekly practice. In other words, our meta-tasks and their quality provide us with insights into the quality of our life management system.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Presence versus contribution

Why you should not be responsible of answering every email immediately

Imagine a situation where you are putting a small stool next to your post box. Rather than doing anything useful, you just sit there, trying to get things done while stopping every five minutes to open the post box, just to make sure nothing has been dropped into it. That would surely be the action of a mad man.

Or imagine your fixed phone line. Imagine you are sitting in your office chair, not willing to go away because someone might be trying to reach you. You try to get things done, but every five minutes you glance up to see whether the bright LCD display does not show a number of missed calls. That would be quite unhealthy situation, right?

Or imagine your email and your phone would all of a sudden become portable. Oh, but they already are, aren't they? Now, as anything else changed?

Satisfaction is a formula

Fundamentally, nothing has changed, other than the expectations of those around you. Which is where my good old formula comes into play again.

There are productivity consultants out there that will tell you you are not responsible for other people's expectations. This may be true, but their satisfaction will have a significant impact on you and your life. Especially if they pay you. That is why it is extremely important that you are able to manage their expectations.

Our old friend, the formula

Sisdovere.png

Which is where my formula comes in, again. If S is the satisfaction of the people around you, you will find it is determined by both your delivery, or B and their expectations, or E. In other words, the better your delivery holds up against their expectations, the higher their satisfaction will be. Now, knowing this does not make it easier. Understanding and playing with the available time difference will.

The time difference

What you need to understand is that barring extreme cases, expectations always come first. People engage with you because they believe you can bring something that has a certain value to them. They, in other words, expect something from you. Now, prior to delivery, you are in the engagement process and you have a responsibility to manage those expectations. We know that few people do this correctly. They feel so happy that someone, anyone will engage with them, that they fail to clarify and subsequantly manage the expectations. And that is a problem.

Overpromising

Another problem occurs if the person managing the initial engagement is not responsible for the delivery. If he or she will not be held accountable for delivery and is not intent on building a longer-term relationship with this client, they tend to overpromise. Even if you would manage to deliver to the anticipated specifications, which will be quite a challenge, your client will just feel you met his expectations.

Okay Ben, quite interesting, but what does that have to do with email?

The people you work for are your clients

Imagine the people you work with and for are your clients. Because, let's be clear, they pretty much are. They pay you for the performance of services. Prior to starting your engagement with them, you need to take the time to understand their expectations and manage them.

Availability is not a deliverable

You need to make them understand that "availability" and "reachability" are not a deliverable and will not contribute value in the longer term. You need to make them understand that by not being available all the time, you are actually protecting their valuable resource - you - from abuse and loss of focus, allowing yourself to do better work and enhancing the actual deliverable.

Presence versus contribution

If you manage to disconnect availability from the expectations that govern your relationship, I believe you will have gained an important victory that will directly enhance your productivity and your personal quality of life. In a world where being available appears to have taken precedence over being accountable for high quality delivery, you will have carved out a foothold that, in term, can lead to a solid basis for delivering value for money.

Because your work - and your life - will no longer be measured in presence but in contribution.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Regular expressions for internal auditors

Back to the past

I still remember the time when we had to audit large data sets by hand. You may think that is a long time ago, but I'm talking about the mid to late 1990s. That was in my youth as an auditor. I remember spending hours waiting next to a large printer that was crunching out reams of paper which I knew I had to tabulate and check the totals for. We did that by adding those columns by hand, using calculators with really large buttons. Those buttons were there because it was so easy to miss-type. And if that happened, you could start all over again.

How representative were our tests? I wouldn't feel too comfortable about them now. But that was all we had at that time. Large reams of paper, a calculator and time.

And on to the future

Data and data sets have significantly evolved over the past 15 to 20 years. Enterprise resource planning systems or highly complex accounting systems are commonplace. And it's not only financial information, but also operational information that is getting captured more and more in extensive data sets.

Internal auditors have evolved with the system's evolutions. There is a complete field in auditing which does nothing but auditing IT systems. Of course, as a knowledge manager, director, or chief audit executive, it becomes difficult to graps the issues underlying problems identified by these experts. Which is why I believe that as an internal auditor we need to be ready to dive into this ocean of data. However, do this without adequate preparation and you are likely to drown. And we do not want to happen, now do we?

Auditors need to get their hands on the raw, core data

If we really want to get hold of the information present in those large data sets, we need to get our hands on that data. There are a couple of ways to do it, but let me distinguish the two big ones: the right way and the wrong way.

The wrong way

Let's start with the wrong way first. The internal auditor asks the ICT department or the responsible ICT experts in the accounting department to provide the data, cleaned out and prepared for review according to a specific format, on a server somewhere. There's a number of issues with this. First, if you ask a third party to clean data, you stand to lose a lot of highly relevant information. The information provided to you by these experts likely has gone through a number of manipulations. It is not the original data. It is some reflection of that original data. And if the data was pulled out of the system based on algorithms in the system, how will you ever know if those algorithms did not influence or change the data? In short, there's too many steps between the actual transactional data when it is generated and data presented to the auditor. You can write scope exceptions as much as you want, there's a significant risk that a number of errors will not be identified.

So, then, what's the alternative? Is there an alternative? You do not want us to go and take millions of individual records and analyze them, now do you?

The right way

Well, in a way I would like you to do exactly that. Or at least something rather close to that. You need to go to the core of the data. The core is the original transactional data that is generated the moment a transaction occurs in the system. That transaction can be anything. It may be an accounting transaction, a stock receipt, a personnel movements,…

Okay, but wait, even for a smaller organization that means literally hundreds of thousands of transactions. I know. The reason why you need to get as close as possible to the core data is because you want to avoid issues when that core data is manipulated in the system. Remember, we wanted to avoid that black box feeling where all we had is belief that our experts are expert enough.

So you need to get a data set of the raw transactions. The problem with these data sets is that they are quite often not very clean. It's likely that you can get the data in a CSV or comparable format. if we're talking about millions of transactions, excel will not let you work with these. And even if you use a program such as IDEA, like we do, you need to make sure that you clean up your data set. Ideally, you select those elements you need within that data set and use that for your analysis.

An easy way to work with that raw data

And there is an easy way to do this. And that way is called regular expressions. "A regular expression is a sequence of characters that forms a search pattern, mainly for use in pattern matching with strings, or string matching, i.e. find and replace like operations," as Wikipedia defines it. Most text editors support regular expressions and most CSV files can easily be imported in a text editor. Using regular expressions actually comes down to using the find and replace functionality of your text editor as a one or two line programming engine.

Wikipedia provides a number of simple examples. You can for example identify and select all instances where the name of a person is spelled in different ways, that way ensuring that you have all transactions related to that person and not only the transactions linked to a certain spelling of his or her name.

Another thing you can do it regular expressions is to replace multiple spaces with comma's, ensuring that import in other programs for further analysis is clean. Regular expressions can even be used to do extensive searches on certain occurrences within a data set without need for a complex program other than a good text editor.

And best of all, regular expressions are not difficult. If you can state the problem in ordinary English, and you know the simple, basic concepts of the syntax, which is not difficult at all, it is just your creativity as an auditor that will limit what you can do with that raw data set in your hands.

The sky is the limit

Imagine that, just by performing a limited number of these tests, you can get additional assurance that the work done by your highly paid consultants which came in to help you analyze that new ERP system, are actually worth what you pay them. That's quite a strong use case. Combining regular expressions with tools such as IDEA or other comparable tools can liberate even a small internal audit department from its high degree of dependency on third-party suppliers for basic data analysis. That means that the budgets available can be used to ask the difficult questions of your consultants. And that's a good use of money.

An accessible book

I recently bumped into a short, but highly accessible book on regular expressions. Do not be fooled by the name or by the fact that it's still being developed. It is well-written and it has helped me to get my head around this amazing set of tools, for lack of a better word. The book is called "the Bastards Book of regular expressions" which was written by Dan Nguyen. in principle you can download it for as little as zero USD, but I would suggest that you consider the inherent worth of the book and pay the author for his work.

I know that regular expressions will really change the way that we deal with data in our audit environment. I hope it will assist you to. Enjoy the learning!

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Using Basecamp for internal audit documentation

Ah, old times!

I was brought up as an internal auditor in a day and age when computer aided auditing was still to become mainstream. I know that dates me, but so be it. My first years of auditing consisted of performing audit tests as described in a paper work program. I was responsible for documenting the work performed in a concisely prescribed manner on large yellow 14 column papers as well as hauling large stacks of working papers to and from the client, both current and prior-period documents that could barely fit in one large case. My back still remembers the pain of carrying thosecases around when I think about that time. I also remember taking a lot of photocopies. And making lots of pots of very strong, black coffee for my seniors. Ah, old times!

A paper based paradigm

Traditional working papers had an established structure that carried over from audit to audit, which made reviewing the work easy. I learned to appreciate the existence of that structure when I was a senior and a manager and had multiple clients to review. now, the purpose of those working papers was dual: they were both a proof of the work that had been performed as well as a support for the material findings that would eventually make their way into the final report. The hierachical structure was developed in such a way that referencing your report for completeness and accuracy became very easy indeed. This paper-based paradigm was essential in a period where paper was what we had.

The inertia of older partners

The transition from a paper-based system to a computer supported system went rather slow. The successful software emulated the paper-based paradigm. This software was successful because it was recognizable. We gained acceptability. We lost a lot of the flexibility inherent in these new systems. However, most of the older partners who have final word on the investments were not ready to adopt an entirely new way of working.

A high level overview of our current approach

But how do we go about our work now, as internal auditors? After a preliminary risk analysis based on information gathered from the entity to be audited, prior period work papers if these exist and other sources of information, we develop a risk analysis. That risk analysis is the basis for the development of a high-level work program. At the start of the actual fieldwork, during initial interviews and procedural testing, we gather evidence that leads us to develop a more in-depth work program which aims to gather additional information and perform more specific tests, eventually proving or disproving any assumptions that we may have made at the outset. Combining different sources of information, we home in on an eventual conclusion. We do this for all relevant aspects of the function or activity we are auditing, within the limitations of the scope of the work.

We document the work we have done, sign off on it in preparation for review by a peer or a superior. In certain cases, our findings are material and our conclusions result in a finding, which can give rise to a recommendation. These findings, and in certain cases the recommendations together will form the bulk of the report. This is pretty much Sawyer 101.

A report is a linchpin

Now, a report is a special document. it is the linchpin document of the entire audit, holding everything together. It is important that all the findings, if considered material, are properly represented in the report. Our working papers need to show that the finding is relevant, by means of our documented work, and that all relevant findings have been appropriately integrated in the report. If a finding is not reported on, it needs to be clear why. The report needs to be easily reconcilable with the documentation of the work done.

The traditional solutions were not flexible enough

The problem we faced at BTC is that the current crop of working paper solutions, most of them software as a service, are just not flexible enough. They provide you with plenty of tools that work fine if you work in their specific manner. However, our reality, one of auditing development aid programs in the field, often in the middle of Sub Saharan Africa, requires us to have a significant amount of flexibility just not adequately offered by the current, popular systems. So after a year of test driving a traditional system, we decided to migrate to 37Signals Basecamp. And although not perfect, we are quite happy with the results. we currently use Basecamp not only as a working paper repository, it also acts as our general audit information and documentation hub and we use it in our collaboration and exchange programs, both for internal projects as well as projects with other parties.

We integrate communications with auditees

Whenever we start a new audit, we create a new project in Basecamp. We write a text file with the motivation for of the audit, the audit scope etc. Any communication with the auditee is forwarded to the email address exclusive to that specific project. This way, we have a complete trace over all communication relating to the project.

To do lists play a central role

During the preliminary phase, all documentation relating to assessments, interviews etc. is posted to Basecamp. This work eventually leads to a high-level work program, for which we develop a to do list, one of Basecamp's core functions. All tasks to be executed as a part of that work program are assigned to a collaborator, who does the work and provides adequate documentation in the comments section of the to do activity. Basecamp's to do's allow you to attach files and even, if that is your poison, provides links to Google docs.

Clearing tasks is up to the reviewer

From a practical point of view, a collaborator does not check off the task after having executed the work. Rather, he reassigns this to the responsible reviewer, who will review and, if so required, will create a finding in a separate list, which is just another to do list, aptly named Findings. During our review, we ensure that all tasks have been properly cleared by the correct person. If we feel the work is not appropriately done, we comment, open up the point again, and reassign it to a collaborator.

Using a separate findings list

Eventually, after due consideration and review of the underlying evidence, we publish a finding to the findings list. When we publish a finding to the findings list, it is URL linked to the evidence in the Basecamp project. This way, a reviewer with the right authorization to access the project can easily review the underlying documentation in order to assess the validity of the findings. This is ideal for thorough peer reviews.

URL linking everything together

Ultimately, the draft report is an integration, in one document, of the retained findings and recommendations. To ensure easy links to the findings, that draft report contains links to each of the findings as presence in the project Basecamp space.

After receiving comments on the draft report, we forward that information to our project space. Our final report is linked to the draft report, as well as to the comments we received. Any comments received but not included contains a motivated disposition on why it was not included. The final report is in turn linked to a presentation which is prepared for presentation to the audit committee. Of course this presentation can also be found back in our project space, where we post a version that contains links to each of the findings presented to the audit committee.

Cleaning up after ourselves

After we presented the report to the audit committee, we clean up our Basecamp project space. For this we use a closing out checklist. This checklist requires us to go through each document in the project space and review its relevance. Documents which do not support findings or recommendations or have no other relevance in the context of the project, can be removed. We actually move those documents to a separate just in case project space where they will reside until the end of the year, when we clean out our Basecamp space.

Once the project is cleaned up and all links have been checked, we archive the project. By archiving, we ensure that no one can change the information present in that audit file.

Our evaluation

Is this system perfect? No, it is not. When we are working remotely, with that Internet connections, we need to document locally to our drives and upload later, whenever we are close to a good Internet connection. Mailing in the documents is an alternative which is provided by Basecamp, but that does not reduce the effort of the ex post reconciliation. If 37Signals would ever consider off-line mode, we would be very happy. Having said that, the simplicity of their current solution augments its flexibility, which is why we chose it in the first place.

This should provide you, dear reader, with some insights into how we Basecamp as work paper documentation for our internal audit work.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx