Working papers: it's not about you ...

It seems obvious, but it isn't

One of the key requirements of quality working papers is that they contain neither irrelevant information nor personal, subjective statements or opinions. It seems obvious, but during a recent external file review I was taken aback by what I found: personal observations, none too flattering, of an auditor on an auditee, right there, in the middle of the working paper.

Irrelevant storage is money wasted

There are a couple of reasons why this is so important. First, there is the most obvious reason. Whether kept physically or electronically, storage costs money. Irrelevant storage then is money wasted. The more clean and shed of irrelevant documentation your working papers are, the leaner they will be, the less they will cost to store over their intended lifespan.

Now, there is another side to this particular coin. Paraphrasing Einstein: "Keep it as simple as possible, but not simpler." Relevant information, which is information supportive of and essential to arrive at the conclusion of the working paper, needs to remain in the working paper. Only when we are absolutely certain the underlying information cannot be altered and will be retrievable over the intended lifespan of the working papers can we accept it is stored outside of the working papers, for example in an ERP system. Yet, I would err on the side of caution.

Do not waste time of your hierarchical superior

Second, think about your audience when writing too much or putting irrelevant information in your working paper. Your hierarchical superior will need to review and sign off on the working papers. In order to be able to do that, he or she will need to read through what you have written and review what you have gathered in terms of information. If you make them read through irrelevant information, you will waste their time, which costs money, and you will most certainly negatively influence their opinion of your as a professional.

Show respect, always, even if there is no direct liability

Speaking about being responsible, third, think about respect. Any subjective, personal observation, especially when it is irrelevant for the intended purpose of the working paper, shows a lack of respect for both the auditee and your hierarchical superior. Now, I'm making abstraction of potential liabilities that may result if such working papers would ever become public. Fundamentally, it is all about having a correct, respectful attitude towards your auditees. After all, you do expect them to be correct and courteous to you too, right? Well, you need to extend them that same favor, including keeping your subjective, personal ideas about them to yourself. You are participating as a professional member of an audit team in an audit, not as a contestant or a judge in a reality show.

A general rule

Now, there is a general, rather obvious rule I once heard which stuck for me: "Do not ever write anything in a working paper which would negatively reflect on you if that working paper became public."

Some working paper review ideas

A good exercise is to go through your working papers and look for indications of subjective writing. Indicators could be the use of verbs such as "feel", "believe", "think" as they indicate a certain leap of sorts, taken from objective, verifiable information to a position without adequate supportive evidence.

Also, you will want to look at the adjectives you use in your writing. Adjectives qualify, while the only subjective opinion an auditor should express in a working paper should be his conclusion on that specific working paper.

In conclusion

When writing working papers, make sure no irrelevant information or personal opinion creeps in. To avoid that:

  • don't overdocument: it costs money to store, it costs time (hence money) to review and it does not add value. But make sure you retain adequate basis for your conclusion in those working papers;
  • be respectful: your personal opinions on people or situations have no place in working papers. Actually, as a general rule, they don not have any place, period. Don't even share them with your colleagues. Keep it to yourself;
  • be sparse in your writing: do not embellish your working papers with unnecessary words or words that express subjective positions. You are not wring a work of literary fiction. You are creating a basis for an opinion or an as objective as possible report.

And that's why personal opinions and irrelevant information have no place in working papers.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Concluding on working papers

So what?

I sometimes review a working paper and think by myself: "So what?" Not in a derogatory, dismissive manner, rather in a silent sigh about an unfulfilled expectation.

A well written working paper without a good conclusion is like a good short story without a proper ending. It leaves me wanting more but not in a good way, and that's a pity. Worse, it's not very effective as I will need to develop the conclusions myself, immersing me more in the work than is strictly necessary during a review.

Four components to good conclusions

A good conclusion should tell me what I need to know in the most concise manner possible. A good conclusion needs the following four components to it:

  • An adequate basis for conclusion: "Based on ..." followed by a concise description of the basis of the conclusion is what I expect to find here. Essential is adequacy of the basis. The question to be answerd by this part of the conclusion is whether the conclusion is based on adequate evidence, analysis or testing work.
  • A competent person concluding: often forgotten, I need to read who is concluding on this evidence, this analysis or this testing. "We" does not do it. The reason is simple: as I reviewer, I am looking for assurance the person who drew the conclusion has adequate competency to come to the specific conclusion. If it is a conclusion on a highly technical matter, I don't want a staff assistant with a couple of weeks of experience to draw the conclusion. That is not credible.
  • A relevant conclusion: the wording can be highly diverse, but a conclusion itself needs to show clear relevance as to the purpose of the working paper itself. It needs to be clear that the conclusion can be reasonably reached based on the work done, given the basis and the competence of the person concluding.
  • Clear next steps: what needs to be done next needs to be clear as well. Most often, in case of conformity, this would be a phrase such as: "We pass further work." In case on non-conformity, it needs to be clear what will happen next, because that part will likely not be part of the work program.

An example

So, a good conclusion would, for example, be:

Based on the reconciliation testing done on the ERP/SAP ledgers and the sales system data for two months selected at random, the IT auditor concludes there are no material discrepancies between the ERP system information and the sales system information. We pass further work.

As your audience is the senior auditor, the manager and the Chief Audit Executive or the audit partner, you need to ensure each of them at their level can glean the relevant information from your conclusion as quickly and as completely as relevant and possible.

And that's why it's important to properly conclude on working papers.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Time budgeting: more follow-up

A reader made an excellent observation in this reaction on LinkedIn ... Time budget not used today will expire.

I fully agree, which actually cements me in my conviction that the only way I'm going to relevantly and usefully spend my time is by ensure that I have, in advance, a clearly defined use for that time. If I fail to do that consciously and appropriately, I will lose that time, never to see it again.

Let's illustrate that with a very concrete example:

I have a weekend day where I have let's say 12 real available hours. 8 out of 24 hours I sleep, 4 are spent eating, preparing to eat, showering and doing general maintenance work around the house.

Now, I have a couple of areas of focus I want to spend time in during the weekend, for example on Saturday, when I have other stuff to do. These are:

  • Home owner
  • Father
  • Husband
  • Writer/blogger

Each of these have typical activities related to them. Home owner for example has a recurring task which is "mow the lawn". Father has "play with kids" and Husband has "talk about past week with wife" and "go shopping for groceries", next to other tasks. Writer/blogger will have "brainstorm article on working papers" and "brainstorm article on the use of contexts in Omnifocus". I know that mowing the lawn, including set-up and clean-up, will take me about 2 hours (yes, my lawn is too large). I know that shopping for groceries, including putting everything away, will take me about 2 hours as well (what can I say, I'm picky) ... Brainstorming an article takes me anything between 20 minutes and one hour, while playing with the kids gets at least 3 hours, and I adore talking to my wife, hence we take 2 hours for that at least.

Now I have:

  • Home owner - Cut lawn: 2 hours
  • Father - Play with kids: 3 hours
  • Husband - Shopping for groceries: 2 hours
  • Husband - Talk to wife: 2 hours
  • Writer/blogger - brainstorm 2 articles: 2 hours
  • Tool switching and other 'loss' of time: 1 hour

Does this seem OCD? It most certainly does, but it is not. Why not? Let's look at the alternative ...

If I don't explicitly, proactively define what I am going to do with those 12 hours, I am likely to let my subconscious, lazy, procrastinating self dictate what I will be doing. Likely that will involve slacking off in front of the TV for a couple of hours of mindless (as compared to mindfull) procrastination.

Now, imagine my wife calls me to tell me her parents will be visiting us this weekend. They'll be arriving around noon and will likely leave at around 6PM. These are hours we will be spending with them, which means that some of the intended, budgeted time slots will drop. I make the choice to drop the writing and the lawn as well as the "talking to wife" because that gets replaced with "talking to wife and parents".

Completely different from a reactive scenario, this is an active choice of rebudgeting my time usage. It has, as any budget decision has, consequences, as it means I will have to cut the lawn another time, and make some time another day to do the writing if I want to keep up my publishing planning on my blog.

Active versus passive. Proactive versus reactive. Considered versus sprung-upon-you. What do you chose?

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Time budgeting: a follow-up

Using Timeful for a couple of hours

Based on the feedback from some readers with respect to this article, I've been playing around a bit with Timeful, an interesting iOS application developed with the support of Prof. Dr. Dan Ariely. Some of you suggested it may provide some answers to my issues with time budgeting and linking available time to to-do's.

First, I need to say I like the approach the application takes. It shows you all the competing time interests and suggests what can be done when, based on a number of underlying algorithms. This app looks like it takes an available time focused approach.

Still not a 'conscious' budget approach

That said, it does not fully answer the point that I have: it does not ask for a conscious available time assessment, it rather shows you what you have left. And that's where the issue lies, as far as I'm concerned. A budget approach such as YNAB first makes you very aware of what you have available to you, in money, and then asks you to divide that money over budget categories.

What I would like to see is an application, or a method, or a solution that would allow you to first make a clear overview of your available time for a certain context, for a certain area of focus, and then to confront you with your identified categories (call them projects in an area of focus, to stay within GTD parlance) and ask you to make the choices that need to be made.

Conscious choices focus on the "important, not urgent" quadrant first

I cannot stress enough the need to go about it this way: first identify what is available to us and then to give that time that you have committed to a job, every single minute of it. This is not about mechanically or even OCD like attributing time to projects: this is about making very conscious choices to first allocate time to an area of focus and then detailing how to use that time in that area of focus.

This is making very conscious choices for certain projects and activities and not for others. Whenever there is a conflict in your head, like with a spending decision, the fact that you have already made a choice beforehand, usually within a larger picture of reaching certain objectives will make that decision easier. It does not mean you will only focus on longer term goals, but rather than any choice not for a longer term goal means you are confronted with the impact of that decision on your longer term goal then and there.

It should, in my opinion and perception, lead to spending more time in the "important, not that urgent" quadrant rather than in the "Really urgent now, not very important, but yikes, it burns" quadrant.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Clearly written working papers

A quick stroll down memory lane

Let me take you on a quick stroll down my memory lane. I was a young auditor, fresh out of university, working on my second or third audit. I was a high potential, as I had already achieved mastery of those skills essential to a young staff assistant: I knew how to make one mean pot of coffee and I had decyphered the hidden workings of the mainstream copying machines. Real auditing I had not yet done, but I was ready and eager to take that next, defining step in my career.

I was asked to perform a reconciliation on cash balances, one of the most basic of external audit assignments. And I had every intention to audit these balances the way they had never been audited before. I was going to make a mark as the best staff assistant they had ever seen.

Before I go on, you need to know a bit of logistical context: we used to work with big yellow 14-column working papers in those days. I know this dates me a bit. The 14-columns, which folded in three to make a neat "letter" or "A4" sized "booklet" were ideal for documentation purposes. You attached the evidence, usually copies of relevant documents, to the left side of the paper and documented on the two right "sides".

There was some minor issue with the reconciliation, but as a first year staff assistant intent on immediate fame, it did not seem that minor to me. So I documented and documented, I wrote and wrote ... ending up attaching two more 14-columns to that already large initial one. As one side of one single 14-column covered about 3 standard "letter" or "A4" pages, that made for about 8 pages of documentation plus one page with evidence attached.

I very proudly showed up at the desk my senior was sitting at. If I would have been a dog, there would have been tail wagging involved. A lot of it. My senior looked at the working paper, in amazement and disbelied which I, for a second there, mistook for admiration, then uttered something I - to this day - refuse to believe was anything else than: "You have got to be kiddin' me ..." pulled off the evidence and shredded the entire working paper. Needless to say it took a bit of time, because there was a lot of paper. He then sent me away with a simple: "Again, and to the point."

Six considerations for better working papers

I was heart broken. There went all my good work. That evening, he took the time to show me what was wrong with my well-intentioned approach. That one evening has taught me what it really means to write clear and concise working papers. He told me that:

  • my main audience was him, the audit manager and the audit partner when they were reviewing the working papers. Each of them was under significant time and budget pressure and had a lot of other, more important work to do. They needed to be able to glance at the working paper and see immediately whether or not there was an issue and if so, what that issue was.
  • my working paper was not a work of literary art, nor should it be. Write what needs to be written, but nothing more. Be concise. Be clear, use often used words that can only be interpreted in the way they were intended to be. That was also intended for the secondary audience, third parties reviewing the working papers in case of issues.
  • If there was no issue or even a minor issue, I need to state that clearly. I did not have the obligation to recount, in detail, what my testing approach was if that was already documented in the work program. And if it wasn't, I first needed to explain why I adopted an alternative approach than the one well established over years of auditing that specific client. In case of no or minor issues, I need to sign off on the work program indicating the work had been performed and I needed to conclude on the working paper.
  • If there was a material issue, I needed to explain what the issue was, what its potential impact could be, what my sources of information were and how I validated these sources of information in as far as that had not yet been described in the work program.
  • The cut-off on whether or not something was important was the materiality established by the manager and the senior prior to the audit. Materiality was not based on my opinion, it was based on an objective, reproduceable calculation. Nothing more, nothing less. Materiality is a risk acceptance threshold.
  • writing in pencil instead of a pen may feel very junior high, but it allows for comments and calculations on working papers to be erased and rewritten with ease. That's an efficiency point, both for writing and reviewing. Most managers and partners don't like to review working papers with visible and confusing corrections, as these again ask for time to review and understand.

It is essential to be as concise and as clear as possible when writing working paper documentation. The purpose of the documentation is to ensure your analysis can be reviewed and if necessary reperformed based on the available data, leading to the same conclusions you had.

Good documentation is essential, especially using CAAT

Ensuring your working papers are written as clearly and as transparantly as possible becomes even more essential when you are performing computer aided testing. While likely the least exciting part of the analysis, documentation is a must-do considering that this type of testing can quickly take you down the proverbial data rabbit hole, following interesting data threads. If you do not clearly document what you are doing in every step of that process, understanding and reperforming your analysis will become difficult if not impossible, even for yourself. It is therefore important to be as concise and as clear as possible.

If ..., then ...

If you fail to produce clearly written working papers, there are two possibilities:

  • in the best case, your audit senior and manager will give you the benefit of the doubt but will not be able to adequately judge the relevance of your work. This reflects poorly on you, and if you have made a mistake, you will be responsible for the consequences;
  • in the worst case, you will be asked to reperform the work and the documentation, which is a waste of precious time and money for your audit organization.

And that is why audit working papers need to be written clearly.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Productivity budgeting: the missing personal productivity component

Limitatons of personal productivity tools

Modern productivity methods and tools go a long way towards optimizing our focus on areas and things that really matter to us. GTD, for example, provides us with an elaborate basis for identifying what we need to do next, depending on our context but also on our overall priorities, expressed in projects in areas of focus which roll up to an overall vision of what we want to be or do.

But there is a nagging gap in all productivity approaches I've read and used so far ... each of them, if not used with due care, will devolve into a to do list of mythical proportions, creating unreasonable expectations on what can be done by us. Remember, we are mere humans.

Confrontation with an unplanned expense

Whenever I do my weekly review, especially the part where I go through my projects list and look at all the intended tasks I have yet to execute, I am always amazed and honestly a bit terrified at how much there is left for me to do. I often feel like a person who is being confronted with a significant unplanned expense. The feeling is dread. I'm observing myself developing a resistance to my weekly review to avoid being confronted with that feeling every single week.

And it's not just that. The effectiveness of the "incompletion trigger list" leads to a situation where I find my creative mind generating at least two additional actions for every action I have cleared the week before. My sense of accomplishment tends to suffer. For everything I do, more remains to be done.

Balancing what we want and can get done

Some of you may call this life, but in my mind, life should not just be about what remains to be done. Productivity and its cousins effectiveness and efficiency are - to me at least - all about the balance between what can be done and what is being done. What can be done is not just limited by our imagination and our ability to stick it on a to-do-list, it is also, in a major way, limited by our available capacity, by our real availability ... by our available time.

The time budget problem

I can see the broad strokes of what is missing in my understanding of current productivity methods. I fail to approach productivity as the fundamental budget problem it is. Not a money budget problem, but a time budget problem. Let me explain with a parallel to budget approaches:

Wanting things or experiences without having either unlimited funds or a structured approach which maps out how we will use our available funds to accumulate to get to the amounts necessary to acquire these things or experiences will get us exactly nowhere. The approach where we label money we have available for expected future expenditure is called budgeting.

Now, in money matters, there are two important aspects to budgeting, expertly described by YNAB and quickly and incompletely recapped here:

  • You can only budget what you are sure to have available to you. If you budget dollars or euros you don't have available to you, you are creating an illusion. You cannot spend what you don't have available to you. Not understanding that simple rule has led a lot of people into credit card debt.
  • Once you are sure about what you have available to you, you need to give each dollar or euro a job. If you do not, it is sure to get wasted on something irrelevant, and it does not honor the idea that a lot of small savings can really lead up to overall important savings.

The challenges of time budgeting

Now, the same goes with time. I can only really spend the time I am sure to have available to me. Anything that I put on my to-do list is an implicit commitment to my time. Overcommitting is easy when I don't know what I can reasonably commit to. Overcommitment, or not being able to do what I expected to do leads to disappointment with myself and with my approach, over time leading to abandoning an otherwise excellent way of identifying what I need to work on to remain focused.

The flip side of this is that I need to give all my available time a purpose, even if that purpose is relaxing. If I don't, those unassigned hours are likely to be spent in a zombie-like stupor in front of the TV, watching yet another reality series or even a good show, not really being here, being somewhere and somewhen else. That is not participating in life, that is wasting time.

Components of a time budget approach and link to GTD

So, what I am looking for is a budget approach to life. I need to:

  • truly know what I will have available in terms of time ... getting to really know what I can do with available time is likely to be an iterative process, and;
  • assign that time to realistic purposes, for which my GTD-established task list will be a great starting point.

This is one way to make sure that the to-do list does not create undue stress and lead to unfulfilled expectations it intended to alleviate.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

The relation between audit reports and working papers

Audit reports tend to be overly long

I've mentioned before I don't like overly long audit reports. The length usually does not add relevant information for the audit committee and only aims to prove to the audience how much time and effort the internal auditor put in that specific audit. While commendable this is not something I should read in an audit report. It's understood that you do your very best. If you sign off in accordance with IIA standards, you say as much. Only a lot shorter.

I know plenty of internal auditors that feel they need to show the work they've done. They reaction is understandable, because the only work the audit committee will ever see is the audit report. The need to be accountable is entirely normal for someone who checks on accountability all the time.

Make sure to adequately document your work

"Make sure you adequately document your work," is something the beginning auditor hears from day one of their career and it tends to stick, as much as the use of most copiers and how to make a good cup of coffee. Often, it sticks too hard, and the need to document is reflected in the audit reports.

Am I saying you should not adequately document? No, not at all, but documentation and evidence should be in your working papers and not in your audit reports. Your main audit report audience is your audit committee member, who has no added value in reading how you performed test X of Y. They hired you for your competence, and it is your professional judgment as to how you execute your testing.

To compare, while it's interesting to find some information on the bridge you're about to drive across with your car, such as how high it is, when it was built and how much it cost, you will not stop to contemplate the redundancy data and the calculations the engineer made when building the bridge. You assume that engineer knew his or her job. It's the same with an audit report.

Auditees can get additional information based on good working papers

But what about that other audience, my auditees? What if they want additional information? Well, that's where working papers come in, and that's where working paper documentation becomes so very important. It is entirely acceptable to allow an auditee access to copies of carefully selected parts of the working papers. Of course you will need to clear it with the audit committee, but in essence there is nothing wrong with it.

Working papers need to be "in order"

Now, this imposes requirements on the working papers as well, an often neglected area of our work. In order to ensure that working papers can adequately be presented to auditees or even third parties, where relevant, they need to be "in order". I'll blog more about working papers later, but let's define "in order" now.

For working papers, I would define "in order" as:

  • Organized
  • Clearly written
  • Documenting interviews and test performed
  • Concluded on
  • Supportive of the conclusions of the audit report, including complete evidence
  • Empty of all documentation that does not directly offer support for a test, a position during the interview or a conclusion
  • Empty of all personal opinions or inappropriate comments or remarks
  • Reconciled to the final version of the audit report
  • Signed off on by the CAE or the responsible for that audit

In the next week, we'll discuss each of these elements more in detail.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Quick tip - learn to use your tools

I've recently taken a close look at the application folder on my Mac. If you sort your applications by "date last opened", you may be in for a surprise. More than 70% of the applications I have installed had not been opened in the past 30 days. Including some applications I consider essential and would not ever want to remove from my computer.

That simple fact led me to consider why I actually acquired the 70% that had not been used in the past month. With very few exceptions, I've downloaded or purchased them to solve a single problem. This is not unlike buying the most extensive Swiss Army knife in order to clip your nails, because it has - of course - a nail clipper. I'm using only a very limited part of the capabilities of the tools I have. And that's a problem on several levels. Let's examine this a bit further:

I don't know what I've got

Because I acquire these tools for a single purpose and I never take the time to learn what else they can do, means that I have really no idea what these tools can do for me other than what I wanted to use them for.

Take Name Mangler, for example. I acquired the tool because I had to rename a bunch of JPEG files with duplicate names, as JPEG files that come from cameras tend to have. Little did I know that this was one of the prime applications for automatic renaming available on the Mac.

If I don't know what I have, I'm likely to go looking for another application to do a job I need doing, but that one of my current applications can handle if I only know about it. If I read the manual, or get to know the tool by using it in different configurations, I will not go looking for a new solution, saving myself significant research time in the process.

I've been wondering whether this is the result of a couple of years of iOS use, where single purpose tools are often the norm more than the exception.

I have multiple tools that serve the same purpose

That leads to situations where I keep similar data in the same type of tool. If the data is accessible and in a format that is shared by multiple tools, this may appear less of a problem. Markdown formatted plain text files, for example, can be read by quite a few applications, some of which I have installed. However, the problem lies elsewhere. The time I invest in getting to know the basic functionality of each of these tools could have been better and likely more productively been invested in getting to know one of these tools a lot better.

Instead of focusing my effort at one tool and really getting to know it, I diffused my effort over several tools. In text editors, I am a jack of all trades, but a master of none. And that is only due to the fact I felt the need to download and use a number of them.

My current text editor set-up has been reduced from a mix of Ulysses, FoldingText, Sublime Text 3, Byword and nvAlt to just Byword and nvAlt. Byword is for writing, nvAlt is for looking up information across my library of text files.

Imagine for just a moment the time spent in getting to know even the basics of these tools.

What do I suggest to resolve this?

Well, I've learned the hard way, so you perhaps shouldn't. There is really only one solution I consider as an adequate answer to this problem: you need to invest in your tools. Get to know them. Be aware what you can do with them. If you have a problem, check whether there is anything in your current toolbox that my solve the issue. It perhaps will not be the most elegant of solutions, but you will have mastered more of your existing tools.

As Kourosh Dini so eloquently states: "Mastery is mastery of the basics."

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

The real relevance of internal controls and their development

Mutual exclusivity?

I'm hearing a lot of comments about the relevance and the redundancy of internal controls and especially internal controls development and internal controls training. A number of new management philosophies such as this one - pretty much unknown outside of the French speaking world, but mirrorred in philosophies such as the one of Ricardo Semler - talk about ownership and responsibility of the collaborators. I've written about this most recently here.

What surprises me is that these approaches are seen as mutually exclusive. As if internal controls are something bad, or something redundant or even limiting in a context where collaborators are given individual freedom. First, what any given responsibility comes the ability to respond, but also the obligation to explain what was done and how means (both budgets and people) were used. Well designed internal controls increase the likelihood the use was appropriate, effective and efficient.

More than a response to a single issue

But we should not see internal controls as just a procedure or a procedural aspect. We need to see it as a training for eventualities which will most certainly occur. The real value of using and learning about internal controls is that it teaches people to handle those unexpected occurrences which we will be confronted with, whether we like it or not. The best internal controls teach our collaborators to handle eventualities, even outside of the reach of those controls, because the habits of working with the controls have become so engrained that they become second nature in any type of situation.

Think about budget usage controls which are used at work and find their way into the home, leading to better budgetary control and a better life for a family. Or consider solvability checks required at the start of a contract being executed at regular intervals, ensuring the organisation doing the work remains capable of executing that work well. These are but a few examples.

Developing muscle memory

More than just considering the narrow scope of internal controls, consider the use, the training and the development of internal controls as the exercise leading to muscle memory, to a direct response when faced with a control deficiency stimulus.

And let's remain aware that the untrained will never be able to decently dance the tango of work and life. Even if we encourage them to take their responsibilities, we have an obligation to provide them with tools that allow them to appropriately take these responsibilities. Internal controls are one of these tools.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

So what do you do when you don't do what you're usually doing?

A strange question

Okay, I admit, that may be a rather strange question. But think about it for a second ... do you have other projects than professional ones?

Yes, I know you have your family and friends, but do you have objectives, very specific aims you want to achieve with or for them? And if you are alone, do you have hobbies? Are you very clear on what you want to achieve in those?

Look, this is far from a plea to quantify every single thing you do in your life. Life should most certainly not always be about performance, about results. But perhaps being here and now is partly about clearly understanding why you are here, now instead of somewhere else.

Now only has limited meaning without a clear sense of purpose

Without a clear sense of purpose, now only has limited meaning. Now becomes the moment between what was and what will be. Not to be lived, but to be ensured, to be bridged. Those around you at that moment will experience you bridging that moment, not living it, because you will not be there. At those moments you are either living in the past, going over what has happened, or you live in the future, preparing for what will be.

You are only this moment

The point is, you are not here, now. While you are just and only here and now. You are not different from this moment ... and this one ... and this one. It's important that as many of these small moments make sense and are lived to the fullest. As Annie Dillard said: "How we spend our days is, of course, how we spend our lives."

Because it is so easy to drop into bridging behavior, it makes sense to formulate a clear purpose and sense of objectives in each area of responsibility in your life. Your significant other, your kids, your friends deserve to be part of one of your projects. They have the right to figure in your life, more so than any job related person or entity has that right.

If you fail to identify the relevant areas of responsibility in your life, you will not give yourself and those around you the authorisation to experience you and your presence in all areas of your life. And whomever you are, that would be a loss, not just for those around you, but for yourself most of all.

So, what do you do when you don't do what you're usually doing?

Here are four steps that will at least get you on the way

Step 1 - Get out of limbo

That waiting area that some of us spend quite a lot of our lives in has a name. It's called limbo. It's that place where you are in between other things. We all spend too much of our lives in limbo.

The best way to get out of limbo is by identifying our areas of focus, as David Allen refers to it in his GTD book. This Simple Dollar post describes more in detail what areas of focus are.

Ideally, you identify all the areas of focus you cover when consciously awake. Not just those areas you deem important, but also those areas you may not be really aware of. Using a time and activity tracker, such as RescueTime for example, is a good first step to understand what - on your computer at least - you are up to. I believe you may actually be surprised. After a couple of days, you will at least be aware of what you are actually spending time on.

One of my key areas of focus which does not get enough attention is 'being a father to my children'. Note this is not being an adult around smaller people. No, this is about being a dad.

Step 2 - Define objectives for each area of focus

Take your time and define at least one objective, something you want to realize in each of the areas of focus you identified in the previous step. This objective can be a simple answer to the question: what do I want to do for the people which I interact with in this area of focus.

In my area of focus 'being a father to my children', I have the objective to "make my children laugh".

Step 3 - Identify projects that allow you to achieve those objectives

Once it is clear to you what you are trying to achieve in the chosen area of focus, it becomes a lot easier to define a project that will lead to the achievement of those objectives. It proves the point that asking the right question is often the most difficult part in approaches such as GTD.

I had a couple of days off last week, and one of my projects was to visit entertaining statues in Brussels, such as this one and this one. I concede Belgium can be a confusing places. My kids did laugh once the initial surprise and shock wore off.

Step 4 - Make a conscious choice to commit and then be there, then

You are but this moment. Each moment, you have the choice to be here, or not to be here. We often forget we have that choice. But remember, as David Foster Wallace said, "this is water". If you chose to be here, now, you will be here in a mindful manner.

I'm sure there were a myriad of more productive ways I could have spent my day off. None of them would have been as good fun as that day in Brussels turned out to be. I choose to be there, not somewhere else. I was in the middle of the water.

GTD as an approach provides you with the essential tools to be mindfully present in the moment. We just have to use them the right way in all the areas of our lives.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Brett's courage

Much respect to Brett Terpstra for opening up about his past in this extremely personal post. I've never struggled with substance abuse myself, but I was a very, very heavy smoker from 1988 until late 2007. I'm defining heavy smoker as ranging from one pack to two packs of Camels per day. I had gone through numerous attempts to kick the habit before finally being able to quit in October 2007, thanks to good advice from a couple of colleagues.

I find it simply amazing that a strong and focused person can turn around his life in such an inspiring way. Each and every day something Brett made touches my life when I work on my computer. Whenever I work on texts, Marked 2 is one service call away. I use Searchlink for each blog post I write. I arrived at my editor of choice, Byword, after consulting Brett's crowd sourced list of text editors for Mac.

So Brett, thanks for sticking around and making a difference for a lot of us, Mac users. And happy belated birthday!

And for those not yet supporting Brett, he has an open support model running which allows you to support his work. You may consider doing that.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Risk management maturity - moving beyond risk registers?

An interesting article on risk register obsolescence

I recently read this article by Michael Werneburg which was subsequently updated here. The article deals with the evolution of risk management in organisations beyond the use of risk registers into a risk mature organisation. It restates and reiterates a number of points that have been made by Matthew Leitch in the past on his blog Working in Uncertainty. The basic gist of the argument put forward is that risk mature organisations no longer need risk registers or any kind of specific risk management procedure because they have embedded the risk (management) dimension into their daily management practices.

Well, I can tell you that I am torn by that position. On the one hand, I do believe that the authors have a point as far as risk mature organisations are concerned. A well established risk management practice will lead to risk thinking becoming embedded in management's mind and integrating in management's agenda.

Risk maturity requires an evolution

However, I do not agree at all with the assumption that is being put forward which states that because this is the case, we can take the training wheels of any organisation, abandoning a formal, procedural approach to risk management and evolve straight into risk maturity without passing through a risk learning process. I think that position is fundamentally wrong. Werneburg describes in his update how risk maturity came about, and while details are limited, it appears the organisation underwent a significant evolution to come to a risk mature structure.

Organisations do not self-mature. People don't either (not really)

Now, why do I react so vehemently to this type of thinking? I am very much aware that this thinking fits into the self-maturing organisation thinking some management philosophies currently embrace. They imply that if you leave your collaborators alone, they will make mistakes but will learn from them and evolve based on that learning to a mature state.

First, this is an assumption that is based on scant evidence at best. For every maverick like Ricardo Semler that succeeds in implementing such a change in an organisation, there are tens of organisations that fail to appropriately implement this kind of self-rule. If this would work, the banking crisis would have been avoided all together. However, individuals are often selfish rather than selfless operators.

Gambling with tax payers' money

Second, especially in a public sector context, this type of laissez-faire attitude is a gamble with tax payers' money. As public sector transparancy is already much under scrutiny, consciously risking budgets for a 'learning experience in risk' while very hard budget choices need to be made with very real effects on very real people, can hardly be considered as mature behavior.

Public sector organisations need their risk training wheels

As far as managing risk exposure is concerned, a lot of public sector organisations still need their risk training wheels. They also need a strong, directive management, especially in light of the significant personnel cuts which are not always in line with the real needs in the different departments.

Establishing a common language by means of a risk model, ensuring that appropriate risk identification is timely and consistently performed and using the risk model as an aggregating structure to bring together solutions that actually work in specific situations is an approach that organisations that have not yet reached risk maturity need.

Falling on their proverbial faces

Any management team that fails to put in place these essential systems and practices cannot expect to escape the confrontation with reality unscathed. They will fall on their proverbial faces. Much to my regret, experience and common sense cannot be transferred through osmosis. It's not by standing next to greatness or experience that you will become more experienced. Unless someone clearly explains the dynamic or organisations and their management teams auto-magically becoming risk mature without doing the work and the learning, my cynical internal auditor's heart will have to assume it is not happening.

Trust, but verify

Let us not forget the Russian proverb "doveryai no proveryai", which translates to English as "trust, but verify", which became Ronald Reagan's signature phrase in the US-Soviet Union relations of the mid and late 1980's. A risk model based risk management system for a young or maturing organisation as contained in a written and applied risk management process, combined with a well functioning internal audit department provides a decent basis for this verification component. You may trust, but internal audit will make sure it gets verified.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Slow writing: more beautiful words

Reading The Cramped

Lately, there's been a movement towards more tactile writing experiences, especially those writing experiences involving pen and paper. Excellent sites like The Cramped show people who are perhaps not aware of the beauty and the advantages of writing with a (fountain) pen on paper just what it's all about. I can only recommend the site, not only because of its content, but because it has some wonderful writers as well.

Fundamentally different writing experiences

In my personal experience, there is a marked difference between writing on a computer and using your hand - better even, your whole body - to form the words with some kind of writing instrument instead of tapping with just your fingers. Even your choice of writing instrument will influence the speed and care with which you write, altering the entire writing experience. Take a pencil, for example. Then a gel pen. Then a fountain pen. You'll see.

Speed of writing

The slower and more careful your instrument obliges you to write, the more aware you become of writing and of your writing, and the more considerate your writing will be. Your words are being formed more beautifully on paper, and that extra moment of consideration makes the words used more beautiful, more relevant as well.

Let me illustrate: I most often take meeting notes with a gel pen. It's a quick writing instrument, ideal for capturing words which are not my own. That writing is not beautiful writing. It is entirely functional, aimed at providing capture of and some quick reflection on what was said during the meeting.

On the other hand, I think with a fountain pen. A fountain pen requires a more considerate, slower approach. Legibility, such as the avoidance of smearing ink all over the place, is entirely down to my presence when writing. If I do not take the time to form the words, thinking about them as I write them down, I end up with a lot of colored smudges on paper, bearly legible and disjounted, and not much else.

Mindfulness

These fundamental differences make writing on paper with a fountain pen one of the most deliberate and present, aware experiences I know. It is one of the most mindful experiences I know.

I do invite you to try it. You'll see.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Tone & content audit report = f(audience)

Writing an audit report is serious business. But for auditors, it usually is one of the last things to do before closing the audit job and going to the next one. Not all auditors writing the audit report are necessarily familiar with the audience of their report. And that results in a failure to hit the right tone and language for the report. In my opinion,

the audience should determine both content and tone of the audit report

But why is that, and why is writing a good quality audit report so difficult?

On the one hand, your target audience is not necessarily as literate in organisational language and procedures as the internal auditors or the auditees are. After all, the members of the audit committee are selected on the competences and experience they can add to the organisation to strengthen its governance structures. They bring often very specific expertise, be it financial or subject matter. The in-depth understanding of the inner workings of the organisation are not necessarily present in an audit committee.

On the other hand, an internal audit report is often a technical assessment of an issue or a set of issues in an organisational process or a set of processes. Nuance can make all the difference between adapting the procedural framework to enhance existing controls or surpressing the activity all together because the exposure is deemed too important to patch.

A high quality audit report brings both clarity for the audit committee member and nuance for the auditee.

The internal audit report needs to be concise. It needs to be read and understood by each member of the audit committee in as little time as possible. It should also provide an adequate base for nuanced recommendations. Combining these challenges into one approach is not an easy task, but one a good auditor should master. I use a couple of guidelines which work for me.

Guideline 1 - Say what you have to say upfront

I've read quite a few audit reports which lose themselves and their readers in pages and pages of scope exceptions before coming to the point. While it is okay and even advisable to write a short introduction which describes the context and limitations of the audit, the formal scope limitations can be pushed towards the back of the report, even to the appendices.

Rather, as an auditor you need to get to the point as quickly as possible without losing your audience. By preference, state your conclusion in the very first page of the summary, then go about explaining how you got to that conclusion.

Guideline 2 - Speak clearly, concisely and understandably

If the subject matter is technical, auditors tend to adopt the organisational language. This may make us feel safe because we adopt the language of the auditee, but it is confusing to the audit committee members. They will get confused and before long abandon reading the report all together.

At best, you'll get a lot of very critical questions from the highly irritated audit committee, at worst you'll get nothing at all.

If you fail to convince your audit committee of the relevance of your audit and your findings, you will not only have invalidated the work on that specific report. You will have jeopardised your own continued relevance as internal auditor as well.

Guideline 3 - Conclude sensibly

Findings are one thing, but at the end of the day it's not the finding that will make the difference. Your conclusion and the subsequent recommendations are what will assist the organisation in improving its internal controls, risk management and governance. Your recommendations need to be understandable, as per guideline 2, but they also need to be sensible.

A sensible recommendation is the best possible, realistic, implementable recommendation. But in order to develop those, you need to ...

Guideline 4 - Involve your auditees in validation and recommendation

You need to involve your auditees, not only in developing the recommendations, but in the validation of the findings and conclusions as well. There is nothing more unnerving to an audit committee member than being faced with a technical disagreement between auditee and auditor during the presentation of a report to the audit committee. That simply shows the auditor did not adequately perform his work.

Confronted with that situation, audit committee members will drop out of the conversation, get confused and eventually become highly insecure as to the relevance of the findings, the conclusions and the audit report as a whole. They should and will send you back.

To avoid that, you need to make sure that most if not all potential points of friction have been adequately cleared before going into the audit committee meeting.

Guideline 5 - Drop information irrelevant to the audit committee

This one will hurt. I know that fear of lack of audit report volume is a known abberation of internal auditors. We fear the long days, nights, weeks and sometimes even months slaving on audit tests will never be properly represented by a mere 20 pages of audit report. But we fail to understand that fat reports indicate an inability to appropriately synthesize, a major deficiency for an internal auditor.

If technical information is essential, put it in an appendix, or even better, put it in a separate report for the auditee, provided it has been appropriately reconciled with the report to the audit committee. This will ensure completeness of both reports.

To recap

If you ...

  • say what you have to say,
  • speak (or write) clearly, concisely and understandably,
  • conclude sensibly,
  • involve your auditees in validation and recommendation, and
  • drop information irrelevant to the audit committee.

You may find your audit reports to be a lit shorter, lighter and significantly more appreciated by your audit committee members. And remember, all the details are in your working papers ... or at least, that's where they should be. Not in your audit report.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

5 simple steps to remaining on target

It's been too long since I've posted a blog entry. Between work and adapting the curriculum of a venerable training program in my new role as academic director, there were not too many words left in my head or fingers.

The juggling of multiple projects and responsibilities has made me more aware of the challenges of remaining on-target. When managing multiple activity streams which are competing for my attention all the time, I noticed I did not stand a chance of achieving any kind of productive result unless I took the time to consider their relevance now and how to practically move forward on each of them. It turned out to be very easy to be very active yet not make any progress on my priorities. That had to end, and this is how I did it. This is not rocket science. It works for me, and it may work for you:

Step 1 - categorizing my projects

The first thing I did was (re)categorizing my projects. This is a pretty simple application of the Getting Things Done methodology where the higher altitudes of planning correspond with your areas of responsibility.

Actually, I have adapted these areas of responsibility a little bit. I translated them into objectives which closely align with my areas of responsibility, but which are ordered in order of importance for myself. For example:

The first objective on my list is "Ensure a healthy family life". This corresponds closely with my areas of responsibility "husband", "father" and "son/brother-in-law". Now, while I can imagine projects I can do to ensure a healthy family life, it's a bit harder to imagine projects I can "do" to be a husband, a father or a son/brother-in-law.

And another example:

A bit lower on my list is the objective "Make your clients happy" Now, I have quite a few clients, which align with my areas of responsibility of "Chief audit executive at BTC", "Executive Professor at the Antwerp Management School", "Faculty at the Solvay Brussels School" and "Partner at CasMo". Now, while my clients in each of these areas of responsibility are very different, such as the board at BTC or my participants at both Universities, the key objective is to ensure they are happy. Relevant projects are only those projects that will ultimately lead to the clients being happier than before.

The interesting thing about this approach is that it shows you where you tend to overcommit and where you undercommit to your priorities. There is a reason I put family life soo high on my agenda. If in the daily hubhub of work life I tend to undercommit to my wife or children, I see it immediately. If I put that responsibility further down, I may forget it or ignore it too long. And that would not be honoring my own priorities.

Step 2 - Developing a purpose statement and a description of project success

This one was born out of project management training. I go through my list of projects and for each of them, I try to write why I'm doing that particular project and what success of that project would look like. for example:

I have this project which is titled "Put all your photos online". I'm doing this to preserve my photos and make them accessible to my family members and close friends. That's a purpose statement. Success would be if all my good photographs are saved online one month after having been taken, with access given to family members and close friends depending on the content. Birthday pictures get a wider distribution than vacation pictures, for example. That's a definition of project success.

This exercise takes some time, but it serves a dual purpose. First, it clearly defines why I do what I do and what success looks like. However, if you do this exercise, you may find out that formulating a why on some projects is not that easy. And even if you can define a why, what success looks like is not always that simple either. Think about this: if I cannot define why I am doing a project, perhaps I should not be doing it, because it does not contribute to my larger objectives. If I cannot define what success of a project looks like, that means I will not know when I have achieved that success. I won't know when it's done, when I can stop. That usually means I have not adequately considered the project, and it needs to be refined. For example:

Recently, I found a project on my task list which was titled "Assist in developing strategic plan for entity Y" in the context of my work for BTC. When I was considering the purpose statement, I realized that it's not up to internal audit to actively assist in developing a strategic plan. I actually started a project where I was just supporting the management team by identifying a number of people that could support them. This did not warrant a project, nor the time I would spend considering a next action on this. This was just a to do in a miscellaneous task list. I quickly killed that project.

Either way, I will put this project on hold and I will consider it further during a review. I need to reconsider it before going forward on it, before spending precious time on it.

Step 3 - Defining project outputs

For each project that remains alive after that culling, I define a maximum of three tangible project outputs. I list what I believe to be essential deliverables of the project. These may be intermediate deliverables, but they are things a project should realize in order to be successful. Quite often, a good purpose statement and success statement will hold keys to these project outputs. For example:

Going back to my "Put all your photo's online" project, I defined my outputs as "A procedure to timely (one month) review all your photo's, remove the bad ones and put the good ones online", "Access to the photo's for all relevant family members and close friends" and "Proper segregation of access depending on status". These are tangible outputs in the sense that they either exist or they don't. If they exist, the project can be considered a success. If they are not in place, the project has not (yet) achieved success.

The tangible outputs need to lead to success. They are the larger steps in the project, but by themselves they do not consist of specific actions. They are too large for that. I actually work with outputs instead of activities because it is easier to get lost in activities. If you do not define your activities well, you are likely to lose time in determining what to do in order to "do" the activity. An output is easier, in the sense that actions either lead to the output or they don't. Outputs tend to make it easier to define actions, which is the next step.

Step 4 - Define the actions that lead to the outputs

Once we know what outputs we need to achieve success, we need to start work on making sure those outputs are produced. That is the development of the actions. It will not always be easy to define what all the consecutive actions are you need to take to develop the output. However, the next action is usually very easy to identify. Once that is done, the next action becomes easy to define, and so on. In GTD parlance, this is runway level stuff, but only after we have done the higher altitude work, not the inverse. If there is too much stuff on the runway, it becomes very easy to get distracted. And stuff on the runway that should not be there will lead to crashes. So you need to ensure that your runway is cleared for take-off, which you do by defining your deliverables, your outputs in a very clear manner. For example:

In my "Put all your photo's online" project, I defined "Proper segregation of access depending on status" as an output. The next action there is: make a list of people that need access to my photos. The next action after that is: make categories for your photos depending on their nature. The next action after that is: determine who on my list of people gets access to which category ...

After having defined the output, the next action becomes easy to define. You are not very likely to get from where you are to your output on all of your projects, but your project actions will become a lot clearer.

Step 5 - Daily top three priority projects

Each day, I go through my list of active projects in all my areas of responsibility and I pick three projects on which I want to make progress that specific day. Only three, and each day is a different day. Take a weekend:

On weekends, for example, my focus will be less on making my clients happy and more on ensuring a healthy family life. I will only look at one keeping clients happy project and put most of my focus on a healthy family life, by working on my photos project and on another project which actively involves the kids. Or I may forego client projects all together and work on some maintenance projects.

Or, for contrast, a weekday:

On weekdays, my focus is solidly on making my clients happy. If this is a traditional working day, I will select two BTC projects and one maintenance activity with a direct impact on my BTC work, such as "Maintain audit working papers".

I aim to spend 80% of my time that day on those three projects, and I try to clear at least one next action for each of those projects. Quite often, I clear more, because I am very focused on what I am doing.

Today, for example, I was working on my "Make and maintain professional connections" category, which has a running project called "Blog on Exploring the Black Box". It had a next action which was titled "Write blog post on remaining on target" which relates to the output "Write one blog article per month on personal productivity".

Conclusion

Procrastination is everywhere, and it hides in the small details. We may work hard but end up unfulfilled because we failed to do meaningful work. Meaningful work becomes easier to define if we know what brings meaning in our lives. This very practical process is one way that helps me ensure I do just that: meaningful work.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

The (in)flexibility of corporate governance

Thinking about corporate governance

When we think about corporate governance, most if us think about a large and quite often unwieldy set of organisational structures and processes which keep the organisation aligned and on course towards its explicit objectives. And that is what governance has been portrayed as ... An immovable aspect of an organisation, set in concrete, and difficult if not impossible to change.

Wikipedia defines corporate governance as

"[...] the system of structures, rights, duties, and obligations by which corporations are directed and controlled. The governance structure specifies the distribution of rights and responsibilities among different participants in the corporation (such as the board of directors, managers, shareholders, creditors, auditors, regulators, and other stakeholders) and specifies the rules and procedures for making decisions in corporate affairs. Governance provides the structure through which corporations set and pursue their objectives, while reflecting the context of the social, regulatory and market environment. Governance is a mechanism for monitoring the actions, policies and decisions of corporations. Governance involves the alignment of interests among the stakeholders." (emphasis added by me)

Failing to understand the needs of corporate governance structures

While governance is indeed one of the more stable aspects of current day business performance, with codes having been published throughout most of the world dictating what at a minimum a good governance structure should look like, I have a feeling a lot of people fail to understand that a good governance in an organisation is nothing more nor less than an essential scaffolding for goal oriented performance of that organisation, within a set of normative boundaries.

We can dive deep into governance, and I want to and will later on this year, when I'm preparing my course material for the classes I will be teaching on that subject matter at the Antwerp Management School, but now I want to make a very specific point on most of those codes and frameworks that have been established ... because I believe internal audit's current interpretation of its role with respect to these frameworks fails to address a key aspect.

Corporate governance is a blueprint ... only a blueprint

I've referred to governance as a scaffolding, but let's consider it more like a blueprint of a vessel that will take the organisation towards its goals. A blueprint, or even a set of DNA-coded rules that will provide an organisation, if properly applied, with a stable structural basis to develop from.

There is, however, a problem ... we often fail to consider our evolving needs when we build our first house. DNA instructions only kick in under specific circumstances, and not under others. The same goes with organisations. The structures considered relevant at a certain point of maturity of the organisation are often no longer that relevant once an organisation evolves and matures. Just like a small dingy will do well to sail on a calm lake, it cannot withstand an ocean in gale-force winds. The context has changed, and so the governance needs to change. And herein lies the problem, a problem internal audit is excellently positioned to address if it lets go of its traditional approach to its roles and responsibilities and embraces its strategic role in the organisation.

Resistance to change

Governance structures are often inherently resistant to change. They are built that way. By definition, they are there to avoid organisation becoming severely dented from multiple impacts of risk events. They have been developed to endure and thus they endure ... beyond their relevance. They are, so to speak, the plastic containers of the soft drink. Long after the soft drink is gone, long after we are gone, the plastic container endures. Much like that container, we often find relics of original governance structures deeply embedded in organisations, sometimes even at the core, where their irrelevance to the new reality in which the organisation plays actually impedes that organisation from developing at the required pace to keep up with the competition.

A core task of the internal auditor

The interesting thing is that it is one of internal audit's core tasks to provide the organisation and its board with timely indications on the continued relevance of its governance processes. It is right there in the definition of internal auditing:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." (emphasis added by me)

A quick trip down memory lane

How did we get there? Internal audit started out as the guardian of the internal control systems. If the internal controls were well, all was well. Well, not so much, it turned out. The 1980's clearly showed that that line of thinking was an error. Even with no failures in internal controls, those controls may well have been built in the wrong places given the evolving risk profile of an organisation. Internal controls were clearly not the ultimate solution to organisational issues.

The scope of internal audit activities was extended to cover risk management systems as well. We were no longer just looking at internal controls, but also at the circumstances that required us to build those internal controls in the first place, the risks impacting an organisation on its way from its current position to its intended objectives. Sadly, that still did not prove to be adequate to avoid major problems. Enron and Worldcom showed that even with some measure of risk management systems present in an organisation and internal audit actively monitoring those systems, a structural lack of governance - window dressing, as it were - can lead to significant issues which could not be mitigated by an active second and third line of defense.

Enron and Worldcom were addressed in the US by the passing of the Sarbanes-Oxley act. Much has been written about that, and we are not going to revisit those discussion. I believe that while intended well, Sarbanes-Oxley may have gone about solving this issue in the wrong way. Internal audit should have gone on to play an even more explicit and important role in signaling governance issues. What happened was the contrary. Internal auditors became process mapping experts and started to tick the boxes on the adequacy of internal control structures. So instead of a step forward, internal audit took a step backward.

Exiting the dark ages of internal auditing

We're slowly leaving those dark ages (okay, years) of internal auditing. The banking crisis of 2008 emphasized the need for an independent oversight of existing governance structures. Essentially, the questions to be answered are the questions that are invoked in the definition of internal auditing:

  • Do these governance structures exist?
  • Are the governance structures being used and respected as they should be?
  • Are the governance structures still relevant?

However, it is no longer just the governance structures that need to be reviewed and where needed renewed. We will have to train an entirely new generation of internal auditors as well. Internal auditors with the capabilities to not gravitate towards ticking the boxes but with a capability to review and provide assurance and advice on the adequacy of governance structures.

This will prove to be a key challenge, a challenge we will go about addressing in our master classes at the Antwerp Management School. In 2014-2015, they still will be given in Dutch, as of 2015-2016 we're planning to establish a master class internal auditing in English as well. I will be developing some of these ideas on these pages. I hope you will take the time to share your ideas as well on the platforms I will be posting these ideas on.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Audit interviews: exploratory versus digging questions

Failing to bring home the goods

I believe most of us have been in a situation such as the following: we send out a young staff member on an interview, most often one of their first, only to have them come back with less than the information we expected them to. Then we hit ourselves over the head for not having briefed them at length. This wastes both their time, our time and our auditee's time. And all of that time costs money.

Understanding the questions

It's a rather common occurrence that young auditors often either don't dig deep enough when interviewing, or fail to identify the entirety of the information an interviewee can provide them with. The reason? They often lack a basic understanding of different types and uses of interview questions, how to approach an interview, how to properly prepare for it and how to spread the questions to extract the maximum available information. Interviewing is an essential skill for any internal auditor. As we all know, there are many different aspects to a good interview. In the context of the issue above, I want to focus on a very narrow but important aspect of an interview: the nature of the questions you ask.

An interview as a key audit tool

An interview is an important audit tool. When you are conducting an interview, you essentially try to get a better understanding of the subject matter you interview a subject about. Interviews are a great way to get some essential information quickly, if you conduct them the right way.

There are, however, as with any tool, a few caveats. Keep in mind that interviews will - on the whole - provide you with less objective information than a document review will. Situations, occurrences, issues, problems are communicated to you after having been interpreted by the person you are interviewing. You see the information they provide you like it passed through their perception filter. Add to that your own perceptual filters, and you have quite subjective information.

It is therefore quite important to get a feel for an interviewee's position towards specific issues in order to be able to interpret their comments correctly.

On the other hand, you may be confronted with reams and reams of information you have no chance getting through before your audit ends. You may be sure that you have the essential information, the smoking gun so to speak, available in the truckload of data that has been provided to you, but you need to find it first. A well conducted interview may help you with just that.

On an aside, I have the impression that the easier it is to transfer data, with the enormous load of data that is available, the more difficult it gets for the internal auditor to find the issues in all that information. Which explains to popularity of data analysis tools such as ACL and IDEA.

In order to be able to manage an interview well, you need to know there are many types of questions you can ask your interviewee. I usually distinguish between exploratory questions and digging questions. Each of these questions has their specific uses.

Exploratory questions

Exploratory questions are questions which allow you to explore the field of knowledge or information your interviewee has information about. They don't necessarily tell you what the interviewee knows but they will tell you what they know about. The lines of questioning therefore do not dive deep into the information, but more or less scan the available information which we can gain access to through the interviewee. These questions are essential, as they allow the auditor to determine what the interviewee can provide in the context of the audit. You could compare it to reading the tables of contents of quite a few books and asking some questions about those. Exploratory questions allow you to determine what information is available, and whether or not that information has any relevance for your audit.

An exploratory question could for example be when you ask the foreman of a plant who is responsible for the maintenance of certain key infrastructure. He may answer "Pete" which then leads you to conclude that he does not necessarily know about the state of maintenance and that you need to talk to Pete. If he answers "me", you know that he can provide you with information on the state of maintenance. This is likely important, but not enough information. After all, you need to understand what his subjective position towards infrastructural maintenance is. Is he against what he may consider an overly careful maintenance schedule, because it reduces output and thus bonus potential. Or does he find that the people get pushed too hard, with not enough maintenance work being done and working conditions being dangerous. Remember we talked about a subjective interpretation? Well, that information can provide you with insights in how the issues he has information on may be perceived.

Digging questions

Once you have a good view of the lay of the land, of the information your interviewee can provide you with, you need to identify what the information is you want to dig out. The digging is done by means of very specific questions that provide you with access to the information the auditee knows about. By using digging questions, the auditor focuses on a specific subject. You want your interviewee to provide you with everything he or she knows about that specific subject matter.

Digging questions are usually a combination of an open-ended question to start off with, clarification questions to clarify understanding of certain issues and then closed questions to confirm your understanding. For example:

Imagine the foreman has confirmed that he knows about maintenance of the infrastructure. You could then dig in with "Can you tell me about the maintenance of these machines in the past 2 years?" After having heard him, he may be indicating, but not yet entirely volunteering some issues with one of the machines. You could then ask "I seem to hear you say that machine A's maintenance schedule was not respected. Can you tell me more about that?" After having heard the full explanation, you can confirm your understanding: "I understand that you feel that the production pressure leads to a reduction of the maintenance schedule of machine A, with in turn leads to safety issues for the team, am I correct?"

In conclusion

It's important to be quick on your feet and to ensure that you do the digging in the right spot. It's a bit like a treasure hunt, but there are no maps with X-es on them. Rather, an auditor needs to find the map, interpret the map, mark the spot, then go and digg and bring back the goods.

A well structured interview approach in which the interviewer is very conscious of what he is doing is an essential tool in the toolbelt of any auditor.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Efficiency overkill

Working on efficiency

We've been working a lot on efficiency aspects lately, so I got to thinking about the boundaries of efficiency quite a lot in recent days and weeks. Efficiency is very important, especially in a public sector environment. We are using taxpayers' money, so it is essential that we make the best possible use of that money. Best possible use means producing quality output. And quality, in turn, can be defined as an result reached effectively and efficiently. Quality output means we are doing the right things the right way. And as with a lot of processes in public and private environments, there is a lot of room for improvement.

Going too far

But can we go too far? Can a relentless push for efficiency lead us to a place where we have lost the essence of what we were trying to achieve? I think this is a real possibility, probably one that was experienced by many private sector organisations in that first wave of reengineering in the 1980's and beginning of the 1990's. A too relentless push for efficiency can destroy the identity of the team and the organisation.

So what now? Is there a certain threshold where we need to let go of trying to achieve efficiency in our approaches? And where would that threshold be? Is it not a quite individual appreciation? Or are there other means? Other ways of looking at this problem.

The meta-nature of the Japanese tea ceremony

I like to look at the Japanese tea ceremony as a wonderful example. Deeply rooted in Zen Buddhism, the tea ceremony is a practice that has a set of clear objectives and follows a strict set of practices. It is both effective and efficient as a process in its own right. But it forces the participants to focus on the moment, to be really there, deeply attentive and immersed in the experience. It is a practice that obeys the rules of the game (i.e. it needs to reflect quality) but, by its nature, it forces the participants to consider not just the process but also the entire circumstances of the process. It brings the participants back to the essential aspects of what they are doing, in this case, making and consuming tea.

Retaining our identity

Why that example? Because in our relentless search for efficiency, we need to keep in mind why we are doing that and whom we are doing it with. We need to ensure that identity is maintained throughout the exercise. We need to respect certain traditions that makes us reflect on who we are and why we are doing what we are doing.

Any initiative aimed at improving efficiency and effectiveness needs to reserve a spot, be it a place in time or a physical location, where we can reflect on why we are doing what we are doing, and how it relates to the wider whole of the organisational objectives. If we fail to do that, the ultimate efficient and effective process or organisation we will build will be but a husk, a mere reflection in troubled waters of what we were ultimately trying to achieve: build a process that understood humans are humans.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Quick thoughts on development aid

Development aid is not about punishing people. Not our own people, not our beneficiaries. It should never be about guilt, or about a debt owed. It should be about using our intelligence, our creativity, to make the world more inclusive.

It should never be about the typical Catholic rap of: "you should feel bad because you have it so good." We need to look at all possible ways of bootstrapping our beneficiaries, pull them up to where we are, and continue together, beyond where we are now. Fundamentally, it's about leaving this place a better place because we've been in it.

We should also dare to be open for the non-traditional solution, which may not perhaps be on or right next to the trodden path. As Robert Frost so eloquently wrote:

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.

You know, I've never really known whether this was a positive or a negative poem. But perhaps life is like that.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx

Some ideas on democratic administrations (updated)

There is a old "new" management wave roaring through the organisational straights again, and it is lapping up on the shores of public administrations. I'm talking about the workplace democracy model that was made famous by the success of Brazil based Semco in the 1990's. The general idea is that reducing management in favor of direct decision making by the collaborators themselves will significantly increase performance without sacrificing efficiency, effectiveness and compliance. The Semco experiment has shown this model can work in a for profit environment, where the participants stand to gain from maximizing their own input as it translates directly in monetary values. The question is whether this model would also function in a public sector environment.

A more fundamental analysis of the uses and issues with such a model in a public sector environment is probably an excellent subject for a doctoral thesis. I have no data to support or reject the use of this model, other than some narratives which are, as evidence goes, rather limited. But there are a number of factors which we need to consider when implementing this type of model in a public sector environment. Let's consider a few ...

It's not your money

Problems with workplace democracy in a for profit environment directly impacts the collaborators themselves, as it hits their personal bottom line. They have a direct, tangible incentive to correct problems because they stand to gain less if the issues are not resolved in a timely manner.
In a public sector environment, the money is not theirs, or not theirs directly. The tragedy of the commons problem will tend to occur, where key maintenance activities - I consider internal controls as maintenance activities - are neglected to get the most use out of the available means without considering longer term impacts.

Corruption and fraud

When a person actively abuses means from a for profit organisation, he harms the shareholders. These shareholders are those colleagues around him. These people have - under certain assumptions - a vested interest to ensure that the abuse does not take place. If the direct (financial and other) benefit of participation is significant, participants will automatically tend to curb free rider behavior of one or more players. You will have some misuse, but it should not, in principle, dominate.
However, the same Nash equilibrium will not necessarily be reached because the circumstances are fundamentally different. The pay-off for each of the participants in a public sector context is quite different from that in a for profit context. The risk of abuse of public means may be significantly higher.

Need for strategic audit

Some of the proponents of the workplace democracy idea would like to do away with control and audit, because self-regulating organisms regulate themselves. There would no longer be a need for such control and oversight systems. That may be taking that particular turn at too high a speed, however.
Self-regulating organisms either regulate themselves, or die. If they die, they die because their particular solution is not adequately adapted to the circumstances on which it was brought to bear. Hence, we need to ensure that the circumstances for workplace democracy in public sector are adapted. To me, and subject to significant further research, this would mean having adequate internal control systems as well as clear governance in place, including internal audit structures, to ensure that the taxpayer's money is used in the most effective and efficient manner for the intended purposes.

Update - responsible autonomy

A good friend and reader mentioned the following article on wikipedia on responsible autonomy. What I really like about the article is that it does mention the need for "clearly defined boundaries at which external direction stops".

If we consider this, the need for an independent and objective group of people, such as auditors, to assess both the relevance and the continued compliance with those boundaries becomes very obvious indeed.

Internal audit can assess whether circumstances validate for example an extension of the boundaries or, on the contrary, require a contraction of those boundaries. Factors need not only be internal control issues, but may also be related to external factors changing. These factors could be identified through risk analysis, for example.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. by Ben Broeckx