The impact of learned helplessness on audit recommendations

/ CasMo HQ/

Learned helplessness in organisations has become an agent of the resistance

Ron Ashkenas wrote a very interesting article on the HBR blog a while back: in "Learned helplessness in organisations" he addresses the "external" excuses that process owners manage to come up with in order not to change their process. To quote him:

"This phenomenon — which one of my clients has dubbed "learned helplessness" — has the power to permeate the culture of an organization. Like a spreading infection, managers pass on learned helplessness from group to group and level to level. Eventually the standard response to any initiative is some variation of, "We'd love to do that, but we really can't.""

Auditors are frequently confronted with change resistance

It’s a statement very familiar to internal auditors, especially during the recommendation phase. Proposed solutions are rejected or never implemented because the process owners use this phrase as a defense (less frequent) or are genuinely convinced (more frequent) they are not able to change and optimize a process because of external constraints.

It gets worse: lack of or inconsistent understanding by supervisory bodies which are tasked to check compliance with certain rules and regulations, either internal or external, often leads to requirements being imposed on process owners which are (at best) not conforming to the intention of the rules and regulations or (at worst) diametrically opposed to the rules. Let me share a real life situation I once encountered:

During a process reengineering project we were interviewing clients of the organisation we were reengineering. As it was a government organisation with a significant role in checking compliance of actors active in their regulatory space, we wanted to determine the relevance of their compliance requirements. The client of the organisation told us that they had adapted their procedures to comply to the requirements as imposed by one inspector, only to find that these requirements were overturned by the next inspector that visited them. Both inspectors came from the same organisation.

How to approach change resistance

Well, it takes persistence. Ron Ashkenas recalls:

”Undaunted by their response, my colleague asked the managers to simply list all of their reports, approval procedures, reviews, audits, metrics, decision forums, standing meetings, and other management processes. He then had them identify which ones the government required, and which had been created internally. Much to the managers' amazement, the vast majority of these management processes were self-generated — which meant that they could streamline much more than they had thought.”

So the key challenge to the internal auditor is whether you accept the statements of your auditees as to their capability to change certain processes, or whether you are critical enough to challenge aspects that may actually lie beyond the scope of your audit or indeed even beyond your technical capabilities. Another story:

We were once auditing an organisation which did some of its technical testing using certain crystals in a destructive testing procedure. These crystals were either worth a lot or nothing at all, depending on the quality of the crystal. According to the engineers, there was no way to value the crystals other than destructive testing. The value of an individual crystal was material to the financial statements of the organisation. We consulted with an expert, a university professor, who was nice enough to give us his opinion for free, and he pointed us to some recent research which allowed for non-destructive testing and hence better valuation of the crystals. The engineers at the organisation had not been aware of recent developments, and had assumed the only way to test was destructive.

As far as I am concerned, the value of your audit is of course the reasonable assurance that can be derived from the auditing work itself, but also, and often ignored, the added value of relevant recommendations. These recommendations need to be as relevant as possible, and where required need to break through certain assumptions that have been underlying the current procedures, often for years, that are no longer valid.

Developing good audit recommendations

/

In short

Recommendations should never be developed in an ivory tower. Rather, bringing in the auditees during the recommendations phase and challenging them to develop SMART recommendations will enhance the quality of your recommendations. Proper process should counter any issues with objectivity that may arise.

Relevant recommendations are hard

This is a no-brainer for most auditors. Concisely describing your findings in a manner that all relevant readers can understand is an often underestimated task. Developing SMART recommendations related to these findings can be even more challenging, especially in a subject area which is technical.

Nevertheless, auditors often insist on their independence and objectivity as an argument to only involve the auditees in the report finalization phase. The auditees are confronted with a set of well-intended recommendations with proposed deadlines, and often only have a limited time to react. And that's a problem.

Recommendations are not after-thoughts

Rather, they are core to the relevance of internal audit as a profession. Hence, ensuring relevance and feasibility of recommendations should never be the last item to check off the checklist before issuing the report. Rather, it should be core to a separate audit phase, the recommendation phase, where auditees and auditors come together to analyze how to best approach the findings.

But what about independence and objectivity?

We can't involve the auditees in the recommendation development phase because involving them will impede our independence. Will it really? I'm not too sure about that.

Independence is a means to objectivity. Objectivity allows to judge adequate due diligence and report on that. That's at the level of findings.

However, adapting processes, systems or behaviour to improve due diligence in an organization is, at the end, a management decision. As auditors we have the right to independently point out the direction we believe to be most optimal to address the issues raised. We cannot take the place of management and force them in a certain direction.

Hence, rather than believing that involving auditees in the recommendation process will impede our objectivity, I am convinced that not involving them in the recommendation development and only allowing their input as an after-thought will empede our future independence. Why? Well, imagine they will chose a route different from the one we as auditors proposed. Imagine that we invested a lot in developing this recommendation. Pride is a human characteristic. I sincerely believe the risk of not being able to objectively assess auditees' response is a bigger issue than involving them in the process to begin with.

Mind first, words later

There's another element to take in account. Most of the obvious solutions we as auditors with a limited working knowledge of practical, technical situations can come up with have been tried, tested and often dismissed as not feasible or ineffective in the past by those auditees.

"Most complex problems have simple solutions, which are most often wrong."

I don't remember the source of the above quote, and I'm not quoting it verbatim either, but there is quite a lot of thruth in it. To not only patch but really solve certain issues, we need to look at creative solutions for them. The best possible way for me is to combine the critical attitude of the auditor with the in-depth knowledge of the auditee to examine new, creative ways of issue resolution.

But what if you don't agree?

Auditors are independent. Imagine an auditee supports a certain solution which you are convinced will never really address the issue. The audit report should clearly state this and describe both the proposed solution by the auditee and the solution or ideas of the auditor, as well as the motivation why the auditee response is inadequate. This way, the audit committee and the board have all relevant information to decide on a recommended course of action.