Dual using Pocket and Instapaper in one workflow

/

I’m an absolute Instapaper fan

So much of what I’m about to write feels a bit like betrayal. Betrayal to Instapaper, betrayal to Marco Arment, whose 5by5 podcast I try to listen to weekly.

Still, I’ve recently integrated Pocket into my workflow, where it replaced a function I intended Instapaper for, but I never figured out how to make it work. So Mr. Arment, it is not your fault. It’s mine.

Instapaper usage

I’ve not abandoned Instapaper. On the contrary, the way in which I use it now makes it, in my view, more what is has always excelled at. A calm place for long reads. Instapaper has always been a learning tool for me, as bizarre as it may seem. And much like University books, I cannot delete stuff from my Instapaper queue. The content of what ends up in Instapaper feels too sacred. And the fact that I cannot delete it means that I get frustrated by the fact that I have so much unfinished reading to do. Some of those articles are really no longer relevant.

Enter Pocket

Which is why I like Pocket. I don’t feel bad at all about eliminating stuff from Pocket. The interface is good, but it doesn’t make me feel like I’m committing a sacrilege by not reading all the articles that I find. don’t get me wrong, Pocket is a great tool which allows me to quickly scan through selected articles and review whether or not I want to read them. But although the interface looks wonderful does not invite me as much as Instapaper does.

The workflow

So what’s my workflow? First I identify articles in Reeder or when searching the web. I use Pocket to put them in a single place where I can revisit later. If an article is relevant to actually read it more in detail I will send it to Instapaper where it will be waiting in the queue for me to read it later.

The bottom line? I actually use Instapaper to “read it later”. And Read It Later, now Pocket, as a capture device for new information which I need to review or process.

Not at the table, but perched on the radiator

/

Headline

A number of recent publications have extoled the virtues of internal audit having a seat at the management table. I don’t agree. I think that a seat at the table for the Chief Audit Executive would probably be the worst place to be. We need to be in the room, but probably sitting on top of the radiator, listening to the conversation, and on a regular basis raising a finger and saying the sacred words, “Yes, but …”

The curse of the “trusted business advisor”

Becoming the trusted business advisor has been a fad for a lot of consulting and advisory organizations for the past 20 years. I know, I’ve had to hear the mantra many times in my years at the other side of the table. I’ve been a consultant. The problem is that it’s a mantra. When asked as to the why, the answer always turns out to be: “to sell more work.”
Anyone speaking about trust without being invited to do so automatically deserves my distrust. I may be cynical, but I’m an internal auditor. I was bred that way.

Our role

Let’s revisit the definition of internal auditing:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

I can’t help but notice that the fifth word of that definition is “independent”. Independence, of course, serves a purpose. I’ve written about that in the past. Independence aims to ensure the highest possible objectivity. And in order to be able to be objective, you need to develop at least some distance to activities of the management team.

I also note the word evaluate which again implies the ability to look at something from a certain distance, without being to distant not to be able to observe it at all (see my rants about where internal audit should be positioned in the Belgian federal government, for example).

Our role, extended

There is another role we have as internal audit, which I have yet to see formalized in the definition. But perhaps I’m reading it wrong. For me, an essential role of internal audit is the following:
As an evaluator of risk management, control and governance processes, we need to be the moral compass of the organization and its management team in a world where competitive and other pressures push relentlessly on the individuals making up such a team.

Where we need to be

I believe we do not need a seat at the table, no matter how enticing it may be for some of us. Getting a seat at the table means sharing the warmth of companionship of your peers which you work with every day. But you’re the auditor, they’re the management. It also means that you may be to close to be able to evaluate objectively. This is called parallax, and it’s an issue in measurement.
However, we do need to be in the room. Perhaps we should be, as I said before, not at the table, but off to the side, sitting on top of the radiator, listening to the conversation, respectfully pointing out where true North is if it tends to get lost.

Weaponizing internal audit - part II

/

I missed an important element when writing the short post in weaponizing internal audit. This post was inspired by a sentence written by Mike Monteiro in his new book, “Design is a Job”.

When we talk about using internal audit as a defensive asset whose presence should ensure higher compliance, it also requires internal audit to be credible. This is an often overlooked core feature of internal audit. Credibility is related to a relevant and thorough understanding the subject matter one is auditing. Lack of adequate credibility is a comment often heard about external auditors, even though they often only work within a narrowly defined field within external audit boundaries. These boundaries are backwards looking and financial.

Proximity to the subject matter makes an internal auditor credible

A key element which makes an internal auditor credible is his or her deep understanding of the subject matter. This is why outsourcing of internal audit to large providers often is not a good idea. This is also why I really don’t support the large internal audit model which is now being pushed at the level of the Belgian federal government.

Putting the cart in front of the horse, euhm, kid

/

I had an interesting conversation this morning in the train to work.

Discussing the lack of guidance about future avenues school choices taken now imply, I had a flashback. I remember one of my first days at University. We walked into an economics lesson, and the professor started to tell us why economics was so relevant.

I can’t help but think it must have been a shock to those who suddenly realized they made an error, that they really did not care for the whole economics thing that much … But were stuck for the remainder of that year.

Perhaps we need to rethink guidance counseling in Belgium.

Weaponizing internal audit

/

"Your lawyer is a defensive asset and not to be weaponized unless absolutely necessary.".

Courtesy of Mike Monteiro. Internal auditors are much the same. In essence, we are defensive assets. Our presence should prevent issues. But in order to be a relevant defensive asset, you need to be credible as a relevant threat ... Internal audit needs to be effective in numbers, scope and independence.

In other words, the more likely we are to find an issue because of understanding, knowledge, tools, insight and training, the less likely people will be willing to run the risk of getting caught.

This benefits not only internal audit, but the entire organization.

"You are responsible for what you put into the world"

/

"But as a designer, hell, as any type of craftsperson, you are responsible for what you put into the world." - Mike Monteiro in his just published book "Design is a job"

think about it. It's your responsibility. And don't forget, it's as much about what you do as it is about what you accept, or rather will not tolerate that others do. Ethics, after all, is about taking a stand.

Let's talk about risk

/

The importance of consultation and communication in risk management

ISO 31000 refers to consultation and communication with stakeholders as a key activity in a well implemented risk management methodology. Let’s examine why these elements are important.

The elements

ISO talks about consultation and communication with stakeholders. So we need to explain why:

  • consultation
  • communication
  • stakeholders

are important. We’ll start with the whom, then discuss the two interactions.

Stakeholders

“A stakeholder is a person with an interest or a concern in something, especially a business.”

A stakeholder is therefore influenced by the objectives of an organization and whether or not it achieves these objectives. Note I’m not saying that every stakeholder is necessarily aiming for the organization to reach (all of its) objectives. On the contrary, a stakeholder may be defined as a stakeholder because his or her interest runs counter to the objectives of the organization.
Not recaptured in the definition is that stakeholders have many means at their disposal to influence whether or not and how or at what price an organization can reach its objectives. A voter, for example, may have interests aligned with a political party. If that party does not achieve its stated objectives, it’s entirely possible the voter will take his or her vote elsewhere, and impede the party from realizing all its objectives.
A political party and its voters are relevant as an example of the diversity of stakeholder interests in another sense as well. A political party has a programme, often a concensus of the diverse needs of its intended voters and its political objectives. Not every voter is as interested in the party achieving the entirety of its programme. On the contrary, quite often there may well be conflicting interests within a party programme. It all depends on the weight of the stakeholders in the decision making process.
Lastly, note that not all stakeholders are external to an organization. Your employees are stakeholders as well. And believe me that you should not automatically assume that they are aligned with each and every aspect of your strategic intent. Because they are not.
Let’s be clear, stakeholders are a force to be reconned with. I’ll come back to that later.

Consultation

“the action or process of formally consulting or discussing”

When we’re defining consulation, we need to define the verb “to consult”.

“have discussions or confer with (someone), typically before undertaking a course of action”

Consultation is all about exchanging information and ideas with someone, preferrably an expert or a party involved and with a particular view on an aspect of what you’re dealing with, prior to an action.
Lots of issues or problems or elements on the road to achieving objectives benefit from being examined from different angles. I’m not suggesting to adopt an overly committee like approach where decisions are postponed and killed in committee. However, quite often problems are only looked at from an extremely narrow point of view. This ivory tower mentality has led to significant mistakes in decision making because certain aspects of a problem where never recognized as such.
In programming, there is a dictum that states “Given enough eyeballs, all bugs are shallow” (Eric Raymond). The same goes for issue management. If enough people involved in the problem look at it from their particular point of view, bringing together all these elements will result in a best possible view on the issue.
However, there is a difficulty with this approach: sometimes the time between potential risk detection and that risk becoming a reality is too short to allow for a full consultation. It pays to have a consultation group of stakeholders with different points of view at the ready to allow for quick consultation.

At BTC, we established a consultation committee on integrity. Representatives from all divisions of the organisation gather on a regular basis to discuss integrity related issues and advice my team on how to approach certain integrity related issues. As stakeholders, they have an expertise which my team members, acting as the integrity bureau, does not necessarily have. This committee can be called together on short notice to discuss concrete issues.

Through consultation, you bring to bear all competence within the stakeholder group on a specific problem you are being faced with. You recognize the value these stakeholders have to you, and by doing that, you recognize their value.
However, and that is essential, by no means to you transfer responsibility or accountability for the decisions taken to deal with issues, problems or risks. That remains the sole responsibility of the organization.

Communication

“the imparting or exchanging of information or news”

Consultation is not enough. In consultation, you gather additional perceptions and information to make better decisions. Once those decisions are taken you need to communicate to all stakeholders. In essence, you want to communicate:

  • What: you decribe what the outcome of the consultations and the integration of the information learned into the decision making process;
  • Why: you describe, wherever possible and not counter to any commercial objectives, why you’ve decided to do what you do;
  • How: to those impacted, you explain how the what will be realized. What can they expect to happen to them or around them in what timeframe;
  • Outcome and corrections: once a decision is implemented, it leads (hopefully) to results. These results need to be communicated as well. Based on the outcomes, certain corrections may be chosen. These and their impact and the what, why and how need to be communicated as well.

Bringing it together

One well placed, misinformed stakeholder can bring an entire strategy down.
When dealing with any time of activity of an organization, enhanced stakeholder involvement is important to gain perspective but also to develop acceptance of actions that need to be taken. Inviting your stakeholders to the dance is an important means of gathering the necessary support for implementation or of timely identifying key blocking factors.
When dealing with risks and risk management, this need is amplified. After all, you are investing time and means in avoiding the occurrence of certain situations. But just as with Y2K, a risk avoided is something that did not happen. Clearly involving your stakeholders to get a realistic view on the issues and gathering ideas to deal with the issues in the most effective way possible is a sound business tactic. Moreover, it shows diligence where diligence is due.
By making communication and consultation with stakeholders one of the first elements of risk management, ISO has clearly stated that no risk management approach can be successful without the proper support of the relevant stakeholders.

My audit reporting workflow on a Mac

/

This is a post about my current audit reporting workflow. It's based on working with an Apple computer. Why Apple? Simple, the software becomes ubiquitous. In the many years I used Windows, I never felt the software was not there. With Apple, I have this all the time. It saves me hours each week because the tool switches, if required, are easier and less intrusive, just because the tools are so ubiquitous.

Context

I'm the head of internal audit for the Belgian development agency. We operate in 18 countries, most of these in Africa. We're a small audit team, it a very motivated one. We have a significant audit universe, which we share with the external auditors. These are both CPA equivalents as well as the court of auditors.
Given the size of the audit universe, we need to be very risk focused. Even then, we search for efficiency in auditing all the time. This is why the efficiency and the effectiveness of my workflow is so important. Let me take you through it.

During the audit: nvALT

We try to keep out work papers as tool independent as possible. For any type of text this means for me using txt files. And the most effective tool for that for me is nvALT, the fork of Notational Velocity developed by Brett Terpstra.
nvALT seems a simple txt editor, but it has a lot of functionality. I use only the bare essentials of the application. Each finding and each observation are described in a structured format, which I have developed in Textexpander. I tag the notes. nvALT uses openmeta format tagging. This allows me to easily find my notes for a specific audit back again. Using nvALT really reduces the friction. Either I write during the interviews or detailed testing itself, or I document as soon as possible afterwards.

Structuring the report with Mindnode Pro

I got introduced to the concept of mind mapping a couple of years ago and it has stayed with me every since. I'm not a mind mapping ninja, but I use it whenever I feel that I need more than the traditional hierarchical structures to develop my ideas. Audit reporting is like that. It's important to be able to communicate clearly and condensed to the reader, be that the audit committee or the auditee.
Mind mapping allows me to test a storyline which make retention and recollection for an audit committee bombarded with much information as easy as possible. The better the report is structured, the better the acceptance of the findings and the support for the recommendations will be.
In order to be able to easily restructure during the development of the reporting structure for that specific audit, I mind map and move elements around until the make sense to everyone.

Consolidating the structure with Omni Outliner

Once I'm happy with the reporting structure as developed in my mind mapping software, I lock this structure in in Omni Outliner. All tools of the Omni group are well thought out, and Omni Outliner is no exception. Again, I'm likely using about 10% of its potential, but for my purposes, it's excellent. Moving from the mind mapping software to the outliner happens through an OPML export. This specifically structured txt file allows for easy transfers of document structures.
The outliner is then used to add several layers of structure to the different chapters. Some of these are standard, as each finding is structured in a standard manner. Some of these are specific, or may indicate additional information to get from sources to really lock in the finding.

Final reporting in Byword with nvALT

Once the structure is finalized, it export the OPML to a txt file and start writing in Byword. Byword is a distraction free writing environment with good markdown support, which I use for formatting.
I actually integrate the small text files I wrote in nvALT by copy-pasting them into Byword. I'm sure there is a more efficient way, and I'm thinking of looking into using Scrivener for this, but this is my current approach. I copy-paste the text snippets which I have open on the left side of my monitor into the Byword document open on the right side. And I redact the text as I go. Some parts are written by my collaborator and these find their way in the report as well.
Once the report is in a relatively final phase, I export through Byword to Word. I have to in a non Apple environment. This is where final editing is being done. I dream of a CSS that has the entire report format of BTC ready, and I'll eventually get to that, but not this year.

Concluding

This workflow allows me to focus on the content of the report, not on the aspects of making sure the report gets written. The tools don't get in théâtre. They actually make it enjoyable to write.

How Valve gets the new economy: treat your employees as the adults they can be

/

In a blog post about how Valve operations are significantly different from other environments he had worked for, Michael Abrash made some very astute observations about how our current creative economy is significantly different from anything that went before. He states:

"almost all the value was in performing a valuable creative act for the first time."

He continues to observe that this essential change results in rendering most of the existing command and control structures irrelevant. I quote him again:

"If most of the value is now in the initial creative act, there’s little benefit to traditional hierarchical organization that’s designed to deliver the same thing over and over, making only incremental changes over time. What matters is being first and bootstrapping your product into a positive feedback spiral with a constant stream of creative innovation.".

Hence, traditional command and control no longer works if you want to be successful in the current economic reality. Or if it still works, you're in reality one disruption away from irrelevance.

But traditional organizations, built on command and control, have a hard time doing what they should be doing: giving their responsible employees the trust that they will act as grown-ups and focus on what their most relevant contribution can be. Now, this is not easy for organizations, but it's a significant challenge for the employees as well. Mr. Abrash again, when speaking about that maturity and the responsibility it entails:

"That it is their responsibility, and theirs alone, to allocate the most valuable resource in the company – their time – by figuring out what it is that they can do that is most valuable for the company, and then to go do it."

However, and this is key, allowing your employees adulthood is also allowing them to make their own mistakes and allowing for the group to help them in correcting them. He states:

"Sometimes people or teams wander down paths that are clearly not working, and then it’s up to their peers to point that out and get them back on track.".

The challenge is therefore to allow your collaborators the freedom and give them the trust to fail, but also to succeed. Get out of their way and make them create.

I would like to extend this. The success of our future organizations will depend not on the level of command and control we build, but on the level of trust and allowances for useful failure we are willing to give our collaborators. This is the new economy, where the significantly reduced layers of management, if any, only exist to allow the collaborators to play for epic wins. For the rest, they need to get out of the way.

I encourage you to read the entire article here.

Thank you, Mr. Abrash, for some great insights.

The challenges of establishing a centralized internal audit service in the Belgian federal administrations

/

Please note this is an opinion piece. There are some strongly held convictions which I voice here.

My involvement in trying to establish internal audit in the Belgian federal government

Recently, rumors have been building up again about a centralized internal audit service for the Belgian federal government. I think it would be a very bad mistake to make. Truth be told, I’ve been involved in the fight to establish audit services in the Belgian federal government since the early 2000’s.

My current role & responsibility is a direct result of my deep appreciation for working in activities related to government. At BTC, I’m both living a dream as head of internal audit and feeling I can make a contribution. BTC, after all, is the agency, wholly owned by government, charged with development aid.

Note that the early 2000’s were the time of the Copernicus reforms, where giving an increased autonomy to federal government services was high on the agenda. The envisioned reduction of direct political influence on the administrations was an important stated goal. However, increases in autonomy had to be counterbalanced and internal audit was an important aspect of that counter-balance.

The current state of internal audit in the Belgian federal government

Please note that to date, no formal internal audit activities have been started up in the Belgian federal government. To be clear, this does not mean there is no internal audit activity. On the contrary, several federal government services, understanding the need to have an independent or semi-independent entity responsible for oversight on internal controls, governance and (in the relevant cases) risk management, went ahead and started up their own internal audit departments. Some of these have more than 10 years behind them. Yet, sadly, they were dissavowed by the appointed audit committee of the federal government. Put in place by the last caretaker government Belgium had, this audit committee is not necessarily that experienced in matters of internal audit.

Other control and inspection structures

This of course does not mean there are no independent entities providing supervision of federal government activities. On the contrary, we have the court of auditors and we have the finance inspection. The first reports to the parliament, the second to the minister of the budget. Both structures are most effective, in my opinion, when they have embedded their collaborators deep in the federal government services they are charged with checking.

Internal audit recognition issues at other government levels

There is an active example of a centralized internal audit service in Belgium: the internal audit to the Flemish Administration, or IAVA. Despite being managed by a good manager, and with competent auditors on board, this audit team has had an uphill struggle in becoming accepted as “one of us” among Flemish public servants. In more than once instance, their authority was challenged, and they have invested a significant amount of time and resources establishing themselves as trusted business advisors to the public servants they are charged with auditing. For example, IAVA was instrumental in developing the guide to internal control development. They manage a leading practices database. All great initiatives, but not traditionally what you would expect from an internal auditor.

What’s my beef?

It’s this: developing a centralized internal audit structure within the Belgian federal government will, for at least the next ten years, amount to little more than window dressing. The new internal auditors will need to earn the trust of public servants operating outside of the “circle of trust” of the organization.
I know the president of the federal audit committee will be up in arms and cry foul, stating independence issues. The point is that that is not, in itself, an issue of independence. Independence is not an objective by itself, but a means to an objective audit opinion or an objective audit report. There are a lot of ways to ensure this objectivity, including building safeguards to independence in the way audit is embedded in the federal government service structures.

If anyone needs an example on how this can succesfully be done in an organization linked to federal government, come take a look at how BTC has done this in the past years. I believe we are very independent, yet we work deeply embedded in the organizational structures we audit.

The current structure, as proposed by the federal audit committee would in effect be a “finance inspection plus”, in essence adding to the role of the finance inspection. In that case, let’s call a duck a duck, and integrate this function with the finance inspection. This would mean a redefinition of the role of finance inspector, but that is feasible. The way in which the inspection currently works as it relates to their oversight role is also embedded in the organizations they audit.
However, if the intent to develop truly functional audit departments is a true intent, and not window dressing, I would suggest to stay away from the model currently being proposed. It will not work. I know it, the people who propose it, know it (deep in their harts).
Last, but not least, the argument of reducing the cost of internal audit from a budget perspective is a relevant one, but a centralized structure will end up costing you more, not less … if you calculate cost as a function of audit efficiency. Because your internal audit will not be effective, nor will it be efficient, for years to come. It may add value, but it will not be auditing.

accountability to the customer

/

"With money, comes accountability to the customer."

Mr Eddie Smith speaks true when he says this in his to the point analysis of Google relations with us, their users, not their customer. You can find the article here.

One problem ... I get this feeling with a lot of services I purchase as well. The add-on sale appears all that matters.

Are folders gates to procrastination?

/

Following Sven’s advice

I just did what I should have done a long time ago: I followed Sven Fechner’s advise. His “Simplicity is Bliss” blog is a wonderful resource for common sense productivity tips and other great Mac inspired ideas.

But, back to my point. Mr. Fechner suggested that a simple folder structure in mailbox structures, using just an archive folder and working with very targetted tags is a good approach. Thinking this through, I agreed, and started to eliminate my folders on both my professional Lotus Notes mailbox and my home gmail account … and I started to notice something smelly.

Lift rock, see dirt and vermin

Eliminating the folders, and actually checking their content before I transferred everything to an archive mailbox, I felt how you feel when you lift a rock in your garden that has been there for ages, and I see the pale white insects crawling from under it. There was a lot of dirt and semi-dead insects under my folders.

What folders do

Folders remove information from your immediate field of view. If you don’t have any good tracking systems which take less time to use than it would take to just keep everything in an indeterminate pile of “stuff” (David Allen interpretation here), putting things in folders amounts to putting stuff on top of stuff and hoping you’ll somehow, magically, be reminded of what you needed to do.

At best, you will be touching that stuff multiple times before you decide what your next action is. At worst, there are a couple of ticking time bombs out there that can explode at any second. I can just imagine a muffled thump coming out of my computer, and some dust. That’s what it should be, I feel.

By removing “things” from your point of view, I feel I am encouraged to procrastinate. I do not need to deal with that now. And if I forget, I do not need to deal with that later either. Unless I have to because it has become too important to deal with.

Why did I ever use folders to begin with?

It gave me a sense of “control”. Reference filing became an excuse for putting things away in piles with flags on top of it. However, “stuff” remains stuff, even if you plant a flag on it and call it something. GTD again makes sense. Don’t try to touch it twice, identify and define next action, delegate, file for reference, file for later or destroy/shred. The moment you stop doing this or postpone it until later, you will get in trouble.

The dreaded to-file folder

My mouth literally dropped open when I found, hidden in the recesses of my personal gmail folder structure, a folder “to file” with more than 50 emails in it. This was quite confrontational, as I was sure I had all my GTD ducks in a row. Yet apparently, in a bout of desperation, I must have parked a number of actionable emails here for later treatment and had promptly forgotten about them. Suddenly, it made sense why certain friends had “forgotten” to get back to me. They had, it was me who had not gotten back to them. The shame!

What’s next

I ended up with a significant pile of email to deal with. The professional email was under control, lucky for me. I’m rather picky about correct GTD application in that part of my life. However, I went through the personal email literally one at a time, just as David Allen prescribes. I rebooted my personal GTD approach, and I had to.

I marked all those emails as unread and then only opened one email at a time, not looking at the list of remaining emails. I decided on concrete next actions or used MailTags as triggers for a tickler file entry. And I did this email, per email, per email …

Simplicity

Simplicity, and peace of mind, is also being able to look around you and not see boxes or closets in which a skeleton may hide. No more folders unless it’s reference filing, no more putting away stuff and never seeing it again. No more stuff.

Working on a (creative) task versus working in a context (UPDATED)

/

For those not familiar with GTD, David Allen’s highly successful personal productivity approach, get this book (please note this is my affiliate link, you can of course log onto Amazon yourself), and read the first three chapters. It’s worth it, if only for the different way you’ll be looking at your work and your life.
GTD refers to contexts, areas or situations in which you execute certain work. Context are one of three elements that help determine what you can best do next. The methodology suggests to try and remain in a context as long as possible to work optimally.

Why contexts matter

The idea of contexts is based on money concept of our modern production oriented society: working in a production line, executing a comparable task over and over again. The reason for this is simple, and still applies today: changes in tooling, sets of tools used in the execution of a task, cost time. This is non-productive time since you are not actually producing during the time allotted for the tool change. To optimize the production time, you minimize the need for tooling changes as well as the time required to change the tool. To put it simply, if you’re at your desk behind the computer in your word processor, stay there as long as possible.

The production belt or production chain is the ultimate tooling change optimization: you never change the tools, but the product, solution or whatever you’re working on in its different stages of completion moves through a set of tools.

Tool changes and sequential execution

Often contexts are related to tools or their modern day equivalents. Certain activities can only be executed in a certain environment, or requiring a certain tool, system, software or person only available at a certain place.

Imagine I’m working on a project. I have a task list with a certain sequence and dependencies. I first need to write this paper, then have it read by that person, then present it to that meeting, then have it signed of by that person … If I sequentially run through those activities, I will likely execute a good project. But, I will have a lot of non-productive time and idle time as well. After all, there’s a lot of tool set changes involved and a lot of waiting as well. I have to give the reviewer the time to review, I need to prepare the presentation, I need to see someone for his or her signature. Not really very productive at all.

In all of this, I’ve lost a lot of time. If I have more than one project, it pays to remain in a context to execute as many as possible the tasks I need to perform in that context prior to jumping to the next context. For example, it seems wise to first write all the papers you need to write prior to starting the development of your presentations. The tool switch cost from writing app to presentation app is minimized.

why contexts don’t always make sense

But this doesn’t always make sense. Certainly not in creative work.

Think about the following situation and its associated cost. I’m working on a project which requires me to write both a report and a supporting presentation. I’m also working on another, unrelated project with another presentation due. Which of the following would cost me most?

The tool switch or the mind switch? A mind switch requires me to abandon a train of thought in favor of another, while a tool switch requires me to abandon a set of tools in favor of another. I’m convinced that in certain cases the productivity impact of the mind switch is more significant than the productivity impact of the tool switch.

An illustration of the difference between mind and tool

Let me clarify: imagine you are asked to write a number of proposals. Part of this may be retrieving proposal templates or prior written proposals from a repository. The context here may be for example “online - proposal database” and for this activity a tool change is not appropriate. You get out of the proposal database what you need for the different proposals.

Once you have the templates, you start developing and writing. An important “meta-context” for me is mind mapping, but this is a meta context in that it often requires me to go through multiple tool switches during the activity. I do the mind mapping in Mindnode Pro, but I will frequently be switching back and forth between my browser, my notes (which I keep in text files in Dropbox) and the mindmapping software. For me, the frequent tool switches I make are actually part of the creative work. I can do this because the tools all together form the creative analysis and development context for me.

In essence, my context is no longer a unique context of one tool, one activity or one environment, but rather a set of complementary tools which together allow me to work towards a certain result.

UPDATE - A number of better GTD experts than me pointed out that there is no explicit mention of remaining in a context for as long as you can. I stand corrected, they are right. However, switching context too frequently often carries too high a tool switching cost, unless you have all your tools arranged in order to optimize efficient and effective use. Therefore, while it may not be explicitly mentioned, I do feel remaining in context is an important aspect to the entire productivity concept.

Risk analysis in long term audit planning and audit preparation - part II

/

You can find part I of this article here.

Phase 2 - Analysis at the level of the area of responsibility (auditable area)

Internal audit’s responsibility for the proper application of risk based analysis in the preparation of its audit activities does not end with the multi-year audit planning or its actualisation. Each area of responsibility which has been selected for audit needs to go through a risk based analysis at the operational level as part of the specific audit planning phase.
This second phase assumes there is no structural risk management application present which outputs could be used as input for audit preparation purposes.

Executing the operational risk analysis

We survey all collaborators (“responsibles, accountable and consulted” in the context of the RACI matrix) within the selected auditable area. We use the 80 statements developed in the Risk Identification Model. Note this is not simply executing the initial entity wide risk analysis again. The scope of the assessment is both more narrow and deeper, as it only covers the auditable area but covers it in-depth. In addition, not all collaborators were (necessarily) involved in the execution of the entity wide risk analysis which was used for purposes of multi-year internal audit planning. Remember, the decision to involve them was at the discretion of the person accountable for the auditable area.

These collaborators are asked to judge each of the statements as to relevance and current risk exposure. Remember that risk exposure is a function of their assessment of impact, likelihood of occurrence and current level of risk management and leads to the development of a risk control matrix.

Risk analysis results

The risk analysis results, correctly represented in a risk control matrix, are but one input in the preparation of the audit approach. Of course internal audit remains independent in its assessment and can call on other information to complement the risk analysis. However, note that this, both from the point of view of the IIA’s standards and the effort of the organisation should be considered as a major specific audit planning input. What’s also interesting is that these results allow internal audit to make a comparison with the initial assessment of middle management.

The results also provide us with more information as to which aspects of the auditable area are considered to be important by the collaborators intimately involved with the process. In essence, it’s an appreciation of sorts of their understanding and knowledge of the problems they can be confronted with.

Perhaps counterintuitively, our priority audit areas are not those areas of high risk and low control. We want to ensure that these are subject to a risk mitigation or monitoring plan which is in the process of being implemented. These risks are actually the responsibility of the risk management function, if it exists. When auditee and auditor agree on the existence of a problem and the auditor has gathered enough audit evidence to confirm the existence and the scope of the problem, his audit activities need to end. He can then write this up in his audit report.

Internal audit’s responsibility is to provide assurance. Hence, we look at those areas which are considered to be high risk but under control. We assure the board, the audit committee and management that, based on our assessment, these risks are in effect under control.

Building the audit workprogram

Those areas which are considered to be those high risk high control areas constitute, together with the appreciation of the auditor based on prior experience, the basis for the development of the core of the audit workprogram. Note that the build of the audit workprogram consists of a significant change in the approach from risk to process.

During the risk analysis the auditor focuses on risks. Risks and their appreciation by collaborators in the process are central to the approach. However, once the auditor starts the development of the audit workprogram, all risks with an influence in an auditable area are gathered and covered in the audit workprogram. The process becomes the central aspect and the entire audit workprogram is structured according to the processes covered in the auditable area.

This has a very logical but sometimes difficult to accept consequence for auditors. If a certain process within an auditable area is not linked to one or more risks, if no indication other than the analysis exists that there are risks related to that process, it should no longer necessarily be covered by an audit activity.

Executing the audit

After the audit workprogram has been developed and validated by the CAE, the actual audit can start. The auditors execute all activities planned and described in the audit workprogram. Note that multiple risks can be evaluated at the same time, depending on the results from the audit activities which are executed. In case for example accuracy and completeness of a transaction are to be evaluated, running a test-batch of information through the process can be a test functional for both objectives.

Results

In addition to the standard audit dispositions which need to be reached at the end of an audit activity in the audit workprogram this approach allows us to assess the understanding of risks and relevance of the current risk management measures. Especially those situations where there is a significant discrepancy between the assessment of the accountable people and the assessment of the responsible people. This may be an indication of deeper underlying issues.

Derek Sivers - No more yes

/

Derek Sivers is onto something with his post on decision taking in our current society which tends to overwhelm us. Read his entire post here.

I really liked

“When you say no to most things, you leave room in your life to really throw yourself completely into that rare thing that makes you say “HELL YEAH!””

Risk analysis in long term audit planning and audit preparation - Part I

/

The IIA standards require us to develop a risk based internal audit planning. There is however little material available on how organisations actually perform this. Organisations with good risk management systems can provide information from these approaches or systems to internal audit. However, if there are no risk management systems available, you will need to do a lot of the work yourself. And even when these systems are present, that does not necessarily mean that you will be able to easily repurpose the output for internal audit planning.

We’ve developed a two phase approach. In the first phase we execute the analysis at the level of the entire organisation. In the second phase we prepare the specific audit at the level of the auditable entity or activity (process, subprocess).

Today, I will cover phase 1, the organisation-wide analysis. A next post will cover the analysis at the level of the auditable entity. Let’s kick off phase 1.

Phase 1 - Organisation-wide analysis

Analysis coverage

Any activity within the audit universe needs to be subject to the risk analysis. If your organisation includes decentralized entities, these need to be included as well. We query all people accountable for an activity. You need to read accountable as it’s meant in the RACI matrix. For us, this is middle management, including all local representatives of our organisation. However, each accountable can ask as many collaborators as they want to identify the questionnaire. At the least the middle manager needs to answer, at the most everyone involved in the activity can answer. Our systems provide us with enough flexibility to treat that volume.

Analysis frequency

The analysis is to be executed at least once during the duration of the management agreement which covers our activities. It should take place at the start of the agreement. If the agreement runs for a longer period that five years, a new risk analysis needs to be executed which remains valid until the signing of the new agreement or for a period of five years, whichever comes first.

Additional analyses need to be executed on part of the audit universe if there are significant changes in that part of the audit universe. For example, were we to take on new responsibilities which are not explicitly covered in our current responsibilities but were foreseen in the management agreement, we need to execute an additional risk exercise on this responsibility. In the case of significant adaptations or alterations to activities or processes, a new risk exercise needs to be executed on that activity and all downstream activities depending on that specific activity or process. Finally, in case an adaptation in the management agreement would lead to a significant adaptation in roles or responsibilities, our function or our structure, we need to execute a new risk exercise on the activities impacted.

Analysis execution

The analysis is executed by means of an online survey. Participants are asked to judge about 80 statements on risks to their current responsibilities. In case someone is accountable for more areas of responsibility as defined in the audit universe, they need to pronounce themselves on each of these areas of responsibility through a separate survey.

Participants are asked to judge the relevance of the statement for their areas of responsibility. In addition, they are asked to judge their risk exposure over a period of five years, both in terms of impact of the risk, likelihood of occurrence and current level of risk management.

The people accountable for a process or a function are asked to execute this analysis within three months after signature of the new management agreement.

Translating the results of the risk analysis into a long term audit planning

The information gathered in the survey is translated into a risk control matrix, which is proposed for validation to the management committee. The purpose of the risk control matrix is not to develop a detailed and nuanced view on the relative proportions of the risks. Rather, we want to create a clustering of risk exposure levels to develop a prioritisation in the auditable activities (hence, the audit universe).

However, internal audit retains its independence with respect to the results of the risk analysis, which is a subjective perception on risk exposures by the people accountable for the processes. We combine the information gathered in the risk analysis with other information, such as total budgetary spend over a period (historical and forward looking) and prior audit experiences. In order to remain fully transparant, proposed changes to the priorities as derived from the risk analysis need to be motivated by internal audit.

A theoretical example: Let’s imagine for a moment that risks related to types of cash transactions are considered to be high exposure. This is based on the experience of the accountable people. However, internal audit knows and has confirmed that the number of cash transactions is significantly being reduced in the organization because of initiatives taken to cover this risk. At that moment internal audit may motivate and reduce the risk exposure level.

As risks have already been linked to auditable areas (the audit universe) since the accountable collaborators need to fill out the survey for each of these areas of accountability, we can easily prioritise based on the risk control matrix. For each area of accountability, be it an activity, a process or a subprocess, we can now calculate an overall risk exposure level. This prioritisation along the areas of responsibility (the audit universe) allows us to determine the frequency within the audit cycle of five years an audit of this area needs to be executed.

Audit coverage

Areas of responsibility with a high risk exposure level will be covered twice each audit cycle. This in effect may be two full audits, an audit and an elaborate follow-up audit, or even an audit by internal audit followed by a coverage by the court of auditors. Areas of responsibility with an average risk exposure level are covered once every audit cycle, while areas with a low risk exposure level are covered if adequate resources are available.

Audit coverage includes audits executed by our external auditors or the Court of Auditors. In order to ensure an adequate level of execution we will, at least once over the duration of the management agreement execute an audit on audit, an audit peer review of the work of the external auditors and the Court of Auditors. This peer review will allow us to assess whether the quality level of the work executed by these external parties is adequate to provide us with a reasonable assurance on the adequacy of governance, controls and risk management in the activities covered by their audits. We will use the IIA’s peer review approach. These audits will not influence the independence of the external auditors or the Court of Auditors.

Planning frequency

The long term internal audit planning is based on the risk analysis executed once over the duration of the management agreement or each five years, whichever duration is the shortest. The continued relevance of the risk analysis is questioned each year by re-introducing the assessment for validation to the management team. In case of adaptations to the risk analysis by the management team, the internal audit planning is reassessed and if necessary re-introduced to the audit committee for validation.

Other adaptations to the audit planning are only possible in case of changes within our organisation or in its operating environment which require a full or partial re-execution of the risk analysis.

You can find part II of this article here.

Working overtime again?

/

Let’s just keep in mind that working overtime is often just an excuse for not being very productive during the day. And given you are - often - being paid a fixed amount for your work, you actually literally devalue yourself.

Think about that for a minute.

By the way, do check the reference link in this article, just click on reference below.