The opposite of a bad system - an internal auditor's perspective

/

The opposite of a bad system

I recently read this statement, and I can't remember where I read it. It goes "The opposite of a bad system isn't chaos. It's a good system." The statement got me thinking about the fallacy inherent in the current thinking about the crisis and lessons learned from the internal audit profession which may be applicable to the problem at hand.

Whenever I am talking to people about the current economic crisis, I get the feeling there is an acceptance of the inevitability of the chaos we're descending into. People are so battered and bruised by the 2008 crisis that a certain lethargy appears to have taken hold in the minds. This is what it is, and this is what we will need to face and confront. Two issues I have with that:

  1. I'm not sure either a descent into chaos or patching the current bad system are the only two options. They appear as the only two viable options because we keep starting from the same position in our assessment of possible solutions;
  2. I'm not sure that a mere confrontation of the current chaos is the way out. Yes, conventional wisdom states "the only way out is through". This, by the way, is a Robert Frost quote, and is not the verbatim one either. He actually puts the words "The best way out is always through", in the mouth of one of his characters in A servant to servants. The other character agrees, but conditionally.

My issue with chaos

As the statement I started with reads, chaos is not the only alternative to a bad system. However, arguing chaos is the alternative allows for the incumbents to not have to confront the fundamental issues with the current, bad system. Putting the current, bad system in opposition to chaos is asking for a temporary solution at best. "Assist us with all your assets, then let us be, we'll fix it. Trust us." It's a traditional defensive move of an incumbent who wants to stay in power.

In "So long, and thanks for all the fish", Douglas Adams tells the story of a civilization of humans with a ruling political class of lizards. The humans only vote for lizards, not for humans, because of they would vote for a human they are afraid the wrong lizard may get in office. The book was written in 1984 and although it's light entertainment there are some very interesting ideas and positions in it. Among which is the one about the lizards.

The erroneous assumption

The assumption now, as the assumption by the civilization which Douglas Adams refers to, is that there is no alternative to the bad system but chaos. This argument was pushed to the limit and apparently abused in 2008. The banking system as an example of the 'bad system' needed to be rescued by massive money infusions as a hemorrhage would lead to chaos. So we patched the system. We all did. We effectively all paid for it. Once the bleeding had stopped on the outside of the patient, further intervention was not needed. Was actually refused by the patient. No real structural changes were implemented.

Think about the comparison to a patient: he comes into the ER bleeding profusely from multiple wounds. The doctors have clear indications there is massive internal bleeding going on as well. The patient, barely conscious, submits to some tests and emergency treatment. However, after a couple of days in treatment and feeling a bit better, the patient decides to leave the hospital, right before a more in-depth assessment is made. And leaves to continue on his traditional path, without really, fundamentally changing anything essential about his behavior.

Changing the diet

The point being that a fundamental life change often do increase the chances of survival of the patient. It will require a significant adaptation in lifestyle. It will require a change of diet, at least. It may not really be that enjoyable, especially when compared to a prior life of debauchery. But it will, in the end, lead to a better quality of life and longevity of both the patient and those around him invested in him. And that's what really matters.

So, think about it. The opposite of a bad system is not necessarily chaos. It can also be a good system.

Conditional treatment

Up to today, I have yet to see real conditional clauses being linked to treatment of a bank or a business in trouble because of lack of due diligence. That should change: we will save you, subject to certain behavioral changes on your part. Perhaps our banks, business and institutions need these clauses. Public means have been too readily available to bail out those who did not exercise due diligence. Let's be honest, due diligence has become a very empty concept. Future treatment should be subject to clauses which are measurably leading to a good system.

The internal auditor's approach

I'm an internal auditor. As an internal auditor, I usually see issues before they become common knowledge. I also know, from an experience point of view, how difficult it is to make people, departments and entire organizations change their behavior.

As internal auditors, our challenge is to ensure recommendations are implementable. They should not be too high level, because that makes them not implementable from a practical point of view. They should not be too distant from the daily reality either, even when concrete, because that would make them not implementable because they are not in line with current practices, which would make the change trajectory too complicated. And they should not be too determined by the incumbent responsible for the issue, as that would not create enough change to make a real difference and solve the problem.

The necessary steps - an internal auditors' perspective

I think the move from a bad system to a good system, avoiding chaos, will require the following aspects which are an integral part of the mindset of the internal auditor:

  • We need to create awareness that a change is needed. For this, a thorough diagnosis of the entirety of the issues is needed, not based on opinion, but on facts and figures. What is going on, and how will it impact our future?
  • We need to identify the deficiencies in the current system at the right level of detail. The right level is the level at which a change in the processes and procedures will result in a reduction of the exposure to the failures of the bad system.
  • We need to co-develop solutions with the incumbents, without being influenced by their logical need to maintain the status quo. The systems needs to be improved, and in some cases it will result in a significant redefinition of the current process.
  • We need to plan the improvement actions in an overall approach to fixing the systems. These improvement actions and the overall plan needs to be transparent and communicated to all stakeholders.
  • We need to closely monitor the execution of the improvement actions.

In conclusion, there is an alternative to chaos. It will however be bad tasting medicine for the incumbent bank and business owners. They will not like the taste. However, their responsibility is social as we all partake in saving them. They therefore need to be held to very clear objectives which will structurally improve their functioning. Even if it means significantly changing their business models.

Must read: "The dumbest idea in the world"

/

I don't usually link to articles where the author or referrer has done a great job explaining why the article or the post is relevant. This one comes by way of John Gruber at Daring Fireball and is a reference to a Forbes article on Roger Martin's new book, "Fixing the Game".

It contains an excellent and accessible explanation on what is going on in the markets. A key consideration in all of this which I did not pick up in the article is that the current pension plans of pretty much anyone are tied to the expectation market. Disengagement will take some time and will have significant effects. I think we need to prepare for a period of a number of years where social support for the people around us will be very important indeed, because the means of financing this in the traditional manner may no longer be there.

Something to think about.

Reducing the effort of risk based internal audit planning

/

Risk based internal audit planning

The IIA's standards require us to prepare a risk based internal audit planning. However, if risk assessment and management is not (yet) embedded in your organization, it requires a concerted effort from the auditees to provide you with the relevant information. Given this is not necessarily a priority to them, are there more efficient ways to gather more relevant information you need for risk based planning without overburdening your auditees?

Defining the auditable space

In the end, our assurance role as internal auditor is to provide assurances to the audit committee, the board and management. We developed the risk control matrix to properly segregate the responsibilities of management and the responsibilities of internal audit:

  • internal audit is responsible to provide assurance in the high risk areas where management considers the risk management measures to be adequate;
  • internal audit is responsible to assess the relevance, appropriateness and effectiveness in the low risk areas where management may have provided too many risk management measures;
  • management is responsible for developing actions plans for high risk areas where risk management measures are considered inadequate;
  • management is responsible for monitoring issues in low risk areas where risk management measures are low, to ensure timely identification and management of emerging risks;

The risk control matrix is a good concept, but how do we ensure completeness of identification of all elements that need to be included in the matrix? In talking with the both the actual and the ad-interim head of internal audit at the Belgian federal government service Mobility & Transportation, we came up with the following ideas.

Identifying risks related to action plans

Action plans are developed when management deems specific risk management measures inadequate. Action plans are prioritized, ideally as a function of the risks they aim to cover. Hence, the identification of risks in quadrant I comes down to the identification of which risks the current action plans aim to cover. A good approach would therefore be to either ask management which risks they aim to cover with a specific action plan. An alternative would be to read the action plan and identify the risk which should at least be referred to in that action plan.

I am aware completeness of identification is not assured if the budgets are not adequate to fund all required action plans. I would at least expect management to have developed a list of future actions to be taken, which can be traced back to the risk we need to identify.

The assurance function of internal audit in this risk control matrix quadrant is limited. We can assess the relevance and adequacy of action plans, however, given it is the discretion of management to manage the business, and given they know there are issues, our assurance contribution would be limited. We can act in an advisory capacity, as long as this does not influence our independence and objectivity now and in the future.

Risk Control matrix

Identifying risk related to measures deemed adequate by management

Quadrant II and III of the risk control matrix is where the core assurance function of internal audit is situated. Again the question occurs how we can best (as complete as possible with minimal disruption of day-to-day activities) identify the relevant risks? A suggested solution to bring the questioning our of the theoretical realm of risk to the level of day-to-day operations is to ask management to provide us with a list of risk management measures they deem adequate. The measures need to be linked to processes (elements of the audit universe) in order to allow for development of risk based, process related audit programs. We would identify risk by asking management to explain why they have taken these measures. The why is often the relevant response to which risk a control aims at covering.

Our assurance function then needs to focus on both assessing the adequacy of the risk management measure as it relates to the risk as well as the completeness of risk coverage. But how are we sure that all relevant risks under responsibility of the different members of management have been appropriately identified, assessed and covered?

Closing the risk gap

Based on the above, we now know which risks management covers with its action plans. These are reactions to risks the consider inadequately covered. We also know which risks they consider relevant and adequately covered as they offer these to us for auditing. But what about the risks not identified.

Here, we need to revert to the risk identification model, but not as a full-blown identification tool, but rather as a trigger list. A trigger list is a list which a manager reviews on a regular basis to assist him in jogging his memory on exposures known but not formally identified. If by going through the risk trigger list a manager would discover a risk not formally identified in the prior assessment, there are a couple of possible outcomes:

  1. The risk is known, managed, but not formally identified. This is an issue linked to formalization which does not necessarily leads to a specific exposure.
  2. The risk is known, not formally identified and not managed. This could indicate an exposure to be managed. Risk severity will impact the urgency.

Conclusion

Rather than having management and their collaborators go through a theoretical exercise each year, we can use information generated by them in the course of their day-to-day activities as a good basis for risk identification and prioritization. This would allow us to reduce the effort required from management in risk identification as well as reducing the effort we need to put in risk assessment for audit purposes.

This approach does not alllow for identification of the so-called Black Swans. I am a taker for any good solution that would not influence the efficiency of my audit planning process.

Audit "assessments" are like analyst's ratings

/

The popularity of audit assessments

An audit assessment is like an audit, but not really. It takes less time, costs less and is executed by people referring to themselves as experts in a subject matter. These assessments are becoming rather popular. And that evolution is worrying to a “traditional” internal auditor … not as a threat to our own business model, but because it reminds me too much of ratings by analysts. If this is the future of audits and audit findings, we need to be very careful about what comes out of the audits. Because that will be opinion, and not positions based on validated facts and figures. Let me explain why by comparing these assessments to analyst’s ratings.

Analyst’s ratings

How does an analyst develop his ratings? It’s not necessarily a well known or well understood, but hardly a secretive process. You could compare it to a journalist with a track record in a certain sector and based on that track record, assessing an organization active in that sector. Rating agencies bring in an industry or a content expert, ask him or her to do interviews with key people within the organization and analyze available information to form an opinion about the expected future evolution of the organization. Now, are we so naive as to not expect the interviewees to be carefully vetted by top management to provide the analyst with the right information for the message they want to bring tot the market? In addition to the interviews, analysts are provided with information about the company, sometimes strategic visioning about the future of the organization in its sector or sectors adjacent to it. Again, this information is being provided by the organization they are assessing. They compare this, ideally, to market information, and based on their expertise, they come to a conclusion. And this conclusion is rather determining for the financial future of the company they are analyzing.

Am I the only one to see the flaw here? Probably not.

Audit assessments

Let’s compare this to the new trend of audit assessments? How is an audit assessment executed? An organization or its internal audit calls in an expert in a certain subject area who - on the basis of interviews and assessment of a selection of available information - will take position with respect to the area under audit in which he is an expert. He uses his available expertise to come to a conclusion … and the conclusion will be rather determining for the future of the department under assessment …

Comparing this approach to the analyst’s assessment, I don’t see too much difference. As an auditor I mainly see the flaws in this process.

What is wrong with audit assessments?

Audit in general and internal audit in particular is about fact finding and corroborating these facts with other facts and figures to come to a substantiated opinion based on repeatable assessment on all available data, not ignoring any information. It’s about not forming an opinion before all the facts and figures are in. It’s about keeping an open mind. It’s asking to see the thing that quacks like a duck, swims like a duck and smells like a duck to make sure it looks like a duck. It’s being the four wise Indian men who touched different parts of the elephant and NOT coming to a conclusion.

Assessments on the contrary are rather often about ensuring consistency in interpretation by not taking in account facts that don’t fit the preconception and replacing facts and figures by interpretation and expert opinion. And like wolves in the woods, if one of them starts howling, pretty soon you have a concert … not necessarily pretty, not necessarily relevant, but certainly loud.

This is bad … what is worse is that a lot of the expert interpretation is under the assumption that the market, the sector, the process is not subject to disruptive influences. Current reality dictates otherwise. So I very much doubt the relevance of the expertise being brought in to assess as long as that expertise is not open to look for other interpretations and making sure all the facts fit.

Solutions

Let’s be clear, internal audit is not bad journalism. There is to me only one way to ensure consistency and relevance of audits, and that is to make each and every audit about our prime responsibility. We need to be open to the facts and figures. We need to reserve opinion until every cost-effective avenue of analysis has been exhausted. But mainly, we need to design our audit tests for those key aspects we test: existence or occurrence, completeness, accuracy, timeliness … and we need to be open about our approach, and willing to exchange ideas and learn from others. Only then will we be able to do what both analysts and audit assessment experts regularly fail to do: to provide our users with a relevant opinion based on an objective interpretation of facts and figures.

Why single audit will not work ... Yet

/

the conference

I just spent most of the day in a conference on public sector internal audit. At the end of the conference, a well considered panel touched on several aspects, including the aspect of single audit. And as usual, the discussion touched on the feasibility and the need for single audit. And again, everyone confirmed the intent to have single audit.

A quick prediction: it ain't going to happen anytime soon.

the issue

The issue not covered is that even when the intent of the audit executives is good, the content they aim for in their reports (or what they need to position themselves on), the audit report recipients (the entities giving the auditors the mandate to audit) and the reference frameworks within which they audit are fundamentally different. If not at least aligned, this will fundamentally undermine the single audit concept in terms of practical implementation.

The idea will stay just an intellectual exercise which may have amused a couple of academics.

Let's look at the different 'auditors' in play in the public sector.

The external auditors

Granted, they are not always present or required Appointed by the board, reporting to the audit committee of the board, with a focus on compliance with private sector reporting requirements, they conform to the standards as imposed by their governing body, in Belgium the IBR/IRE.

The Court of Auditors

Created by a law, they report to the members of Parliament, and conform to the Standards of INTOSAI, an international body. Their mission is clearly defined by law.

The Inspection of Finance

Also created by law, they report to both the Minister of the budget and their functional minister. They have an internal set of stringent guidelines to adhere to, and their mission is clearly defined by law.

Internal audit

Either established by law or by a decision of the board, often in the context of a governance requirement, internal audit reports to the audit committee and is governed by the international standards of the governing body of its profession, the Institute for Internal Auditors.

The challenge

For single audit to become a reality, the reporting requirements (and thus ultimately the needs of the audit report recipients) need to become aligned.

What I am not saying is there needs to be a single purpose. What I am saying is that is single audit is an objective - and it should be in current budget conditions - we need to make sure to be clear first on the purpose and mission of each of the auditing entities. What steps will take us there?

  • In order to do that, we need to execute a needs analysis at each of the audit report readers first. So, recipients, what type of information do you need (from an audit perspective) in order to be able to do your job?
  • Then, let's assess which audit entity is best placed from a professional perspective, to execute the required audit actions to provide audit assurance on that information. Let's devide the work based on that.
  • Finally, let's redraw the audit execution responsibilities according to these competencies, not according to reporting lines.

This, according to me, is an effective and transparent route to single audit.

What is keeping us?

Honestly, perhaps the fear of having to face a disruption of traditional operating models?

Welcome to the future!

My blogging workflow (or, do I need another writing app?)

/

Workflows are about optimizing your personal process

Developing workflows have the advantage of allowing you to optimize your work process. This will allow you to become more efficient in the future. The disadvantage then is that you need to invest the time now. And workflows take some time to develop. While personal workflows are inherently personal, there are lessons to be learned from other people’s workflows. That’s why I like podcasts like Mac Power Users which take the time to take you through workflows of uber-nerds.

The origins of my writing workflow

I write quite a lot. Professionally, I write quite a lot of reports and audit work papers. I wrote a lot of proposals as well, in the past when I was working as a consultant. My professional writing has to be concise and to the point. It needs to be as efficient as possible in conveying a message as my target audience, the audit committee, has a limited time to listen to me and read our work. Personally, I’m a blogger. As a blogger, I want to be as efficient and effective in communicating the messages I want to bring as well, out of respect for my audience.

Why do I describe my workflow?

It took a while to finetune my writing workflow. I’ve been testing a lot of applications on different devices and I’ve managed to find a couple of solutions to the challenges of writing as focused as possible. Additionally, it forces me to formally close the testing phase which saw me making a lot of tool changes and spend a lot of time and money getting and testing apps. By describing my current set-up I aim to answer the question “Do I need another tool or have a reached a maturity in my set-up.” The answer actually surprised me.

Steps in my workflow

My workflow consists of five discrete steps which each have a reason and a set of tools to support the execution. I don’t always follow these steps, but I noted that the quality of my writing and the level of synthesis without losing content is more optimal if I apply each of the steps.

Stap 1 - Idea capture I often get glimpses of ideas. When creativity strikes, I try to capture it. I always carry around a small notebook and a pen. I just write down what I think about and add as much or as little detail as I think I need. It allows me to put ideas out of my head, where they are likely to get lost.

Step 2 - Mindmapping the article When I have the time to write, on the train, during the weekend, at night, I set down with one of my tools, select an idea and start brainstorming the content of the article the idea for which I captured in my notebook. I don’t always do this, but I find that article writing takes more time if I don’t, because mindmapping my content generation around an idea gives me the freedom to go really broad in my ideas, without the linear requirements imposed by word processors or outlining tools. I export the mindmap in OPML where possible, which allows me to transfer the structure to my outlining tool.

Step 3 - Outlining the article Once I’ve developed the ideas and the basic structure in the mindmap, I export through OPML to my outlining tool. The outlining tool brings the unstructured idea generation to a structured environment and allows me to assess the narrative in the structure. Am I making all the points I want to make … and does the story make sense? Using an outlining tool to review these aspects really makes sense for me. Knowing this tool and this process is available also allows me to go all out in the mindmapping. I don’t need to hold back as I know I will be outlining anyway. Outlining is pruning of the content. And I find myself often noting down items I came up with during the mindmapping as possible future ideas for articles. However, if they don’t make sense during the outlining phase, they get pruned, relentlessly. At the end, I export the outline as a txt file to my writing tool of choice.

Step 4 - Writing the article Given the preparatory work that I’ve already done, this step should be easy. But it isn’t. Even with the bones of the article skeleton in place and optimized, and all the ideas as cute little ducks in a row, this is still a lot of hard work. When narrative structure is in place, you still need to tell the story. Hans and Grethel would be a very short story if only the outline mattered. Fleshing out the bones is a lot of hard work, and still the most work of all the steps. Once the text is done, I go back and format it using Markdown. It’s not a complex language and it allows me to edit on multiple platforms.

Step 5 - Article quality control After having written and formatted the article, I go back one more time before I post it on the blog. However, I usually wait a while, ideally a day, but often more likely an hour or two, before I go back and reread it for essential issues, such as spelling and use of the correct words and turns of phrases. I read it from two perspectives. First, I need to know the article makes sense. Second, I look for optimization and correct links.

Step 6 - Posting the article to the blog For this, I use the tools SquareSpace gives me. I post in Markdown which is then by Squarespace transferred to clean html for the blog. Basically, I just copy-paste the markdown in the squarespace editor, although on occasion I will use SquareSpace’s tools available on iPad and iPhone.

Tools, apps and file formats

For each of the steps described above, I use a specific set of tools which depend on the device I’m on. I intermittently use a Mac (home and portable), and iPad or an iPhone (IOS device, also when travelling) or Windows PC (work). The available tools allow me to do most of my work on each of these platforms, with limited to no hand-off issues if I switch devices. Pulling it all together are two folders on my dropbox, one containing my mindmaps, the other containing Markdown saved as txt.

My blogging devices, apps and file formats

Answering the question

I honestly dare not go back into my app store archive and check which I have or haven’t purchased. What I know is that when I ‘discover’ yet another app which I want to look at, more often than not it’s the “INSTALL” dialog box that appears instead of the price button. A good indication I purchased a predecessor of the current incarnation of that tool somewhere in the past.

The thing is, I probably don’t need them. Most of the most relevant tools I have and use are nvAlt (free, but pay Brett Terpstra some money, because this is a txt editing powerhouse) and Plaintext (free, but you can pay €1.59 to have the banners removed). Notesy is an alternative, and you need iThoughts as a mindmapping tool on your IOS device, but I really don’t need another writing tool.

"Single preparation", a partial alternative to single audit?

/

Minding the buzz-word

"Single audit" has been the word of the year in the audit professions for a while. Especially in public sector, auditees have been complaining about the enormous charge of work which brings no immediate added value to the table. In some cases, up to four separate audit, control or inspection entities are charged with auditing or reviewing the same subject matter, be it processes or projects. This leads to complaints from auditees they are being reviewed too often and have no time left for the operations they were asked to execute.

What is blocking "single audit"?

The problem is that while the concept of a "single audit", with auditors and evaluators sharing working papers, adapting their planning and making sure no auditable areas are covered multiple times makes sense from the auditees point of view, it doesn't always bid well with those auditors or evaluators. There are a couple of reasons that come up when discussing this with them:

  • independence: by using other auditors' assessments, we weaken the audits or the assessments. Given we have no influence over their working methods or level of professionalism, and given in some cases they do not need to comply with the same rules and regulations 'our' profession has, we are not independent. Therefore, we cannot move to "single audit"
  • fees: for external parties, be it external auditors or out- or co-sourced internal auditors, the more you share, the less work remains for you, the less fees you can get from this organization
  • scope: sometimes the scope is slightly different and work executed by other auditors or evaluators does not match up with the requirements of our working program
  • confidentiality: we cannot share our information due to confidentiality of our working papers and reports

I'm not pronouncing myself on the merits of these points. I just conclude they are there. And that because of these and other objections a "single audit" will likely not become a reality anytime soon. But is there an alternative that may at least aleviate some of the pain felt by the auditees without significantly impacting the independence nor quality of work of the auditors and evaluators?

The concept of "single preparation"

The problem is that the auditee is overburdened by audits, mainly by the audit preparation activities. These involve making information available to the auditors, preparing certain documents, and making sure the relevant discrepancies are adequately documented and explained. They need to do this again and again for every audit, each time preparing pretty much the same information in a comparable format.

A possible way to reduce some of the charge would be the "single preparation". "Single preparation" would involve a yearly meeting of all auditors and evaluators in which they agree on the basic information requirements for their audits. What needs to be prepared in what format. Bringing these people together would aim at establishing one format for each type of information, with the formal requirement to use the available systems of the auditee as much as possible.

Measuring "single preparation"

Single preparation measurement would involve each audited entity to detail the time spent in preparing each of the elements of information. In addition to giving a good idea on the charge of the work for auditees and improvements year over year in reducing this charge, the information would point to significant time sinks, preparations which take a lot of time of the auditees. This could in turn lead to two solutions:

  • the information requirement is redefined by the auditors, resulting in a reduction in the time spent by the auditee, or;
  • the auditee and its supporting organization structures, such as ICT, look at more efficient ways of gathering the data and making it available.

A partial solution

"Single preparation" is a partial solution, which does not address the problem of auditors and evaluators not keeping the end in mind of the organization they are auditing. But requiring them to at least do the effort to streamline their information requirements may reduce the burden on the auditees by a bit.

The auditor as a storyteller

/

What audit is about

Most of us familiar with the (internal) audit profession know what it is about. I’m not rehashing the excellent definition of the Institute for Internal Auditors. As auditors we need to use our independence to objectively gather, analyse and test facts and figures on the organization’s governance, processes, risk management and controls through the methods and tools at our disposal. Based on the understanding gained in this process we can then assess the performance of the organization and make recommendations to improve its functioning.

These are the cold, hard facts of the profession of internal auditing. We may differ in slight ways in defining what we do, but this is about it.

However, is it?

Where’s the end of the line?

Audits too often end there, by stating facts, but often lacking context. This can lead to significant misunderstandings by those who are confronted with that information, such as the members of the audit committee or the auditees.

The objectively gathered, analyzed and tested facts need context. And to position facts correctly in context, you need narrative. Thus, the end of the line is not establishing the facts and figures alone. At least the Chief Audit Executive needs to be able to convey in an accessible way not only the facts, but also the context in which these facts need to be seen.

Let me illustrate (and I’m heavily borrowing from Stephen Covey for this example) Read the following phrases one by one and try to “feel” a reaction to them:

  1. “The man did not seem to notice his loud cousins on the subway.”

  2. “After having lost his brother and their father, the man did not seem to notice his loud cousins on the subway.”

You have noticed the second part of the second sentence is identical to the first sentence. But because of the added context, it creates an entirely different sentiment about what is written. But the words written are exactly the same.

The strength of the auditor

The strength of the auditor is not only determined by the quality of the analysis, but by the ability to convey facts in context to his audience of audit committee members and auditees. Weaving context and facts together with narrative is what storytelling is all about. And storytelling is not only about fairytales.

The true bard

Only the true bard will have the ear of the king. The true bard should be the internal auditor, bringing the king, the audit committee and the board key information and insight, unburdened by hierarchy, like the joker did in the Middle Ages. But to get the king’s ear, you needed a good story. Or you needed to be funny. But any stand-up comedian will tell you it’s impossible to be funny without a great story.

Think about it

Consider your audit planning phase. Does your proposed audit planning sequence make sense, even to those not necessarily familiar with all the technical aspects of audit planning? You should not only focus on what you will be doing and how. You need to explain the audit committee members who will approve your planning why you are proposing the audits you are proposing.

Consider the audit execution. The how is often quite easy, once you have determined what you want to audit. But do your audit collaborators understand why you ask them to execute the work program steps you task them with? In essence, are they just putting one brick atop another one, or are they building a cathedral?

What narrative brings

Well developed narrative in a story lends credibility, recollection and relevance to your audit findings and recommendations. They will be remembered more easily, and will in turn lead to better communication to and with the audit committee and the board. They will be able to send a clearer message to the management team, which ultimately may enhance adoption rate of recommendations and even implementation speed.

Increasing internal auditor's relevance

/

It’s not (just) about independence

The IIA recently released a paper on this IPPF on independence and objectivity. Independence is sometimes used by internal auditors or organizations executing the internal audit function as an argument to motivate a distance from the organization they’re auditing. And while independence is an important factor to ensure the objectivity the internal auditor needs to maintain in his or her work, it is a means to an end. And the means can result in the end not being met, especially if the internal auditor is too separated from the organizations he’s auditing.

Learn the specifics

Internal audit occurs in a sector. Its findings will be significantly influenced by which sector it operates in. Practices are not similar everywhere. And to be relevant as internal auditor, you really need to understand the specifics of the sector you are working in. An external internal auditor, an outsourced internal auditor or an internal auditor too separate from the operational reality has a significantly higher threshold to cross to gain that level of understanding.

Gain the trust of your auditees

In addition, it’s about trust from the people you are auditing. While it may seem bizarre because of the role of the auditor, the more trust an auditee can put in the contextual competence of his auditor, the more relevant the findings and recommendations will be.

Be close to your auditees and their issues

Now, to become trustworthy to an auditee, as an internal auditor you really need to care about the organization you are working for and the sector they’re operating in. One way to prove your relevance is by making recommendations that matter. But how do you make sure your recommendations will be relevant? In order to be able to do that, you need to learn, and listen, and be interested. Be present, in proximity. That’s not counter to independence. That’s necessity.

On encountering the resistance

/

Encountering the resistance

There’s in inherent fear in most, if not all of us. I used to define it as laziness, but I understand now that’s not what it is. It’s fear. Sometimes hidden, sometimes very barely concealed, freezing fear. Sometimes it beacons you to walk away from an endeavor. Sometimes it will make you run, as fast as you can.

What fear usually isn’t

Read some of the excellent work from Stephen Pressfield or Seth Godin: they speak about the “Lizard Brain” or about the “Resistance” … They correctly describe it as the place you dread to go. It’s pretty much build into us. A couple of thousand years ago, the place unknown, the place we dreaded to go usually had a couple of meat eaters in it. They ate us. So we stayed away. We became programmed to be aware. It’s only natural selection, in the most direct of manners … the curious ones died. Hence, even while we remained curious, we also remained apprehensive of unknown situations. But fear is not always a relevant indicator of a bad situation. Quite often it’s an indicator of us entering an unknown terrain. A new challenge.

We’re most afraid of going where we can make the most difference

You need to think about that. In essence, as Benjamin Zander said, you need not ask the question whether you will be recognized, or appreciated … you need to ask how you can make a contribution.

Your contribution is pushing through the resistance. Pushing through is doing what you are most afraid of for 10 minutes more. Just 10 minutes. That’s it. That’s where the true difference lies.

10 minutes more

You may find yourself reading technical books with deep wisdom. They may enhance your understanding. They will not make it easier to go out on the plains and face the tiger in your head. You will not find the answer in lofty techniques or the newest tools or whatever. The only way to beat the resistance, every day again, and again, and again lies in giving just those 10 minutes more.

Because usually, after those first 10 minutes, you understand it’s really not that bad out there. Guess what, you may even have fun.

This is something I fundamentally believe in. I also believe that those who beat the resistance (every day again, because it does show up for work, just as you do) are the ones who in the end make the difference and master their own productivity challenges