Commitment to focus

/

Predator hunting

Have you ever seen a predator hunting? It’s truly a sight to see. You may want to check Discovery Channel, just to get a glimpse of the experience.

A predator chasing a herd does not, in effect, chase the herd. Rather, after a period of quiet but concentrated observation, it will pounch, going after one specific animal. It almost seems as if the predator has a method to execute the attack run, with a default target and and one or more backup targets in case the default target is not an option. The execution is pure animal muscle memory, executed picture perfect, like a dancer. Of course in reality, the animal goes solely on instinct and reflexes. However, that’s not the point.

UPDATE: I learned about 30 minutes ago there is an podcast with Merlin Mann that follows pretty much the same argument, but expands on it even more. I just listened to (part of) it. You want to listen to this.

The point here is that - even instinctive - preparatory work and a focused execution, with backup plan, even if the animal is not consciously aware of it, results in food on the table. Anything less is likely to result in failure. And failure if it happens time after time results in death for a predator, who needs food to stay strong and hunt another day.

Our failures to deliver

Compare this to us, unfocused and often scared people. We often underperform or fail to deliver the results due to lack of preparatory work and lack of care and focus during execution. We will often put in significant effort with little to no results to show for.

Bottom line? Significant waste of effort.

Longer term consequences? Motivational death and even worse results.

Why we fail

There are a couple of reasons why we can fail. The most obvious one is procrastination. A lot has been written about that specific issue by authors like Steven Pressfield and Merlin Mann. I won’t repeat their words, but it’s more than worth to take the time and read what they have to say.

However, while the root may well be procrastination and the lizard brain, a significant part of the problem is a lack of focus in preparation, execution and wrap-up.

A consistent lack of focus

Paraphrasing David Allen, preparation for proper execution takes more time than you think, but less than you are afraid it will. Proper preparation however takes different time. It’s not “intensive” activity time as such, but intent attention to how exactly you will approach the challenge. Let’s look at what is required.

Some thoughts on achieving focus

  • Your mind needs to go there before your body does: I picture the predator stalking his prey, taking his animal mind through the moves which will put the meat between his teeth. You need to really think through what you want to do. What helps is:
  • Defining clear and achievable outcomes: If you know what to achieve, what the actual target is, you’re less likely to be distracted by other potential targets. Getting distracted is a surefire way to lose focus and lose the prey, the end result to be achieved.
  • You need to show up: Even if you are afraid, even if the adrenaline is pulsing through your body, you need to actually be present to be able to execute. It’s not only about being there, aware and active, although that’s very important, of course. No, it’s also about putting in the effort, executing the first 10 minutes to beat that fear of failure.
  • Be flexible: When executing, you need to be flexible enough to be able to switch targets, to go after a fall-back scenario when the initial scenario does not appear to be achievable. The worst is to block or panic when the primary goal no longer is within your reach. Having clearly defined fallback positions is not giving up, its having good sense.
  • Don’t overthink: There are occasions we paralyze ourselves with our incessant thinking. We doubt, we backtrack, we hesitate, we fail. We don’t trust muscle memory. Quite probably because we did not put in the preparatory effort. But sometimes you just need to let go and let the process take over. But only after having done a proper preparation.
  • Execute a post mortem: This is almost always forgotten, but essential to learning. And it’s what separates us from the predator. After having eaten the prey, after having celebrated the success, dare to critically look back on what went well but also on what could have gone better. These lessons learned need to be incorporated in your approach, they need in turn to become part of your muscle memory.
  • And finally, make sure you do what you love: After all, by making the right choices, by chosing from the heart, you’re less likely to give up or get distracted.

It all comes down to …

making choices and truly committing to them. Are you ready to do that?

Future proofing your electronic audit files using plaintext

/

In short

Evolving software file types sometimes make it impossible to access files or workpapers which were created in file types that are currently no longer readily available. In order to ensure forward compatibility, I'm considering adopting the .txt plaintext format as the go-to format for both verbose file documentation and tabular data in our audit department. Markup languages such as Markdown provide adequate and easily adopted formatting codes to ensure adequate lay-out for reproduction on paper, pdf of html. Comma-separated values formats such as .csv function as tabular formats and are easily exportable to many applications while remaining readable.

Retrieving old files

In a recent conversation with a colleague I made reference to a report I wrote in the mid 1990's. It contained an appendix, buried in the latter half of the report, which had contributed to the dismissal of two CFO's of the organization audited. I wanted to show him the paragraph, not out of foolish pride, but to illustrate that my communication at that time was not really very good at all. The point which should have been point one of the management summary ended up in an appendix on page 56 of the report.

The problem was however not that specific point, but rather the fact that I still had the file, but no easy way of accessing it. It was written in a now redundant software format, with the file type no longer readable by any current software packages. For all intents and purposes, it was gone. No longer available. Okay, there are still likely to be paper copies, but both the organization (still in existence) and myself moved more than once. Additionally, this is a file past the legal 10 year period of document retention usually applicable in Belgium. So even if there had been a paper copy available, it likely would either have been misplaced or possibly even destroyed as there were no legal reasons to keep the document. Even with storage space being relatively cheap, there is no reason to keep all your stuff (as I keep telling my kids).

The bottom line for me here is that with significant effort I'm quite certain I can retrieve the information one way or another. However, it should not take me significant effort. Because significant effort may not be an investment worth making, rendering the files in effect unusable.

Are you sure your current electronic documents will be as available to you as they are now? What about in 5 years? In 10? 20?

.txt as a viable file type alternative

As a former frequent lifehacker reader (when Gina Trapani was still in charge at lifehacker) I remember reading an article she wrote on using .txt as a go-to format. She uses it as a todo system. The reason: long term viability of the format and access through multiple software venues.

As my short illustration above aims to show, audit reports and workpapers may fall victim to comparable issues with outdated file types no longer supported by current applications. Using basic file formats which have been around for a long time, are being used by different applications, can easily be accessed and read by humans we can ensure that the information captured during audits remains accessible for a long time to come without significant investment.

Apparent limitations of the solution

There may appear to be a couple of limitations to the solution. Let's examine them:

  • What about tabular data? .txt does not necessarily work for everything. However, applying a comma-separated values (.csv) format to present tabular data in a plaintext format while remaining readable is a perfectly fine solution.
  • What about formatting? This is where Markdown which was written by Daring Fireball's author John Gruber comes in. Markdown is an easily to learn basic markup 'language' which allows for easy translation of the markdown codes into good html. In essence, what this means is that with an appropriate CSS (cascading style sheets) file you can translate your simple .txt formatting in the most wonderful lay-out you have ever seen. Compliance with company visual standards can become very easy indeed.

Our next steps

For workpapers, I asked ACL in a previous blog post to allow markdown formatting in their application. We'll be actively testing uploading .txt files (which of course will be formatted in markdown) in the workpapers.com application which we're currently using.

I'll keep you informed.

Developing good audit recommendations

/

In short

Recommendations should never be developed in an ivory tower. Rather, bringing in the auditees during the recommendations phase and challenging them to develop SMART recommendations will enhance the quality of your recommendations. Proper process should counter any issues with objectivity that may arise.

Relevant recommendations are hard

This is a no-brainer for most auditors. Concisely describing your findings in a manner that all relevant readers can understand is an often underestimated task. Developing SMART recommendations related to these findings can be even more challenging, especially in a subject area which is technical.

Nevertheless, auditors often insist on their independence and objectivity as an argument to only involve the auditees in the report finalization phase. The auditees are confronted with a set of well-intended recommendations with proposed deadlines, and often only have a limited time to react. And that's a problem.

Recommendations are not after-thoughts

Rather, they are core to the relevance of internal audit as a profession. Hence, ensuring relevance and feasibility of recommendations should never be the last item to check off the checklist before issuing the report. Rather, it should be core to a separate audit phase, the recommendation phase, where auditees and auditors come together to analyze how to best approach the findings.

But what about independence and objectivity?

We can't involve the auditees in the recommendation development phase because involving them will impede our independence. Will it really? I'm not too sure about that.

Independence is a means to objectivity. Objectivity allows to judge adequate due diligence and report on that. That's at the level of findings.

However, adapting processes, systems or behaviour to improve due diligence in an organization is, at the end, a management decision. As auditors we have the right to independently point out the direction we believe to be most optimal to address the issues raised. We cannot take the place of management and force them in a certain direction.

Hence, rather than believing that involving auditees in the recommendation process will impede our objectivity, I am convinced that not involving them in the recommendation development and only allowing their input as an after-thought will empede our future independence. Why? Well, imagine they will chose a route different from the one we as auditors proposed. Imagine that we invested a lot in developing this recommendation. Pride is a human characteristic. I sincerely believe the risk of not being able to objectively assess auditees' response is a bigger issue than involving them in the process to begin with.

Mind first, words later

There's another element to take in account. Most of the obvious solutions we as auditors with a limited working knowledge of practical, technical situations can come up with have been tried, tested and often dismissed as not feasible or ineffective in the past by those auditees.

"Most complex problems have simple solutions, which are most often wrong."

I don't remember the source of the above quote, and I'm not quoting it verbatim either, but there is quite a lot of thruth in it. To not only patch but really solve certain issues, we need to look at creative solutions for them. The best possible way for me is to combine the critical attitude of the auditor with the in-depth knowledge of the auditee to examine new, creative ways of issue resolution.

But what if you don't agree?

Auditors are independent. Imagine an auditee supports a certain solution which you are convinced will never really address the issue. The audit report should clearly state this and describe both the proposed solution by the auditee and the solution or ideas of the auditor, as well as the motivation why the auditee response is inadequate. This way, the audit committee and the board have all relevant information to decide on a recommended course of action.

Why work programs work

/

The short of it

Audit work programs work because they require you to think about what you are going to do before you do it. They take away the stress of worrying how you should approach a certain audit issue for 90% of the time, because you have thought about it before your audit team was on the ground, facing the problem.

The practice of writing good audit workprograms is disappearing

I scout the internet for new audit workprograms quite often. My first traditional port of call is Auditnet. They provide a good selection and I understand their premium program is very good. Still, with constrained budgets there are other acquisitions which get priority, so I look around.

I don’t necessarily look for work programs I need right now, I like to have the feeling that somewhere in my dropbox library is an audit work program for most of my standard audit needs.

The problem is that even though the internet is growing, I feel I am getting less and less relevant audit work programs in my google search results. Perhaps the art of writing good audit work programs is disappearing?

Defining an audit work program

An audit work program to me has always been a detailed description of the audit procedures to be executed to adequately cover a certain aspect to be audited. It is a step-by-step overview of instructions which allow for even a person with limited training to execute specific steps in an audit.

Audit work programs are not written for stupid people, although the first time you see one, you may think they are. Rather, they embody some of David Allen’s key GTD principles … by getting your tasks out of your head and on paper (or whatever medium) you reduce part of the stress. In order to get to that point, you need to make the investment of developing audit work programs. But what’s the real added value?

The relevance of the audit work program

Internal auditors can encounter significant stress. There is a limited timeframe to execute the audit. Requested documents are not always ready on time. Unexpected findings come up and need to be dealt with. Auditees are stressed and react negatively to the auditor. And now I’m only describing daily audit situations. At times like that, it’s good to know that a lot of what you need to be doing is well explained in a structured and executable set of instructions. If you don’t need to think about how you need to do what you do, you can spend more time understanding what is going on based on the information you gather.

Beating procrastination

There’s another advantage. Auditors are (like) people. Like everyone else, we can succumb to procrastination, to postponing what needs to be done and chasing the interesting finding. On occasion, we can even chase our own tails. But then the work is not getting done.

The point of the audit work program is to describe the work to be executed in such manageable chunks that the threshold to execution diminishes to the point where the resistance to doing the work is low enough to push us forward. Again, we are protecting ourselves from our own procrastination. And we ensure we do our job: providing the audit committee and the board with information on due diligent behavior of our auditees.

Happiness through workprograms

It may seem a bit bizarre, but in my professional life there are few situations I’ve been consistently more happy than when developing and executing a good work program. It holds you with your nose to the ground and close to the work. It requires some deep thinking on how you can most effectively and efficiently execute an audit step. It helps you focus on the facts and the figures, not the narrative surrounding them. It helps you to see clearly.

Of course I had my epic project proposal wins when I worked as a consultant. Of course being involved in a green field brainstorming and suddenly seeing the way to a solution is a kick. And taking a group of people through a discovery process really gets the blood flowing.

But for professional satisfaction … nothing beats a good, well developed audit work program. When I’m in the middle of development or execution, it always brings a smile to my face. Because I know that whatever comes out of the audit, our work does not go where our minds have not gone before.

Workpapers.com quadruple review, part I - The one week review

/

The short of it

At BTC, we recently selected workpapers.com as our web-based electronic workpaper solution. I will be writing about our experiences with this tool in four separate blog posts, over a period of about a year. This is the first one, about our the first week using workpaper.com. The solution is a promising one, but I already do have a couple of remarks.

Introduction

There are only a limited number of true webbased internal audit workpaper solutions out there. We chose to use workpapers.com for the support of our five planned assurance missions in 2012. If the tool lives up to our - rather high - expectations, we'll continue using it.

This review is only the first of four reviews on using workpapers.com. It's being written after approximately one week of usage and will be an introduction to the review 'series' of this solution that was recently acquired by ACL. It will feed you our first impressions and how well the tools answers the specific requirements we at the Belgian Development Agency have for electronic work papers.

I'll write the second review after one month of usage. By that time, the annual audit plan for 2012 will be uploaded and we'll be entering the stages of audit work program finalization. In essence, by mid February all specific audit activities we'll be engaging in during 2012 should be planned in detail and reviewed. During this review I'll be focusing on the tools available to ensure completeness of our audit approach.

The third review will be written after using the tool on one audit in the field. The field in question will be Benin, where we'll be conducting project audits in both the South and the North. We'll be fieldtesting in dire conditions, with sometimes limited to no internet connectivity. It will allow us to test in a very tough offline environment and see how well the exports of working programs and working paper documentation are usable and re-importable. It will also allow us to assess the tool as it supports reporting and issue follow-up.

The final review will be executed after one year of usage, both for missions at headquarters in Brussels as during missions in the field in Africa. It will allow us to assess the use of the tool in supporting a full year audit planning and based on that assessment we will decide whether or not to continue using the tool.

But why did we chose to move to electronic work papers in the first place?

I arrived a couple of months ago as CAE in an internal audit department that had been well organized by both my predecessor Dorota and her collaborator Vincent, who is now working with me. An academic party recently assessed the functioning at level three of the IIA internal audit maturity continuum. The credit for that is all theirs.

I decided to move the internal audit department from the existing paper based workflow to an electronic documentation and workflow application for the following reasons:

  • Ease of (standardized) documentation: electronic work paper systems enable easy documentation in a standardized structure
  • Consistency: the standard templates and structures and a certain rigidity of documentation requirements should result in a consistent quality of documentation. Ideally, but not solely dependent on the solution, this should lead to consistency in report quality.
  • Completeness: electronic work papers force you to go through the basics of audit planning. This, when properly executed, forces you to consider the completeness of your audit approach.

In short, we aim to take the performance of the audit department up one notch, but this would not have been possible without the excellent work of the past years.

First experiences with workpapers.com

In summary, I'm pleased with the performance of the tool, but there are a number of important areas of improvement which I hope the team, now they have become part of ACL, will work on.

The positive elements

Usability in different browsers - At home, I like to work in my native Mac environment, on the Safari browser. At work, I am working in a Chrome environment. Both browsers perform without any issues.

Password protection - Obvious and essential, but the login is quick, painless but adequately secured.

User configuration - Setting up new auditors and giving them specific privileges was very straightforward. Each user account is linked to an email and workpapers.com allows the user to enable or disable email notifications. These notifications are triggered when new to do's assigned to them are created.

Creating new audits - One click away from the start-up screen for the account administrator, a new audit requires a name, an optional description, an audit type, the target deadline and optionally the budgetted hours. The audit types available are four types of internal control audits (Sarbox, Internal control audit, SAS 70 audit and business process reviews) and four types of workplan audits (internal audit, workplan based, royalty/licensing audits, compliance audits and other audits). While this provides a good basis, having an even more generic activity would allow for creating "audits" for advisory projects as well. We've now opted to define these as "Other audit" and we'll see where this takes us.

Audit approach structure - After creating an audit (type "workplan based internal audit") the systems asks for the creation of audit objectives. These are then linked to a plan, which can be reviewed. The system guides you through the creation of a workplan for each of the objectives. You start by defining the risks, which you need to assess (high, medium, low) on both impact and likelihood of occurrence. You also need to create specific audit procedures which describe how the auditors need to execute the audit (audit workprogram). By linking audit procedures to identified risks - assuming you do this diligently - you can check whether all risks are covered by audit procedures. Alternatively you can check whether you don't plan to perform too much work if audit procedures are not attributable to risks. The audit plan needs to be signed off on by the preparer, the detail reviewer and the general reviewer. The administrator can define additional reviewers who need to sign of on this.

PBC integration - The system allows for an online creation of the PBC or prepared by client list. Each item to be requested in preparation of the audit needs to be identified separately, and can be separately tracked. Sending out the emails through the system is optional.

I'm sure I'm missing a lot of the finer points the solution has to offer, but this is a review after just one week of usage.

What I really liked about the solution is that the system forces you to consider your risks and thus really provides a completeness and relevance check on audit procedures.

Some ideas for improvement

There are a couple of remarks I have on the software. I'm sure some of them are already on the agenda of the developer, but they do annoy me. These points are based on testing in the "internal audit (workplan)" audit type definition, they may be different in other audit types.

Multiple risk entries - Whenever you're defining risks for a new objective, you need to enter all of them all over again. No reuse of earlier risk definitions across objectives. We use a pretty standardized set of risk definitions. Having the option to define a risk register and reuse "generic" risk definitions in the different objectives would be a real time saver.

Multiple audit procedures - Identical point as above really for audit procedures. Some audit activities are pretty generic and comparable. I don't want to invest that much time in rewriting or even copy-pasting for example a generic process assessment description which I then need to adapt. The possibility to define this once and then easily access to copy and adapt would be great.

Risk assessment requirement - I noted that I was required to enter values for impact and likelihood for each new risk I created. While a good fail-safe for complete risk evaluation, I often develop risks and workprograms before starting the audit. Risks can be added and removed, but I want to be able to enter risks without the direct obligation to assess them. A warning on the dashboard would be more than enough.

Generic activity type - We perform some supporting advisory work as well as internal audit work, and I don't want two systems to keep my working papers. Hence, the need for a generic activity type which I can use for advisory projects. As stated above, we'll be using the "other audits" and see how far that will take us.

Formatting - I'm a huge fan of Markdown … it is an easy to use html formatting language. Given the workpapers are in html, why not provide at least the option of using markdown instead of providing us with a very limited interface for basic rich text lay-out in the audit procedures field? +1 for the introduction of Markdown in this tool.

Header lay-out - This far, I appear to not have a color or logo choice. Workpapers.com is basically an audit flavored document and project management tool. The reference tool (non audit) is 37Signals' Basecamp which we considered but found slightly wanting in internal audit specifics. What Basecamp allows is customization with colors and logo's. I would like to define a template for our working papers that show our templates conform to the guidelines our external communication department created. The colors now are blue and green … not the most pleasing for the eyes.

Working paper re-import - I have not yet figured out whether I can take an Excel workpaper export offline, fill it out and easily re-import it. If this is not possible, we'll have to provide for some time to copy-paste our offline findings which is inefficient at best. We are on occasion offline for longer periods of time, certainly in Africa, and being able to import this easily would be a great solution.

To date and next steps

In the past 48 hours I've defined all audits planned for 2012 in the system. I've introduced an existing workprogram for field audits in one of the audits and developed a new workprogram for another.

In the coming days we'll develop the work program for the other planned audits and start keeping time in the system. I'll post a new blog entry on workpapers.com in about one month.

The external specialization fallacy

/

You can't oursource your core tasks

There are a couple of essential tasks you cannot outsource:

  • If you're about the execute a coup d'etat, you can't bring in mercenaries in key roles or positions and assume you will remain in control;
  • If you want to rule a market, you cannot have key product development and innovation done solely by third parties;
  • If you want to fundamentally change the way your organization functions, you cannot have a full successful reengineering done by an outside consultant;
  • If you want assurances your business is run with due diligence, you cannot outsource your internal audit function

Why? Because the people you outsource this function to don't care as much or are not as informed as people on the inside. After all, they are but guns for hire. When the job is done, their work is done, and they move to another role or responsibility. Even worse, who do you believe defines when the job is done? You, the client? Don't bet on it. The job usually is done just about when the money runs out.

Providing assurance on due diligent behaviour is a core task

Your organization is likely to be about a very specific set of services, products or solutions. That's what makes your organization special. That's what clients come to experience or purchase. Some organizations are more specific than others, but the way they function internally is usually very specific and requires both a deep knowledge of the processes themselves as well as a thorough understanding on how these processes came to be what they are.

Now, in order to provide assurance on due diligent behaviour by all people involved, you need people who understand what is going on in the organization and why it is going on. Your assurance providers need to be specialized, not only in your business, but in your organization. In order to provide your organization with the most relevant value for money findings and recommendations, the internal auditor needs to be able to take the time and develop a deep understanding of your functioning.

The specialization fallacy

Most internal audit service providers will try to convince you of their uniqueness (let's be real here, they really aren't that special) and the skill set of their advisors. A couple of issues:

  • The leverage model dictates a 1 to 3 (123) hierarchical structure to make a project profitable. Remember the mercenaries above who leave when the money runs out? A typical service provider aims at providing you with three juniors for every senior, with three seniors for every manager, with three managers for every director or partner. Given that deep expertise on average requires 10.000 hours of hard work, and that real chargeability will run at around 60% for seniors or above, which is where the real learning happens, you can make the calculation yourself. The more experienced the advisors are, the less likely you are to find one of those on the team being proposed to you;
  • Service providers often claim sectoral experience. At the same time, they claim fire walls between their teams. This to me just doesn't add up. In a competitive environment you either have sectoral knowledge gained at a competitor. In that case, you should not be on the team. Or you have no knowledge of the sector that is relevant to me.
  • If not sectoral experience, they can bring technical experience. I agree that under certain, very strict conditions, it makes sense to outsource a very technical aspect of a job because you don't have adequate knowledge of the area. However, the number of cases in which this is applicable are limited to mainly specific ICT areas. And even then ...

Bottom line, the specialization you need access to the most should not be available due to firewalls in place between teams in a sector. And it's unlikely someone will have invested significantly in your organization ... because the return usually isn't there, except for really large organizations. And if this is the case, if a consultant has invested so much in your organization, where is his independence? How independent can you remain if your goal is to be paid by this organization?

But what about experts? Experts working for a service provider are most often no longer actively involved in the practice. They have an expiration date.

Even the best technical auditors cannot make up for a lack of knowledge about the specifics of the business and the organization.

What works

In order for internal audit to be relevant, to be able to provide adequate assurance on due diligent behaviour by the collaborators of an organization, requires deep expertise in the business or the possibility to develop this expertise. An external party often does not have the means nor the intention to invest adequately in building this expertise.

Deep expertise needs to lead to good risk assessments and the development of efficient, effective and economic audit activities focused on relevant audit objectives and audit areas.

When using external support at all, this external support can at the earliest be asked to assist in developing audit work programs. Their aim should be to optimize the audit approach, not the objectives nor areas.

The actual audit execution should, where possible, remain with the internal auditors, supported where required by ad hoc expertise which can then be acquired at the best market value.

Final reporting should always remain with the internal audit responsibles.

Providing assurance on due diligent behaviour

is a core responsibility of internal audit. The audit committee needs to have adequate assurances that the work done is not determined by the available budget for outsourcing, but rather by a deep understanding of the need of the organization to function at the best possible level, an understanding most efficiently developed from the inside.