Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

On the Frontlines: Jedi ERM


Internal auditors are, in essence, the Jedi of their organizations. Auditors, like Jedi, are dispatched throughout the galaxy of organizations with our audit plan to guide us in solving complex problems. The Jedi approach their missions in the same way auditors execute projects. Take the three phases of an audit:

  • Planning. A Jedi has to learn about an issue to identify problems and determine their root causes.
  • Fieldwork. A Jedi must execute on what he or she has learned and gather evidence on reportable observations.
  • Reporting. A Jedi must recommend solutions for high-risk issues, which if implemented may help the organization achieve objectives. (Hopefully, it doesn't come to aggressive negotiations.)

If we are doing well in all of these phases, we earn the moniker of trusted advisor, aka Jedi master. Audit teams, like the Jedi, are independent business partners with a unique reporting structure. Internal audit is typically the only department to report directly to a committee of the board. (Tell me Jedi Council meetings do bear a striking similarity to audit committee meetings.)

One of the other vital services internal audit provides is relevant and valuable advice based on its risk assessments. And just like the Jedi using the Force, auditors must constantly be aware of the ever-changing business and social landscapes to identify and evaluate current and future risks.

It is kind of ironic then that the Jedi were not more like internal auditors as they were awful at assessing risk. Had the Jedi allocated some resources to enterprise risk management or internal audit, maybe even included some books from The IIA bookstore in their vast library, they'd have detected and prevented the ultimate fraudster from becoming Emperor of the Galaxy.

Sith Lords turned out not to be the Jedi's specialty as Obi-Wan Kenobi once stated while standing a few feet away from the very Sith Lord, Palpatine, who not too long after directly caused the end of the Jedi Order as it was constituted. The Jedi completely ignored the risks posed by events transpiring throughout the three prequel movies, which led to inadequately addressing the issue of a Sith Lord being the leader of their governing body until it was far too late.

The Jedi's response was to ignore most red flags leading up to Sith Lord Palpatine's big reveal, despite having many, many years after first learning of the threat from Darth Maul's shenanigans. Imagine inadequately assessing your most significant risk for a decade. The Jedi were like the modern-day Blockbuster, which ignored the risk posed by the emerging technology of streaming services and then reacted far too late to survive in a meaningful way. Now, like the Jedi, there is the last Blockbuster out there.

"For over a thousand generations, the Jedi Knights were the guardians of peace and justice in the Old Republic. Before the dark times. Before the Empire." ― Obi-Wan Kenobi

Even organizations with the best of intentions must remain focused on identifying and adequately evaluating risks. Perhaps some additional due diligence would've been merited on the clone army that suddenly sprang up at a very convenient time for some needed mergers and acquisitions. The Jedi then went on and exceeded their objective as peacekeepers and became combat generals to an army of clones. Ethically questionable actions at best, and definitely outside any approved audit charter.

"Who's the more foolish? The fool or the fool who follows him?" — Obi-Wan Kenobi when asked for comment on the importance of proactive risk assessment.

There was no way Yoda was fostering a healthy corporate culture. He is the epitome of a micromanager. One day into training, he was already riding on Luke Skywalker's back and barking instructions at him. There's no way that method of teaching equates to a Jedi Academy having a winning formula for company culture. These are not the actions of an agency that takes risk management seriously.

Internal audit should be mindful of maintaining its independence while still seizing opportunities to provide objective and relevant insights to our business partners and stakeholders. And most importantly, it should be a champion for good culture and good governance while being mindful of staying within the scope of its audit charter. These are definitely lessons that even Jedi masters could learn from auditors.

Jason Stepnoski, CPA, CISA, CFE, is internal audit manager at VSP Global in Sacramento, Calif.
