Over the last couple of days, I've been providing a list of words I believe internal audit should no longer use. The first two were pretty obvious. However, the middle three may have been a bit more surprising. Well, it's time to really take a swing at some sacred cows (which is definitely a mixed metaphor and brings to mind a very strange encounter in the streets of India, but there it is.) We'll start with a couple more words we use without really thinking, and wrap up with some buzzwords internal audit has really falling in love with.
Effective/Ineffective: (These two words are so related, we'll consider them as a single "kick it out." Two for the price of one.)
What is the greatest achievement any department can attain at the end of a review? (See me trying to avoid the word "audit"? I was paying attention to that first post. But, man, this is hard!) The single highest accolade internal audit can bestow upon a department is that operations are "effective."
Wow! Hats and horns! Call the neighbors and wake the kids! Let's blow the roof off this joint! We were effective! Huzzah!!
Imagine it is the end of the year and you are about to receive your annual review. Your boss smiles and congratulates you on being … effective. Don't know about you, but if that happened to me I would feel that what I had achieved was the epitome of mediocrity. And my expectations related to upcoming raises would be greatly diminished. (Then again, there were years when such an evaluation might have exceeded my expectations, but we won't go into that right now. I'm saving that one for the next meeting with my therapist.)
Maybe your department uses some other word or phrase — fully complies, in compliance, did good, really spiffy, didn't do as bad as we expected, comme ci comme ca. But my guess is that, whatever word or phrase you use, it does not inspire a sense of real accomplishment for those under review. Whoopee! We did it! They didn't dig up anything that was a significant issue! Let's close down and celebrate!
And as if that wasn't bad enough …
How about a report that says the department is ineffective … at anything? Again, you've probably got your own word for the lowest of the low, but no matter what term is being used, the mere fact that that word is in the report probably adds a week (maybe closer to a month) trying to get agreement on the review and the associated issues. And this is largely because of the overwhelming negative connotations carried within the word rather than the actual issues being reported. No one wants to be associated with what that word implies. (Particularly when the best you can hope for is effective.)
No, I haven't got an answer. Yes, reporting things they have done correctly is part of the solution. And we don't want to sugarcoat when things are not going well. But there have to be alternatives.
I have heard of some audit departments using maturity models to provide a reporting basis. Rather than saying effective, ineffective, and the various gradations in between, these departments report on how far along the maturity model the department is as it relates to controls and risk mitigation. (Dang, two words I said to throw out. Oh well, I contain multitudes. Do as I say; not as I do.) I don't have a lot of details, but it is an innovative and interesting approach and may be an answer.
Find an alternative, maybe find out more on how to use maturity models. But, for effective and ineffective …
Kick 'em out!
Trusted Advisors: And now we will take a flying deep dive into the buzzword factory that internal audit joins as readily as any other business group. I admit, this phrase is a personal pet peeve of mine, and your mileage may differ. But I think the phrase "trusted advisor," comes off very condescending … to us.
Yes, we want to have a seat at the table (another buzzword that should probably be avoided), but I think the phrase "trusted advisor" smacks of someone sitting beside the king, hoping for approval, waiting to be called a good and faithful servant, living for the moment when the king looks down and says, "What do you think?" and, after having given an answer, whispering to himself, "They like me; they really like me," as the king moves forward having kept the trusted advisor happy by making him think he has been a part of the process.
Did I mention that I have a problem with this phrase?
Trusted advisor smacks of second-class. Not there for the decisions, not there when the real conversations are going on, not there as a part of the team. Instead, someone who is called in at some point to either support the decisions or be ignored if such support cannot be found.
Yes, I know we cannot make the decisions. Yes I know we have to be independent and objective. But that doesn't mean we can't be knee-deep in the decision-making process. And trusted advisor smells too much of coming in once the battle has already been fought. (And when that happens, there are all those bayonets and there are all those wounded and there is such an opportunity to fall far backward into the way auditing used to be perceived.)
It is not a bad idea, but it is a concept that does not tell the full story.
Kick it out!
Value Add: And there it is. An attack on the latest holiest of holies. (Hey, at least I'm not saying get rid of independence and objectivity.)
You can hardly swing a comatose participant without hearing this used at least once in every conference, seminar, and presentation. We all prolifically spout it with great vim and vigor and vehemence and preacher-like fire and brimstoning. And for good reason. There is an important point within the idea of value add. So, how can I advocate eliminating one of the most important concepts internal audit has espoused?
Because … well, let me tell you a story.
I spoke with an internal audit shop that was embracing the concept of value add for internal audit. To support this, they required every audit report to not only include the opinion and findings, but also a value add statement — something internal audit found or did that provided value. The epitome of how absurd this exercise became is when a report contained a value add statement describing how audit had suggested adding a section to an online form — a form that was going to be eliminated within the next couple of months. This was then dutifully reported to the audit committee.
I will allow you a couple of moments to let that sink in and then laugh, cry, sputter, or react in the way you find most appropriate.
If we spend our time bludgeoning our customers with the idea that internal audit is going to add value, any customer acting with even part of their brain in the vicinity of that discussion will surely ask, "So, you are now adding value. What were you doing before?"
The point is we have always added value (every department in every organization better be adding value or they should be eliminated; there's an audit finding for you.) What we are doing is adding new, different, unexpected, better value.
But usually, when talking with our customers, we use the phrase and concept of value add in such a way that the full story is not told
Internally, this is a perfectly fine phrase. In fact, I would say we should keep having as many discussions about it as we can. But we cannot use this phrase with our customers. Instead, we have to describe what we are doing that they do not expect, how we are being more than the internal auditors we used to be, how we are moving beyond tick and tie and compliance, and how we want to work together (notice I didn't use the buzzword "partner") to help the organization achieve its objectives.
Internally, use value add (judiciously). Externally …
Kick it out!
Okay, I've gone long again. But I did want to wrap this up by the end of the week. Next week, I will provide a synopsis, as well as a phrase I think we don't use enough.
Until then, again, provide your thoughts on what should be kicked out. And we'll see you next week.