In my prior blog post, I discussed an article from the
Forbes website titled
"4 Steps to Building a Compelling Value Proposition" written by Michael Skok. In that article, the author stated that the first step in developing a compelling value proposition should be defining the problem you intend to solve and determine if it's a problem worth solving. I then talked about how internal audit shops may not have really figured out the problem they were trying to solve.
The article goes on to talk about how to define that value by answering a set of questions the author calls "the 4 U's." Yes, these questions can be used to better formulate a value proposition (and I would argue it is part of the exploration every audit department should go through). But there is another issue internal audit faces where these questions might come in handy.
It seems that, while most internal auditors do a pretty good job of coming up with workable, viable, value-adding corrective actions, these can be met with resistance from the client. They do not agree there is a problem, they agree there is a problem but feel it is not worth fixing, or, even if they feel it is worth fixing, they don't want to do it right now.
Much of the solution to this issue comes under the category of "negotiation," and that is something I'll be talking about in more depth in the next blog post or two. (I'm still not sure how this whole discussion is going to shake out.)
But I believe part of the problem is much like the issues discussed in the previous blog post. We have not done a good job of defining the problem the corrective action is really going to fix. Not just the breakdown, not just the missing control, not just the obvious-to-the-auditor erroneousness of what is going on — but the actual problem that exists.
The five C's for any issue are condition, criteria, cause, consequence, and corrective action. (Yes, I know you already know that, but I just want to make sure we're all on the same page.) And one of the great struggles in report writing is getting those five C's correct. Most audit shops get there, but it can be a bit of a battle.
In trying to get to the final answer, internal audit shops seem to spend a lot of time on cause. Yes, cause is important. But if you haven't nailed consequence — impact, effect, how big a boy are you, why the bleep should I care, the reason anyone should pay attention — then, even if the client agrees with what you have to say, it will be begrudgingly. And the odds of actually getting real, agreed-upon corrective action, as well as the client taking any real action on that action, are about the same as
Internal Auditor magazine putting out a "Sexiest Auditors of 2019" issue.
And that is where the Skok's "4 U's" can come in to play, helping the auditor understand the problem that is involved and why anyone should care.
Is the propblem
unworkable? Does your solution fix a broken business process where there are real, measurable consequences to inaction?
If the issue is not addressed, will there be significant losses? Will there be real impact on reputation, customers, or stakeholders? Will someone get fired or sent to jail? (That last one was for Diane Watkins-Slaughter.) Then you have a reportable issue that needs to be addressed. If you are adept at determining "consequences," then this concept should be obvious. But we often ignore determining what the real impact will be, assuming everyone understands we are talking about something that is vitally important.
Is fixing the problem
unavoidable? Is it driven by a mandate with implications associated with governance or regulatory control?
In other words, are the implications such that something must — absolutely must — be done? Now, if it is regulatory or compliance-related, then that is generally an easy sell. (Although, the ease of that sale will depend on the mindset of the organization. Farmers Insurance had a zero-tolerance policy when it came to even a single transaction violating regulatory requirements. But I have also seen organizations that figured close enough was good enough, not sweating the small stuff and, eventually, no longer existing.) But the more important sell (and the one that can be tougher) relates to governance implications. It is an area where internal audit doesn't always shine, but an area where we need to focus more of our attention. Governance drives everything the organization does, and should drive everything internal audit focuses on
Is the problem
urgent? Is it one of the top few priorities for a company?
Once audit reveals the existence of the issue, will it be one of the top priorities for the company, for the business unit, for the department? Does it really need to be done right now? At Farmers Insurance, we had a CEO who proclaimed that every issue reported by internal audit would have to be corrected within one month. While we talked him down from insisting that always be true, he revealed the importance he placed on what we had to say, and it made us reevaluate everything we were reporting.
Is the problem
underserved? Is there a conspicuous absence of valid solutions to the problem you're looking to solve?
Yes, this question sounds the most consultanty. Nonetheless, it is still valid. As Skok notes "focus on that whitespace." I had a boss who was very fond of asking "What are the mitigating controls?" It didn't take me long (okay, probably longer than it should have, but not too long) to realize he was not going to buy into my findings — at least not buy into them immediately — if there was some other way the client was watching the store. Again, auditors love their controls. And if we think one is missing, we love to jump into building new ones. But they are not always necessary. And the times when there is a significant finding — an issue worth reporting — are those where no valid solution is in place or has even been thought about.
Unworkable, unavoidable, urgent, underserved — the four U's that internal audit should address every time it thinks it has something that it really needs to report.
Now, it could be that less consequential findings will still need to be reported — everyone has different reasons, requirements, protocols for what should be reported. But it should help you look at those issues with a new lens — one that is focusing on why anyone should care.
At least, care enough to actually do something about it.
There is more to come on this whole subject. I've got a couple of parallel thoughts rambling around and, to be honest, I'm not sure which one is going to come out next. All I can say is that, in the next posts, some further thoughts on the subject of identifying the real problem and negotiating with clients to determine how those problems might be solved.
I guess we'll all be surprised with what comes next.