We internal auditors are really good at telling other people what to do. (Sorry, that should be "suggesting" what they should do – we would never tell them what they had to do.) We explain to them about risk and we explain to them about controls and we explain to them how they can help ensure they meet their objectives. And after each project we look back and feel we have provided a valuable service to the executives, the board, and the organization.
Now, don't worry, I'm not here to try and convince you this is wrong.
No, what I am here to tell you is that it wouldn't be a bad idea for us to listen closely and heed our own advice. Two recent events reminded me how important this idea is.
The first event was the laptop problems I experienced a couple of weeks ago. You can read all about it in my prior post. Suffice to say that, if I had listened to even one of the thousands of auditors who have advised an auditee that he or she should be backing up their hard drives, my intake of Rolaids would have been reduced significantly.
But the second and more impactful event was my coming across the following Facebook post from writer Adam-Troy Castro:
"This just happened on Thursday night's episode of GRACEPOINT.
A newspaper editor chasing a hot story begs a favor from the editor of another paper. Speaking to her colleague over the phone, she says, "I wouldn't have to ask you to search your archives for me if you would just put all your old issues online! GET WITH THE TWENTY-FIRST CENTURY, ALREADY!"
She hangs up, and turns her attention to a reporter who has entered the room immediately afterward. She instructs him to canvass the locals for another vital piece of information.
And hands him a rolodex."
I'll give you a beat or two to make sure that one sinks in.
Now I could rant and rave about sloppy writing and bad television and poor editing and any litany of sins that are perpetrated upon us by the television powers that be – but that's not why we are here tonight.
Rather, I would suggest all internal auditors ask themselves this question: How often have you ranted to the auditee to "Get with the twenty-first century, already!" and then walked off to use your figurative rolodexes?
"Not me?" you say? "We're cutting edge, we know what's happening, we're with it, we're groovy, man."
You think so? Then follow along with me on this. We tell our auditees that they need to first understand the objectives, then understand the risks to those objectives, and then understand the associated controls.
This should sound familiar. It's all there in COSO's internal control framework. And it is probably at the heart of any risk/control matrix you use in developing your audit programs.
But here's where the test work meets the test sheet. Can you tell me the objectives of your audit department? Can you tell me the risks to those objectives? And can you tell me what controls you have established to appropriately mitigate those risks? Or, are you like so many auditees we chastise – did you put in a bunch of controls without really understanding the underlying risks? And have you established those controls without even understanding your own risk appetite? (A sub-question: Why, exactly, are you doing all those workpaper reviews?)
I can't speak for you. But I can speak about the many people I've worked with over the last couple of years. And I can tell you that, while they have put together excellent procedures and they have passed their quality assessments and they are more than happy to share the wonderful things they have achieved, I still get an "auditee in crosshairs" look whenever I ask them to go through the simple exercise of tracing their department's objectives to their risks and then tracing those risks to their controls.
(And how 'bout we skip the number of times I've asked them to quote their mission statements. In at least two instances I was providing training to groups of internal auditors who had, just the week before, been trained on how their internal audit department worked – including the mission statement – and yet not a single one of them could tell me what it was.)
If it really is such a good idea – if the COSO framework has any validity, if our risk/control matrices have any validity, if our audit work has any validity – then wouldn't it also be a good idea to try it out on ourselves?
The example cited from Gracepoint may be sloppy, lazy writing – someone who was too busy using clichés to think about what was being said. Similarly, if we do not apply the principles we are preaching, then we are no less sloppy or lazy – too busy spouting the truth to apply it.
It is not so much a case of "physician heal thyself" as it is "auditor audit thyself."