My series of posts last month focused on the need for internal auditing to embrace creativity and innovation in order to maintain relevance in the future. I have gotten some interesting responses to that message. Some came in the form of comments, and others were follow-up conversations I had with friends and colleagues. To be honest, it is going to take a little while to get to all the points I see being raised, and so I plan on revisiting this subject throughout the rest of this month.
But in very broad terms, the comments and discussions have run the gamut from "Amen, Brother" to "Get thee behind me Satan." Actually, no one compared me to Satan. But in the passive-aggressive approach that seems to be so favored by internal auditors, it was evident that there were individuals who believed I was leading us to something nowhere near akin to the Promised Land. While they wanted to be nice and indicated that what I had to say was interesting, they threw in enough caveats to make buyers not only beware, but run to a different city's marketplace.
Most of the naysayers (or rather, the "yes-you-are-right-but..."-sayers) tended to fall back on the standards, on our traditional roles, on our core skills, and on the reminder that we should not take our eyes off our primary responsibilities.
Let me be clear. I have never advocated an anarchist revolution with the objective of building something new on the smoking ruins of all we've accomplished. I am not abolishing the standards or our traditional roles or our core skills or our primary responsibilities. However, what I do advocate is an approach that looks at what internal audit does tabula rasa — imagining nothing has come before, imagining all possibilities without restrictions. Such an approach is instrumental in breaking the shackles of our preconceived notions.
However, such an approach includes risk, and there's the rub. The backward looking approach — the need to "not keep our eyes off (name your particular preference/prejudice)" — is indicative of internal auditors' natural aversion to risk. When speaking with auditors about the need for change, I invariably here concerns about the risk we would face. And, while there is nothing wrong with taking the potential risks into consideration, internal auditors (when they are speaking of their own profession) tend to use risk as the primary reason to avoid big changes.
Our strongest trait; our biggest problem.
Our focus on potential risks and approaches for best mitigating those risks is one of the foundations upon which we have built our reputation. But our love of that foundation means we have become some of the biggest risk avoiders in the organization. Here's a simple test — when was the last time you actually reported that a control should be removed because it was not providing value? I think most of us have done it, but I also think the instances are few and far between. And I further believe that we avoid doing so partly because we just want to be sure things are under control — we fear that any (emphasize any) unmitigated risk is bad and, even more tellingly, if it leads to a problem will reflect on professionalism.
We won't take the risk.
And then it all leads to the biggest impact this has on the profession: our fear that we cannot make mistakes. If we are to be the ones who are the control experts, then we seem to think we have to have absolute control over the work we do.
Because we have such an important role in risk mitigation, we shy away from risk — we don't want to be seen making even the most infinitesimal, inconsequential mistake. Take a look at your operation, take a look at your processes, take a look at anything going on in your department, and I'll bet that half of the work you are doing is geared toward reducing that risk.
First and second reviews of workpapers. Checking and double-checking mind-numbing details. Innumerable meetings geared towards talking about what was done, what is being done, and what will be done. Rewriting reports until results are so old they aren't worth reporting any more.
Has anyone done a cost-benefit analysis of how much our controls cost versus the exposure?
That is a key point. And that is the fear I see from most auditors when we discuss creativity and change. Of course there is a risk. There was a risk over 70 years ago when a group of internal auditors got together and decided we should be a real profession. There was a risk when our principals were put in writing. (Put it in writing and you have to be held to it.) There is a risk every time we put forward an opinion.
And we have to raise our risk tolerance, allowing ourselves to occasionally fail.
I would argue there is no such thing as too much creativity and too much innovation. And for those who fear there will be "too much," I share a quote from John Burroughs: "Jump and a net shall appear." You have to take the chance, or else you will achieve nothing.
And one more quote to end this part of the discussion — this time from some weirdo named Pablo Picasso: "The chief enemy of creativity is good sense." Allow me to paraphrase for our profession.
The chief enemy of internal audit's success is good sense.