My Thoughts on Internal Audit and Other Topics
A leader taking control of his organization – being accountable, hiring the best experts around, and vetting their business partners. What a novel concept! Compare Mr. Wynn’s control environment with other organizations – including his counterpart at Las Vegas Sands (see here: http://blogs.wsj.com/corruption-currents/2011/03/01/sec-investigating-las-vegas-sands-for-fcpa-violations/)
http://blogs.wsj.com/exchange/2011/05/17/steve-wynns-handbook-to-avoiding-organized-crime/
In earlier posts, we talked about effective communications – our post today will be effective thinking. With the news that Osama bin Laden has assumed room temperature last weekend, there has been a withering focus on the minute-by-minute account of the events. However, very little attention has been given to the Navy SEALs and other team members to the successful mission.
Why?
Beyond the classified nature of their work product, soldiers are hesitant to talk about their specialized training outside the confines of fellow military personnel. The one area that has been made public and is most-applicable to investigators and auditors is the idea of situational awareness. Our friends at the US Coast Guard define the term as, “…the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regards to the mission. More simply, it’s knowing what is going on around you.”(1) The definition sounds logical and simple enough. The trick is applying it to real life.
Let’s take a look at a real-life situation – from our Austin, TX friends at STRATFOR:
Should an attack occur, then, a person with a complacent or apathetic mindset will be taken completely by surprise and could freeze up in shock and denial as their minds are forced to quickly adjust to a newly recognized and unforeseen situational reality. That person is in no condition to react, flee or resist.
Denial and complacency, however, are not the only hazardous states of mind. As mentioned above, paranoia and obsessive concern about one’s safety and security can be just as dangerous. There are times when it is important to be on heightened alert — a woman walking alone in a dark parking lot is one example — but people are simply not designed to operate in a state of heightened awareness for extended periods of time. The body’s “flight or fight” response is helpful in a sudden emergency, but a constant stream of adrenalin and stress leads to mental and physical burnout. It is very hard for people to be aware of their surroundings when they are completely fried.
Situational awareness, then, is best practiced at a balanced level referred to as “relaxed awareness,” a state of mind that can be maintained indefinitely without all the stress associated with being on constant alert. Relaxed awareness is not tiring, and allows people to enjoy life while paying attention to their surroundings.
When people are in a state of relaxed awareness, it is far easier to make the transition to a state of heightened awareness than it is to jump all the way from complacency to heightened awareness. So, if something out of the ordinary occurs, those practicing relaxed awareness can heighten their awareness while they attempt to determine whether the anomaly is indeed a threat. If it is, they can take action to avoid it; if it is not, they can stand down and return to a state of relaxed awareness. (2)
How often have the terms “SALY” or “DILLY” crossed your lips? Your supervisor’s? Your partner or investigator in-charge? The tactic of “Same As Last Year” or “Do It Like Last Year” defeats the purpose of situational awareness/relaxed awareness. Additionally, it violates our code of ethics and code of conduct. As fiduciaries, we are required to understand a complicated, dynamic environment and apply our training to it. Often, the trick to applying situational awareness is to create a fresh mental picture of your surroundings and continue until the project (mission) is complete. We wish our colleagues practiced this attitude – see PwC and Satyam as one example. (3)
So, give it a try the next time your client sticks you in the janitor’s closet. It’ll keep you out of the headlines and allow you to complete the mission!
Sources:
(1). http://www.uscg.mil/auxiliary/training/tct/chap5.pdf
(2). http://www.stratfor.com/threats_situational_awareness_and_perspective
I am fortunate to be accepted as a member of the Association of Certified Fraud Examiners’ Advisory Council.
Please take a look at this very important article – ask yourself this question, professionals: Are you feeling the pressure, too?
Richard Chambers On The Profession – theiia.org
On April 26th, I posted about the moral argument in favor of internal audit – our raison de etre, our cri de coeur. In my opinion, Internal Audit is a passion business – one with difficult challenges and wonderful opportunities to make our little piece of the world a better place. My implicit question was, “Why doesn’t anyone else feel the passion?”
I am now happy to report that the Institute of Internal Auditors (IIA) has taken the challenge head-on.
BOTTOM LINE: Whether we’re in Internal Audit, Forensics, Fraud, or IT Audit:
Thank you, IIA. It’s been a long-time coming!
===================================
If you like the content here, subscribe to Hediger’s Blog! Look to the left and you will see the button – put in your email address and you’re all set. While you’re here, enjoy all the posts.
Thanks and happy surfing!
Communication Breakdown, It’s always the same, I’m having a nervous breakdown, Drive me insane! -
Led Zeppelin. ”Communication Breakdown”. Led Zeppelin I
Do you ever feel like your audit and professional communication skills are like a sinking lead balloon?
It is not enough for you to be truthful in your audit or fraud findings – your written and spoken words must be precise to your audience; you only get one change to make a good presentation. Let’s be honest: Internal Auditors et al are not known as superior communicators. I’m sure I’ll receive comments saying, “That’s not true!” or “What study did you look at to base your conclusion?”. Folks: Management’s and employee’s perception comes from their experience. They don’t need me to restate their belief that IA is the oppressive “traffic cop” – one that rivals Legal Department’s cringe-inflicting reactions. Generalizations are generally true and perception is reality. Deal with it!
Or, should we? Not just no, hell no!
It’s time to change perceptions and change our communication styles.
In this edition of “Where Is Your North Star?”, I will be walking through two strategic areas of communication breakdown between auditors and our customers. I will discuss some of the strategic challenges that Internal Audit faces in communicating with our customers and give you a preview of future posts on tactics you can use today to help your oral, written, and visual skills. It is extremely important that Management, Board of Directors, and our customers know and feel that we are partners in their business model (except for fraud, waste, and abuse). Before we begin, let me ask you a tactical question: Are you willing to work for years (IMHO*: your lifetime) to be a better communicator? If not, this post will not be for you. I don’t want to hear from the “haters” and say that it is an impossible task to communicate your findings to an unwilling Management. This situation occurs very rarely and I will not accept the premise that it cannot be done.
==============================================
I see two main areas of strategic communication breakdowns between auditors to Management:
To be an effective and efficient communicator, you have to tailor your communication to your audience. Notice I DID NOT say “tailor your message”. Of course, there are times that intense clarity must be displayed boldly – but do you really want to come across with that intensity with an AP Clerk? Here is a quote from one of my favorite authors on the subject: Dr. Frank Luntz -
One of the reasons why there is so little successful communication in this country (the United States) is that so many of our communicators don’t truly understand something as basic as who their audience is.
Dr. Frank Luntz. ”Words That Work: It’s Not What You Say, It’s What People Hear”, p. 180.
One of the communication errors I have observed (and I have done it, too!) is when you are frustrated at a customer. The emotion gets the better of you. You start to make hasty generalization about that person, their department, or the company not caring about controls. When you get into that emotional state, what does that AP clerk perceive? Does the clerk perceive you as part of Management? Do they perceive you as being harsh? If the answers are “yes”, you have problems with message effectiveness. It doesn’t matter that you’re efficient (clear) – your effectiveness will be poor.
Here’s a question for you: Since this blog’s audience is generally college-educated, should you use SAT words and jargon to all of your audiences? No. Do you anyway? Probably. Your CEO does not care about “control environment” or “control activities” – they care about a zero tolerance attitude toward fraud, waste, and abuse, they care about the company’s business risks. The use of jargon clouds what we want to say to Management. Let us remember who we are talking with – the public does not understand our lexicon. We must give a translation to our customers if we want to improve the organization’s risks. We have to be the bridge builders for our customers to cross.
To change people’s opinions of internal auditors, we must communicate that we make a positive difference. For example, be available for customer requests – and, if you cannot, refer them to a consultant or internal professional. Never say, “No.” Yes, I said it – Never say no. You may not be the right person to answer the question but be responsible for facilitating an answer. Internal Audit is often perceived having all the answers and you have to answer many questions about everything in the company. Internal Audit should be the one place where customers get the answer they need. Internal Audit should help and give answers for customers. Why is this important from Internal Audit’s perspective?
To put a finer point on top-down and bottom-up perspectives in your communication – your AP clerk is not going to care about revenue recognition risks and your AR clerk will not care about disbursement accruals that are improperly recorded. But it is Internal Audit’s job to actively listen, put those risks together from the source, and communicate this information to Management for consideration. Why is this important? The AP and AR clerk in the example deal with the details every day – but don’t know if their concerns are valid from a macro risk perspective. Conversely, Management wouldn’t otherwise know about the situation - thus having incomplete information about the detail in the financial statements and whether the AR and AP clerk’s concerns are valid. Internal Audit is the catalyst for information distribution and, potentially, incremental positive change. If the auditor cannot listen and communicate effectively, this issue would be lost and risks could be exploited.
Let’s say that Internal Audit has had repeated successes like the one I described above – continually delivering and communicating opportunities and risks to Management. This does not stop the communication cycle: it is important to remind Management and all of your customers that Internal Audit has changed. If you are having a meeting with the Audit Committee or senior management, it is important to project the positive influence that Internal Audit has had on the organization:
How often do internal auditors make this point? Unfortunately, not enough. No wonder why we are perceived as the “bad cop”! If our department is seen as only coming up with problems – with no solutions – it is no surprise that we’re treated the way we are. We have to show value. We have to show results that are beyond the expectations of Management and the enterprise. We have to show that we create value, not drain Management’s patience with constant bad news.
Considering these facts and perceptions, do you think Management is singing the same Led Zeppelin song and, “…having a nervous breakdown…” with Internal Audit?
==============================================
In conclusion, communicating with Management or staff is a very difficult task for Internal Auditors because of our perceived “bad cop” position. It is extremely important to remember that Auditors must face the two main issues to potential communication breakdowns: not understanding our audience and changing Management’s et al perception of Internal Audit. We can do these tasks through the very simple message from a great thought leader and communicator, Jack Welsh:
I used my words to give our people a more outward focus on the cusotmer so that they would always try to satisfy that customer. That’s why I said again and again: ’Companies don’t give job security. Only satisfied customers do.’”
Jack Welsh – through the book, “Words That Work” by Dr. Frank Luntz, p. 127.
NOTES:
Deloitte Webcast Poll: Majority of Business Professionals Expect More Financial Statement Fruad to Be Uncovered in 2010, 2011 Compared to the Last Three Years.
This should come as no surprise, folks – remember the “fraud triangle”: Motive, Opportunity, and Rationalization.
The topic of finding valuable information for business managers and Internal Audit is a hot tactical area. What is one surefire way to do more with less? Allow your department to analyze data for new risks and save some money for your company. I worked for two companies, Costco Wholesale and PRIDE Industries, where I was able to save my company more than $1 million each because of analyzing Accounts Receivable and Accounts Payable data – see “Experience Highlights” for more details
So, how can you do it? Is there a trick of the trade?
Yes, the Audit Command Language (ACL) software.
I wish I had ACL at Costco and was extremely happy to have it at PRIDE. I used similar techniques at Costco (through SQL) at PRIDE with ACL and had superior results because of the audit log and the ability to recreate and rollback data. The ACL system is different from using SQL or other data manipulator system because it does not affect the source data – which is so important when you are in a fraud, forensic, or other important audit.
Think about it for a second. If you’re in front of a judge and jury, do you want to admit that you don’t have data integrity? Do you want to avoid that admission? I highly recommend using ACL.
If you are a practitioner, you need to move out of your comfort zone – Excel. MS Excel is a wonderful tool, but it doesn’t do everything. Often, this is a reason why Internal Auditors/Accountants don’t get along with the IT Department – we say to the gurus, “Just fix it!” ”Give me the data I need!” Wouldn’t be more powerful to speak their language and translate that data into powerful information for Management? Let me put it a different way: If a plumber comes over to your house and repairs your leaky faucet – would you use a monkey wrench? A sledge hammer? No! Your plumber would use multiple tools to accomplish the task. Shouldn’t you? Take advantage of your company’s education funds to get educated with the tool. If you have ACL on your desktop and are afraid to double-click the icon (as I was “once upon a time” at Deloitte), release your fears and play around with it.
If you are a manager working with IT Audit staff – and analyze massive quantities of data – ACL is a tool for your staff to maintain the integrity of the data file and preserve it for document retention, compliance, and legal purposes. By the way, it also serves the task of recording every transaction that your auditor does throughout their auditing process. You can reperform every step of their process to determine your employee’s talent level for evaluations and reduce the amount of audit work papers. ACL will be able to increase the efficiency of your subordinates. More audits done in less time? Cool.
Oh, and by the way, you can also suggest new audit areas that can make your Internal Audit department shine – like revenue leakage, post-payment recovery, discount, and contract terms audits. Show how your department can save money and increase enterprise profitability. This is all without using scripts to automatically run requested reports from your company’s computer system.
BOTTOM LINE: Don’t be afraid of that ACL icon. Use it to be more efficient and save your company money. Reach out to me for tips and tricks on how I used ACL to save my company’s money.
Use this free resource TODAY to make your little part of the world a better place.
AUDITORS RULE!
With Greatest Sincerity,
Tim
———————————————-
I look forward to your comments! Feel free to email me at trhediger@hotmail.com or visit my LinkedIn site: http://www.linkedin.com/in/timothyhediger (LinkedIn)
Interesting. Can we do that for our government? Our companies?
