09 October 2020

Not everyone should be an Internal Auditor

Sometimes Internal Auditors shouldn’t be Internal Auditors. Sometimes the role can be, no matter how much effort is expended to avoid this, confrontational or with the potential for conflict with the auditee (and others). This is particularly the case when there are strong personalities on the ‘other side’ of the audit process. I ran into exactly such a situation, as I’m sure have most of us. Remember, however, that just because someone is not appropriate for Internal Audit that does not mean that they may not have a lot to contribute to the business.

A number of years ago, I was engaged by a bank to perform a number of IT Audits. The bank had a full Internal Audit function but only three IT Auditors. The audit programme, however, included too many audits to be completed by the team that was available (for various reasons, only one of which was too much work for the available resources).

After cutting my teeth on a couple of simple reviews, the Audit Director asked me to take a look at the implementation and use of the Project Management Methodology in a couple of the major projects that were in-flight at the time. These were significant projects, being run by and for different parts of the bank. Each had external project managers, and each seemed to be running to time, budget and promised deliverables. There were no particular reasons to worry about the projects.

Enter Bob (not his real name), a somewhat meek Internal Auditor, who chanced into IT Audit from a role as a bank branch auditor. I had worked with Bob before at another institution, and knew some of his strengths and weaknesses. The Internal Audit Director said to me “I’d like Bob to work with you on this audit”. Really? Well, okay. “It will be good for him. He’ll learn something, and hopefully will become a better auditor.” He saw the horror in my face.

“I really need you to do this, but let me know how it goes”.

So the audit began. Each project provided all the requested information, and both were open, allowing interviews with key project personnel and the project managers. The project sponsors were comfortable with the progress, and the user communities were looking forward to the new systems and processes, even though these were months away.

The projects were running smoothly, and the audit did not find any unreasonable budget to actual variations, or undue and unexpected slippages in estimated delivery dates, resource requirements, etc. Risks were documented (inadequately, but there was some consideration of risks). Of course, the primary purpose was to confirm the implementation and use of the corporate-mandated project management methodology.

While everything is going smoothly, a finding that process is not being followed can be a difficult finding to make and defend, especially when the processes will add effort and probably increase the resources and costs required to accomplish the project or set of tasks.

Add to that the personality trait of many good project managers – a straightforward manner and an air of confidence that can be used to ‘encourage’ focus on goals. They are confident, and they exude confidence, and that is one of the ways that they provide comfort to stakeholders, encourage teams, and deflect or reduce potential conflict or disagreement. This sometimes can manifest itself as arrogance and bullying.

And we faced two of these individuals. They had the backing of their respective General Managers, they were confident, they were delivering, and they really didn’t need Internal Audit second-guessing how they were going about achieving their missions.

I sent Bob to carry out some interviews, collect documentation, read it and summarise his thoughts. We talked through what he was seeing. We combined our work and work papers, and we arrived at our conclusions. We wrote up the draft report, and prepared for the exit-interviews with the two Project Managers. 

As the fieldwork progressed, Bob became more and more agitated, and at times seemed distracted. Finally, with the fieldwork completed and the draft report ready, we scheduled the exit interviews. Twice.

Then a third time, with each of the other two being cancelled and rescheduled.

Finally, the day arrived. I arrived in Internal Audit, and seeing Bob, said “Fantastic, today is the day. They’ve not cancelled or postponed. We’re ready.”

I looked closely at Bob. “Are you alright? You look tired.”

“I haven’t slept all week, I’ve been so worried about this meeting” was his response. Worried? Why? All our ducks were in a row, all the documentation was completed, the draft report was written, the findings reviewed, and the key points ready. All that was needed now was a conversation with the PMs, and to give them an opportunity to take the draft back with them and write up their comments, responses and action plans.

Focusing on the coming meeting, I put his comment away in the back of my mind, something for later.

We had our exit meeting. We outlined the audit, the fieldwork performed and the data and information reviewed. We presented our findings. The PMs read the Executive Summary, looked at each other, and after a few questions said “You’re right, we use our own methodologies. They are not the corporate-approved methodology. We will talk to our teams about how we will implement and use the standard methodology. We will need to train our people, and we might need some training also.”

Done. 

Yes. It was that ‘easy’. The data was there, the documentation was there, and we did not attack their methodologies or pick holes in what they were doing. We were not auditing the effectiveness of their personal leadership, and we were not questioning the performance of the projects (although we did look at status reporting, steering committee reporting, budgets to actuals, etc). We had a specific scope and we audited to that scope, cognisant that other issues may come up.

What I didn’t expect was that the primary finding of serious concern was that one of the auditors was not able to perform the audit. Having worked with Bob in the past, it all came together then. He simply was not capable of assertive support of any position. His default in any potential conflict was not to address the issue, but to seek someone who could deal with it on his behalf.

When all was done and the report was issued, I stopped by the Audit Director’s office. I told him what had happened, and said I was deeply worried about Bob, his mental state and his fitness to be an Internal Auditor. Furthermore, there was the very real potential that Bob would bring Internal Audit into ‘disrepute’ within the bank by not being adequately assertive or able, when pushed, to deal with highly assertive individuals. In the worst case, such an auditor might miss a critical control and technical issue, or fail to push for acceptance and resolution of a critical weakness, potentially endangering the bank itself. The IA Director knew we had worked together in the past, in fact, all three of us had been at another bank at the same time in the past. He “inherited” Bob when we took over IA in this bank. He knew what he had, but there was little he could do directly.

We talked, and eventually, I said “You have to get him out of Internal Audit. He will have a nervous breakdown, or worse. This is not the right job for him.” The IA Director agreed and asked for my suggestion. My view was that Bob had a solid knowledge of retail banking, adequate IT knowledge, and understood both the bank and the banking sector. Firing him would only compound Bob’s issues and would be wasting an otherwise perfectly decent person and skill-set. “Find him another job in the bank. For you and for him”.

Checking in with the IA Director a couple of years later, I asked what was the final outcome with Bob. The news was all good. Bob was encouraged to apply for, and was appointed to, a role in the Retail Product Development team, and was to all reports thriving. Conflict was not an issue, because he was supporting product developers who were, by nature, positive and had the support of the executives. His knowledge of the bank and banking products served him well.

Most of all, a ‘wrong fit’ was rectified, and IA was seen as a potential source of good quality people for the business, and not tarnished as the home of people who were not able to provide the challenge actually needed in healthy organisations.

What are the attributes of a good Internal Auditor? There is a long list. Near the top of any list must be confidence in the correctness of the principles that the auditor is espousing; of effective control, process effectiveness, risk identification and assessment, and confirmation by the auditee of the findings and potential impact. Meekness is not a desirable attribute.
