Sometimes Internal Auditors shouldn’t be Internal Auditors. Sometimes the role can be, no matter how much effort is expended to avoid this, confrontational or with the potential for conflict with the auditee (and others). This is particularly the case when there are strong personalities on the ‘other side’ of the audit process. I ran into exactly such a situation, as I’m sure have most of us. Remember, however, that just because someone is not appropriate for Internal Audit that does not mean that they may not have a lot to contribute to the business.
A number of years ago, I was engaged by a bank to
perform a number of IT Audits. The bank had a full Internal Audit function but only three IT Auditors. The audit programme, however, included too many audits to be
completed by the team that was available (for various reasons, only one of
which was to too much work for the available resources).
After cutting my teeth on a couple of simple
reviews, the Audit Director asked me to take a look at the implementation and
use of the Project Management Methodology in a couple of the major projects
that were in-flight at the time. These were significant projects, being run by
and for different parts of the bank. Each had external project managers, and
each seemed to be running to time, budget and promised deliverables. There were
no particular reasons to worry about the projects.
Enter Bob (not his real name), a somewhat meek
Internal Auditor, who chanced into IT Audit from a role as a bank branch
auditor. I had worked with Bob before at another institution, and knew some of his strengths and weaknesses. The
Internal Audit Director said to me “I’d like Bob to work with you on this audit”.
Really? Well, okay. “It will be good for him. He’ll learn something, and
hopefully will become a better auditor.” He saw the horror in my face.
“I really need you to do this, but let me know
how it goes”.
So the audit began. Each project provided all
the requested information, and both were open allowing interviews with key
project personnel and the projection managers. The project sponsors were
comfortable the progress, and the user communities were looking forward to the
new systems and processes, even though these were months away.
The projects were running smoothly, and the audit did not find any unreasonable budget to actual variations, or undue and
unexpected slippages in estimated deliver dates, resource requirements, etc. Risks were documented (inadequately, but there was some consideration of risks). Of
course, the primary purpose was to confirm the implementation and use of the
corporate-mandated project management methodology.
While everything is going smoothly, a finding
that process is not being followed can be a difficult finding to make and
defend, especially when the processes will add effort and probably increase the
resources and costs required to accomplish the project or set of tasks.
Add to that the personality trait of many good project managers – a straightforward manner and an air of confidence that can be used to ‘encourage’ focus on goals. They are confident, and they exude confidence, and that is one of the ways that they provide comfort to stakeholders, encourage teams, and deflect or reduce potential conflict or disagreement. This sometimes can manifest itself as arrogance and bullying.
And we faced two of these individuals. They had the backing of their respective General Managers, they were confident, they were delivering, and they really didn’t need Internal Audit second-guessing how they were going about achieving their missions.
I sent Bob to carry out some interviews, collect documentation, read it and summarise his thoughts. We talked through what he was seeing. We combined our work and work papers, and we arrived at our conclusions. We wrote up the draft report, and prepared for the exit-interviews with the two Project Managers.
As the fieldwork progressed, Bob became more and
more agitated, and at times seemed distracted. Finally, with the fieldwork
completed and the draft report ready, we scheduled the exit interviews. Twice.
Then a third time, with each of the other two
being cancelled and rescheduled.
Finally, the day arrived. I arrived in
Internal Audit, and seeing Bob, said “Fantastic, today is the day. They’ve not
cancelled or postponed. We’re ready.”
I looked closely at Bob. “Are you alright? You
look tired.”
“I haven’t slept all week, I’ve been so
worried about this meeting” was his response. Worried? Why? All our ducks were
in a row, all the documentation was completed, the draft report was written,
the findings reviewed, and the key points ready. All that was needed now was a
conversation with the PMs, and to give them an opportunity to take the draft
back with them and write up their comments, responses and action plans.
Focusing on the coming meeting, I put his
comment away in the back of my mind, something for later.
We had our exit meeting. We outlined the
audit, the fieldwork performed and the data and information reviewed. We
presented our findings. The PMs read the Executive Summary, looked at each
other, and after a few questions said “You’re right, we use our own
methodologies. They are not the corporate-approved methodology. We will talk to
our teams about how we will implement and use the standard methodology. We will
need to train our people, and we might need some training also.”
Done.
Yes. It was that ‘easy’. The data was there,
the documentation was there, and we did not attack their methodologies or pick
holes in what they were doing. We were not auditing the effectiveness of their
personal leadership, and we were not questioning the performance of the
projects (although we did look at status reporting, steering committee
reporting, budgets to actuals, etc). We had a specific scope and we audited to
that scope, cognisant that other issues may come up.
What I didn’t expect was that the primary
finding of serious concern was that one of the auditors was not able to perform
the audit. Having worked with Bob in the past, it all came together then. He
simply was not capable of assertive support of any position. His default in any potential conflict was not to address the issue, but to seek someone who could
deal with it on his behalf.
When all was done and the report was issued, I
stopped by the Audit Directors office. I told him what had happened, and said I
was deeply worried about Bob, his mental state and his fitness to be and
Internal Auditor. Furthermore, there was the very real potential that Bob would
bring Internal Audit into ‘disrepute’ within the bank by not being adequately
assertive or able, when pushed, to deal with highly assertive individuals. In
the worst case, such an auditor might miss a critical control and technical
issue, or fail to push for acceptance and resolution of a critical weakness,
potentially endangering the bank itself. The IA Director knew we had worked
together in the past, in fact, all three of us has been at another bank at the
same time in the past. He “inherited” Bob when we took over IA in this bank. He
knew what he had, but there was little he could do directly.
We talked, and eventually, I said “You have to get him out of Internal Audit. He will have a nervous breakdown, or worse. This is not
the right job for him.” The IA Director agreed and asked for my suggestion. My
view was that Bob had a solid knowledge of retail banking, adequate IT knowledge,
and understood both the bank and the banking sector. Firing him would only
compound Bob’s issues and would be wasting an otherwise perfectly decent person
and skill-set. “Find him another job in the bank. For you and for him”.
Checking in with the IA Director a couple of
years later, I asked what was the final outcome with Bob. The news was all
good. Bob was encouraged to apply for, and was appointed to, a role in the Retail Product Development team, and was to all reports thriving. Conflict was not an
issue, because he was supporting product developers who were, by nature,
positive and had the support of the executives. His knowledge of the bank and
banking products served him well.
Most of all, a ‘wrong fit’ was rectified, and
IA was seen as a potential source of good quality people for the business, and
not tarnished as the home of people who were not able to provide the challenge
actually needed in healthy organisations.
What are the attributes of a good Internal
Auditor? There is a long list. Near the top of any list must be confidence in
the correctness of the principles that the auditor is espousing; of effective
control, process effectiveness, risk identification and assessment, and confirmation by the auditee of the findings and potential impact. Meekness is not a desirable attribute.
Thank you for sharing Daniel
ReplyDelete