Posted by: David Schneier
Audit, corruption, fraud, GLBA, Information Technology General Controls, infrastructure, IT, IT General Controls, ITGC, NCUA, Regulatory Compliance
I was reading the local newspaper this morning and was surprised to find a front page story ripped from the headlines of my professional life (ironic, I know).
Right there on the front page of today’s News and Observer was a story about how a recent audit claimed corruption at a local college (North Carolina Central University). I’m sort of trained in a Pavlovian sort of way to notice anything having to do with audit and so I gave it a cursory read. Cursory turned into focused when I reached the part about how the school’s chancellor Charlie Nelms called the report draft “sloppy” and went on to say that some of its harshest accusations might not be true.
One of the oldest tricks in the business book when it comes to audits is to start questioning the quality and veracity of reports that are perceived as not being favorable. Instead of focusing on the audit's findings and trying to validate them (because a good audit is your best friend if you really want to do things right), the auditee goes into a series of tactical maneuvers to deflect attention away from the report's contents and feigns disgust and outrage.
The school chancellor went on to say that, after firing the auditor who produced the report, he “ordered his staff to gather more information before he releases a final version to the public.” He went on to say that the “draft audit was so poor that he doesn’t trust it, and he does not want to damage the reputations of people who might not have done anything wrong”.
A few years ago, I conducted a risk assessment for a client with an odd configuration of infrastructure pieces that clearly defied anything close to typical, so it was difficult to measure them against the norm. Just the same, I tried. I took a step back after conducting all of my interviews and gathering as much information as was available and filtered it through the lenses of an examiner. I surfaced gaps and issues that were likely to be viewed in a negative light, explained why that was and offered clear and concise remedial steps. Senior management went bonkers (for lack of a better word) when they received the report.
They were outraged because the report was delivered a week late (which was true), they were insulted that there were typos (not factual errors, just a few grammatical/spelling hiccups which are common in draft versions), and they charged that some of the issues listed were completely false. In summary, they called into question the accuracy and reliability of the entire report. It was startling for me because in my more than two decades working in the business world, with more than 10 years conducting audits and assessments, I'd never had a client react anywhere near this way before.
But it was really more about using diversionary tactics intended to gain a negotiating advantage. Their end game was to soften the report's contents so that it looked better when the examiners came back around; by pushing us back into a defensive position, they were almost successful. Fortunately, I'm stubborn when it comes to standing behind my findings and need incontrovertible proof that I was wrong about something before changing or removing things. I may not be the best auditor, but I have well-honed instincts around IT and the myriad processes necessary to support the infrastructure, and I know good from bad. I never put anything into my reports that doesn't resonate with me and my peers (and typically the report's audience).
So you can imagine where my head was at while reading the story today. Mr. Nelms also said, “I want to see the source documents, and I want to see the field notes from the audit, because I want it to be accurate. I don’t want it to be hearsay, because some of the allegations are just mind-boggling.”
Well, that's good to hear, because any audit worth its weight in paper needs to be supported by solid work papers. But considering that he fired the auditor, I'm hoping someone in his office thought to secure those beforehand. And I'd need to understand why he's gathering more information when all he really needs to do is use the work papers and have another independent auditor re-perform the tests.
Oh and another thing, who hired the auditor to begin with?
Also, now that the report’s findings are semi-public (it’s available despite not having been formally released), where’s the value in conducting a follow-up audit? Anyone involved with any alleged wrongdoings now has a clear roadmap in front of them on how to cover their tracks.
Here’s my thinking on all of this: The audit is likely somewhere close to 100% accurate but far from perfect (I know that’s a contradiction). If the chancellor was really interested in handling this properly, he’d quietly set about having independent people digging into the findings, not as a CYA exercise but simply to get to the bottom of things and deal with whatever is found. I’m not saying that where there’s smoke there’s always fire but unless Mr. Nelms can offer a credible explanation why he would think that the fired auditor would fabricate stories or offer poorly formed conclusions I’d have no choice but to question his position on all of this. I guess what I’m asking for is a credible explanation as to where the smoke is coming from and an explanation why he thinks it’s benign.
What I’d like is to hear the auditor’s side of the story. I’m betting that would be an enlightening conversation. But if Mr. Nelms was successful in his very public tongue lashing of this auditor, he/she will do anything and everything to avoid having their name outed. And so the diversionary tactics score another point.
And the best part of this? I almost never read the paper.