Posted by: David Schneier
My first encounter with an auditor was back in the mid-90s while working as an application project manager for a Fortune 100 company. The group responsible for change management was going through an audit of their process and one of the changes that was selected for review happened to belong to my team. I remember the insane amount of activity that went into preparing for the audit, how every folder was pulled in advance of turning it over to the audit team and how every document was checked and double-checked to make sure everything that should have been done at the time was. And when issues were identified that could be fixed, they were fixed: missing forms were completed, backdated and inserted into the folder, missing signatures were obtained and by the time the auditors showed up everything looked perfect. It all seemed such a waste of time to me because we didn’t figure out why things weren’t done right the first time, the auditors seemed happy enough to check off that they received everything they expected and in the end an enormous amount of work went into making sure nothing really happened.
That first experience has arguably tainted my opinion of the role played by internal audit for nearly twenty years. Subsequent to that first encounter I’ve been audited a few more times, assisted clients in preparing for internal audits many times and have had hundreds of interactions, either directly or indirectly, with a variety of companies’ internal audit functions. And despite all of this experience, and having eventually become an auditor myself, I’m not sure I could present a credible argument as to where there’s real value being generated by the process beyond maintaining appearances.
The first problem is that for most companies there’s an unhealthy fear of auditors. There’s often real concern that if any major issues are uncovered someone’s head will roll. At the aforementioned Fortune 100 company, it was widely believed that if your group was found to have a material finding (or anything remotely resembling one) the highest ranking person in the group was doomed. To their credit, the company also had a mechanism in place so that if you figured out that you had a problem before anyone else and self-reported it you were allowed appropriate time to remediate. But that wasn’t always effective enough because most application and business managers weren’t auditors and couldn’t always recognize when a control was either missing or failing, and so there was still an enormous amount of work and panic leading up to a scheduled audit. I remember thinking that the company should remove the threat of termination and encourage both auditor and auditee to work openly and honestly together so that in the end issues were surfaced, defined and repaired. In the two decades since I’ve worked with and for a few companies who believed they had this healthier sort of dynamic in place between their internal audit department and its business and technology functions, but really in the end it’s almost always the same problem. Internal audit is viewed as an unforgiving and punishing agent and no one ever wants them snooping around.
The second problem is that there’s a degree of incompetence found within many internal audit functions. While conducting my first technical audit back in 1997 (my company was managing an outsourced audit plan) I identified a significant issue with the methodology used to make production changes in a certain database environment. It resulted in there being virtually no clear or simple way for the DBA to back out a change if it didn’t work. If a change failed it would require bringing down production for several hours in order to restore things to the previous state. The first person who challenged my finding was the internal auditor who had audited the same platform for years and either didn’t understand or didn’t agree with the finding. It took me nearly an hour to first educate him as to why the technical issue existed, prove that it did and finally get him to agree with the associated risks. He had worked there for years, had never had the chance to see how other companies managed similar infrastructures and was way more concerned with his authority and capabilities being challenged than with the fact that his company had a significant risk to be repaired. In the time since I’ve met many more people just like that one, auditors who stay at one company for years, fall into bad habits and fail to keep their skills relevant. They wind up relying too much on the Internet to try to update their knowledge base, don’t have the perspective of understanding how other companies are managing similar challenges and are happy enough to bring out the same whipping stick and a feeling of empowerment to scare the daylights out of internal control owners while conducting their audits. It results in poorly formed and often irrelevant findings that waste everyone’s time. I wish I had a ten dollar bill for every instance I knew of where something was being fixed because it was easier to appease the auditor than it was to convince them their finding was flawed or even wrong.
Now I’m not saying all internal auditors are incompetent; they’re not. I’ve met some brilliant and extremely effective internal auditors along the way. And in those environments audits weren’t feared because there was a high degree of confidence that if an issue was identified it was something worth knowing about. But in almost all of those cases the auditors involved had only been with their company for a few years, not decades.
The third problem is that audit needs to be seen as adding value, not creating unnecessary delays or work. Practically speaking, internal audit is playing for the same team as the control owners whose processes they assess. Their primary goal shouldn’t be to notch as many findings as possible on the board but rather to identify weaknesses and deficiencies so that they can be remediated and help further harden the infrastructure and reduce risks. I understand the need for the function to maintain independence and separation, but only so they can remain objective, not so they can operate as though they’re the ultimate authority on right and wrong and beyond reproach. If they’re invited to participate early in a project and find issues they should issue interim findings so that small problems don’t become bigger problems further on down the project road. If you wait for the post-implementation audit to document early stage issues you’re not really helping anyone. If they abuse being granted access to meetings and documentation long before the audit function is typically engaged, the only predictable outcome is that access will be denied until someone forces the issue. And one more major issue I routinely find with internal audit is that no matter how strong or weak a finding may be, no matter how poorly or strongly worded, no matter how relevant or irrelevant, they all too often defend it as though it’s gospel that’s beyond reproach. Why is that? Why can’t the control owner question the finding, demand clarity or try to frame its relevance? All auditors should feel an obligation to issue a final report which resonates with everyone involved as being accurate and hopefully fair.
Until internal audit is seen as part of the solution, not part of the problem, it’s going to remain, well, a problem. Until control owners gain a sense that developing a healthy dialogue with their auditors will only help things and not hurt them, it will continue to be a problem. And until all involved parties working for the company feel as though they’re working towards a common goal, it will remain a problem.